Archive for the ‘Trend Micro’ Category

Add a SAN to Your UCC for SSL in Your AV Console

October 7th, 2010 by Paul Sterley | No Comments | Filed in Antivirus Software, IIS, In the Windows Box, Management Software, Security, Trend Micro, Windows Server

Wait, what?

Having just installed a Unified Communications Certificate (UCC) with multiple Subject Alternative Names (SAN), I went on to install the antivirus software on my customer’s server.

One of my pet peeves is that the antivirus software wants to use SSL for its administration console, but it creates a self-signed certificate. Not very secure, there. It’s also annoying, because web browsers get grouchy about the SSL cert until you install it. Sometimes that doesn’t work right, and it’s a pain to install it on every workstation just so that you can go to the console once or twice in the lifetime of the workstation to install the software.

So during the antivirus installation, when it asked me for the IP address or “domain name” (it meant host name, but just try to talk to software developers about that one), I overrode the default name it put in there (server.domain.local), and tried to tell it to use host.domain.com, which I already had a valid SSL certificate for. Naturally, it refused. So I set it back to its default and finished installing the antivirus software.

Then I thought: “Wait a minute, this is a UCC, and I didn’t use all of the slots for SANs”.

So I logged into GoDaddy again, and looked around in the SSL area. It turns out there IS an option to add SANs to existing UCCs. I added “server.domain.local”. It told me that was going to need to be vetted. I waited a while, and checked the e-mail address on file for the domain, but nothing appeared. After a while, I called GoDaddy support. Turns out, that’s an unusual situation, which cannot be vetted in the normal way. The guy put me on hold for a while, worked with the SSL team, and managed to generate an approval request to the e-mail on file. I approved it, and the SAN was added to the UCC.

The GoDaddy instructions for adding a SAN to a UCC say that once it is added, you need to re-download it and install it on your server. OK, seems easy enough.

Wait a minute, there is no pending request to complete. How do I install this on the server? I suppose I could generate a new CSR and re-key the certificate, but there’s gotta be a better way. I called back and asked this question, and GoDaddy support did not have a good answer. So I re-keyed the cert, downloaded it, deleted the old one, and installed the new one. Then I edited the bindings on the websites to replace the cert.

Now I have a valid SSL certificate for the local FQDN of the server, as well as its internet-facing FQDNs.

And the antivirus software is happy.
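As an added example (not from the original post), here is a PowerShell check for the end state described above: it confirms that the certificate installed in the machine store actually lists both the internal and the public FQDN as SANs, then moves the site's https binding onto it. The host names and the IIS site name are assumptions; replace them with the real ones.

```powershell
# Added example, not code from the post. Verifies that an installed certificate's SAN list
# covers every name the AV console and the public sites answer on, then moves the IIS
# https binding to that certificate. Assumed values: the host names and the site name.
Import-Module WebAdministration

$requiredNames = @('host.domain.com', 'server.domain.local')   # public FQDN + internal FQDN (assumed)
$siteName      = 'Default Web Site'                            # assumed site hosting the console

function Get-MissingNames {
    # Returns the required names that the certificate's SAN list (CN as fallback) does not contain.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string[]]$Names)
    $covered = @($Cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() })
    return @($Names | Where-Object { $covered -notcontains $_.ToLower() })
}

# Only certificates with a private key and still valid can be bound; newest first.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotBefore -Descending

$cert = $candidates |
    Where-Object { (Get-MissingNames -Cert $_ -Names $requiredNames).Count -eq 0 } |
    Select-Object -First 1

if (-not $cert) {
    # Make the gap visible: typically the re-keyed cert was downloaded but never imported.
    foreach ($c in $candidates) {
        "{0}: missing {1}" -f $c.Subject, ((Get-MissingNames -Cert $c -Names $requiredNames) -join ', ')
    }
    throw "No installed certificate covers all of: $($requiredNames -join ', ')"
}

# Replace the certificate on the site's https binding, creating the binding if it is absent.
$binding = Get-WebBinding -Name $siteName -Protocol https | Select-Object -First 1
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
    $binding = Get-WebBinding -Name $siteName -Protocol https | Select-Object -First 1
}
$binding.AddSslCertificate($cert.Thumbprint, 'my')   # replaces whichever cert was bound before
"Bound {0} (expires {1:d}) to '{2}'" -f $cert.Thumbprint, $cert.NotAfter, $siteName
```

Note that publicly trusted CAs have not been permitted to issue certificates for internal names such as server.domain.local since November 2015, so the same approach today needs an internal CA for that SAN, or a public name for the console.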


Trend Micro: Are Trained Monkeys Adding Threat Classifications?

October 20th, 2009 by Paul Sterley | 1 Comment | Filed in Antivirus Software, Trend Micro

When I go to http://icanhascheezburger.com, which is a WordPress blog showing cute cat pictures with (sometimes) funny captions, the page loads OK, but then I get this pop-up error a few seconds later.

[Image: Trend Micro warning pop-up]

However, I did some research on js-kit.com, and found that it is a site that makes plug-ins for people to rate things in blog pages. There’s nothing sinister about it. I googled the heck out of it looking for anyone who was saying it was a malicious thing. I found none.
I went directly to the URL listed as being dangerous, and I got the following warning, again from Trend Micro:

[Image: Trend Micro warning detail]

So I went to www.js-kit.com, without the “ratings.js” on the end, and I learned that it is a site written by people who create plug-ins for blog sites, so people can rate how cool they thought particular items were. Again, nothing sinister.

However, I also noticed that when the page loaded, the Internet Explorer icon next to the Address Bar showed an icon that looks a little bit like the Trend Micro icon. It’s blue, it’s circular, and it has some squiggles in it – but it’s NOT the same icon, and they are not pretending to be Trend. They’re not spoofing, but I can see why a moron might think so. Here is the comparison between the two:

Trend icon: [Image: Trend Micro tray icon]

JS-Kit icon: [Image: JS-Kit icon]

Maybe an idiot might think those were the same icon, but I don’t.

Further information about JS-Kit:
They build plug-ins for blogs. Their site tells how to embed the plug-ins. It’s really pretty straightforward. Here are the instructions:

[Image: JS-Kit usage instructions]

…and here is a URL to their FAQ, telling all about what they do.
http://wiki.js-kit.com/FAQ+-+Navigator

I called Trend Micro support and asked about it. The tech did not have any idea why it was blocked, and when I showed him the JS-Kit icon, he actually made noises like he thought it was fishy, that it was a good reason for them to be blocked. I had to educate him about how the icons may be SIMILAR, but they are NOT the same.

I’ve submitted this information to Trend Micro. Hopefully they will see how dumb they are being and it will be removed from their block list.

In the meantime, I guess I’ll add it to my exclusion list.

Update: I just got this from Trend Micro Support (potentially sensitive info blocked out):

From: Trend Micro Technical Support
Sent: Wednesday, October 21, 2009 11:03 AM
To: Paul Sterley
Subject: [SR#-#-##########] [WFBS 6.0] Website Blocked

Hi Mr. Sterley,

Good Day!

The URL that you submitted has now been untagged on our detection list.

Please confirm.

It is beneficial for our records to be up to date, by simply REPLYING Back to this email. Please let me know if I was able to resolve your Concern(s) so I may formally close this case for you. A simple “Close this case” note would do.

Again, thank you for your time.

Sincerely yours,

Xxxxxxx Xxxxxxxx
Systems Engineer
NABU SMB Support, Trend Micro Inc.


Trend Micro WFBS Update Problem in SBS2008

January 26th, 2009 by Paul Sterley | 2 Comments | Filed in Antivirus Software, Not in the Windows Box, Trend Micro, Windows Server

I don’t know yet whether this is a problem that all SBS2008 machines will have with Trend Micro Worry-Free Business Security, or whether it’s just a weird problem that mine had.

I kept getting e-mails from the Trend Micro Security Server with the following message:
“Trend Micro Security Server – At least one Exchange server is outdated.”

LiveStatus showed the same thing: “At least one Exchange server is outdated.”
I expanded the Updates row and clicked the Deploy Now button as directed. No results.

In the Security Settings tab, selected the Exchange agent, and saw that the patterns are out of date.

In Reports -> Log Query, I ran the following report:
Time range: Today
Type: Exchange server
Content: Update logs

I saw this message, repeated: “Web server authentication was unsuccessful. An invalid username or password was entered. Please check your settings and make any necessary changes, and then try again.”

Tech Support told me to manually copy the updated pattern files (lpt$vpn###) in place, just in case the files were corrupt. This updated them once, but they refused to update automatically afterward.

Tech Support told me to create a new application pool in IIS which uses the LocalSystem built-in account, and switch the SMEX Website to use this new app pool. This was very promising, given the error message in the log, but it didn’t work.

Tech support told me to uninstall and reinstall the messaging security agent.

Tech support told me to reboot the server (the “Hail Mary” approach).

Finally, what solved the problem was an intuitive leap. I figured “Well, I’ve given the website all of the permissions it could want, and I’m still getting a web authentication error. Wait, what’s this other website here called OfficeScan?”

I assigned the custom application pool (the one that uses LocalSystem) to the OfficeScan website, and I have not had a problem updating since.

Update: The problem came back after an upgrade of the software. None of the items above solved the problem, although manually copying the patterns into place would shut it up for a while – until the next update.

I finally got fed up and simply set the NTFS security on the entire Trend Micro folder structure to Everyone:Modify. It’s not the most secure, that’s true – but it works. If Trend Micro can’t make their junk set its own security during the installation, I guess I’ll just have to run it with a lower security level – and keep my eyes out for the other antivirus vendors to make something less crappy than this.
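As an added example (not the post's own fix), this PowerShell grants Modify on the Trend Micro tree to a single identity instead of Everyone, and then lists any folder where Everyone still holds Modify or FullControl. The install root and the application pool name are assumptions; if the pool really runs as LocalSystem, the identity is NT AUTHORITY\SYSTEM.

```powershell
# Added example, not code from the post. Grants Modify on the Trend Micro folder tree to the
# one identity that writes the pattern files, then reports any Everyone ACE that still
# grants Modify or FullControl. Assumed: the install root and the application pool name.
$trendRoot = 'C:\Program Files\Trend Micro'      # assumed install root; adjust to the real one
$identity  = 'IIS AppPool\TrendUpdatePool'       # assumed pool identity (or 'NT AUTHORITY\SYSTEM')

$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
               $identity, $rights, $inherit,
               [System.Security.AccessControl.PropagationFlags]::None,
               [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $trendRoot
$acl.SetAccessRule($rule)          # one explicit ACE; subfolders receive it through inheritance
Set-Acl -Path $trendRoot -AclObject $acl

function Get-BroadEveryoneGrants {
    # Lists folders under $Root where Everyone is allowed Modify or FullControl.
    param([string]$Root)
    $dirs = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        (Get-Acl $d.FullName).Access |
            Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.FileSystemRights -match 'Modify|FullControl' } |
            ForEach-Object { [pscustomobject]@{ Path = $d.FullName; Rights = $_.FileSystemRights } }
    }
}

$broad = @(Get-BroadEveryoneGrants -Root $trendRoot)
if ($broad) {
    $broad | Format-Table -AutoSize
    Write-Warning "Everyone still has write access on $($broad.Count) folder(s); remove those ACEs once '$identity' has been seen to update successfully."
} else {
    "No Everyone write grants under $trendRoot; Modify was granted to '$identity' only."
}
```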
