
FSS tips, tricks, and requests.



#1 owen81 (Members, 3 posts)

Posted 02 February 2012 - 02:45 PM

FSS.exe is an excellent program; I can't sing its praises enough. That being said, it can be a bit tricky to get the issues fixed once you've identified them. This post is two things. The first is a description of how I take the information provided by FSS and manage to fix machines without a corresponding uninfected machine of the same flavor of Windows. The second is a request for the developer to add some features to make this process easier.
For anyone who's unfamiliar, the app is available at http://download.bleepingcomputer.com/farbar/FSS.exe
It can identify missing registry keys needed for internet connectivity, the firewall, or System Restore, and it also checks the MD5s of the associated files in system32 and system32\drivers.

If you've identified missing keys, you're going to need copies of the right keys. I've found someone else who compiled a zip for each type of Windows covered: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
While this has all the keys, you may need to edit permissions, in particular on the legacy keys, to be able to use the .reg file.

If FSS identifies that the firewall is turned off, just turn it back on using regedit (change the 0 to a 1 at the location given in FSS.txt).

Next we get to the .sys, .dll, and .exe files that get MD5-checked. These are all available on the Windows CDs in compressed files which can be opened with 7-Zip. For Windows XP they are on the CD at i368/drivers.cab, and for Windows Vista and 7 they're in sources/install.wim. If there are multiple flavors of Vista or 7 on the disk, read the XML file at the root of the WIM; it tells you which version of Vista or 7 corresponds to which numbered directory.

On occasion I've had machines where I replaced the files with incorrect MD5s from the disk like this and FSS still said the MD5s were incorrect. I'm not sure what the cause of this is, but at least I know the replaced file is no longer a rootkit component. (The most common reason I've had to use FSS is cleaning up after a rootkit infection.)

Now we get to the second part, the feature request. I know there is an Export Service and a Find Files feature, but these seem clunky. When I've got a good machine (or possibly just a clean disk), I just want to grab everything it's got wholesale so I can build a repository of solutions. Can we get something which, when all registry keys are correct and all MD5s match, can simply grab a copy of all the keys and files and dump them into a directory wherever FSS is run from, labelled with x32 or x64, the base type of Windows, and the specific flavor of that base (i.e. x32 Windows 7 Home Premium)? Even better, I don't think it's illegal to distribute the reg keys needed, so just grab the ones I linked above and bundle them in. The files, on the other hand, would be illegal, but making a script that would grab them off working installs or even the CDs shouldn't be (working installs are trivial; for the CDs, target the cab or wim on the disk, use 7z to open it, grab the appropriate files and MD5-check them). (Just like Windows XP PEs, which allow you to construct a PE from the XP disks, aren't illegal, but releasing them already built is.)
Finally, relating to the legacy keys, is there a way outside of permissions in regedit to alter the registry permissions? It would be handy to have something which can allow you to enter the legacy keys, then revert to normal permissions on them once you've added the appropriate entries.
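The procedure owen81 describes (pull the clean copy out of the install media with 7-Zip, MD5 both copies, and check the firewall value) as a PowerShell script. This is an added example by the editor, not code from the original post and not part of FSS. It assumes 7z.exe is on the PATH, that 7-Zip exposes the images inside install.wim as numbered top-level directories (the XML file at the WIM root maps numbers to editions), that for XP you point -Media at the driver cabinet under i386, that Get-FileHash is available (PowerShell 4 or later), and that the firewall value is EnableFirewall under the StandardProfile key named below; FSS.txt prints the exact key it checked, so adjust $fwKey to that.

```powershell
# Added example (editor's, not from the original post and not part of FSS).
# For each file FSS flagged, pull the reference copy out of the install media
# with 7-Zip, MD5 both copies, and report whether they match; optionally
# re-enable the firewall via the registry value FSS points at.
param(
    # Media container: sources\install.wim (Vista/7) or the XP driver cabinet.
    [Parameter(Mandatory = $true)][string]$Media,
    # Image number inside install.wim; the XML at the WIM root maps numbers to editions.
    [string]$WimImage = '1',
    # Files to check; replace with the names listed in FSS.txt.
    [string[]]$Files = @('afd.sys', 'tcpip.sys', 'netbt.sys', 'bfe.dll', 'mpssvc.dll'),
    # 7-Zip command-line binary (assumed on PATH).
    [string]$SevenZip = '7z.exe',
    [switch]$FixFirewall
)

$refDir = Join-Path $env:TEMP 'fss-reference'
New-Item -ItemType Directory -Force -Path $refDir | Out-Null

function Get-Md5([string]$Path) {
    # Get-FileHash needs PowerShell 4 or later.
    (Get-FileHash -Algorithm MD5 -LiteralPath $Path).Hash.ToLowerInvariant()
}

function Find-LiveCopy([string]$Name) {
    # Drivers live in System32\drivers, services and APIs in System32.
    foreach ($dir in @('System32\drivers', 'System32')) {
        $candidate = Join-Path $env:SystemRoot (Join-Path $dir $Name)
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function Export-ReferenceCopy([string]$Name) {
    # 7-Zip 'e' extracts without directory structure; -r recurses so the match is
    # found whether it sits in System32 or System32\drivers. 7-Zip shows a WIM's
    # images as numbered top-level directories (1\Windows\..., 2\Windows\...).
    $pattern = if ($Media -like '*.wim') { "$WimImage\Windows\System32\$Name" } else { $Name }
    & $SevenZip e $Media "-o$refDir" -r -y $pattern | Out-Null
    $out = Join-Path $refDir $Name
    if (Test-Path -LiteralPath $out) { return $out }
    return $null
}

$results = foreach ($name in $Files) {
    $live    = Find-LiveCopy $name
    $ref     = Export-ReferenceCopy $name
    $liveMd5 = if ($live) { Get-Md5 $live } else { $null }
    $refMd5  = if ($ref)  { Get-Md5 $ref }  else { $null }
    [pscustomobject]@{
        File    = $name
        Live    = $live
        LiveMD5 = $liveMd5
        RefMD5  = $refMd5
        Status  = if (-not $live) { 'MISSING on system' }
                  elseif (-not $ref) { 'not found on media' }
                  elseif ($liveMd5 -eq $refMd5) { 'match' }
                  else { 'MISMATCH' }
    }
}
$results | Format-Table -AutoSize

# Firewall state. Assumed location; FSS.txt prints the exact key it checked.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = (Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
Write-Host "EnableFirewall (StandardProfile) = $fw"
if ($FixFirewall -and $fw -ne 1) {
    Set-ItemProperty -Path $fwKey -Name EnableFirewall -Value 1 -Type DWord
    Write-Host 'EnableFirewall set to 1; restart the Windows Firewall service or reboot.'
}
```

The script only reports; the extracted reference copies are left in %TEMP%\fss-reference. A loaded driver such as tcpip.sys cannot be overwritten on the running system, so copy the reference over from WinPE or a recovery environment. A MISMATCH is not by itself a verdict: a hotfix or service pack newer than the media will also change the MD5, which is the same reason FSS may still list a hash after you replace the file from the disk.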

#2 Grinler (Lawrence Abrams, Admin, 43,504 posts, Location: USA)

Posted 02 February 2012 - 04:03 PM

> While this has all the keys, you may need to edit permissions, in particular on the legacy keys, to be able to use the reg file.

I will let Farbar answer the rest, but I want to make one note. I know a lot of people feel it's necessary to recreate the legacy keys. The reality is that there is just no reason to replace them. Instead, you're better off just deleting the legacy key altogether and rebooting. The legacy keys will then be recreated when the service starts.

#3 thisisu (Malware Response Team, 2,525 posts, Location: USA)

Posted 02 February 2012 - 04:19 PM

> Instead your better off just deleting the legacy key altogether and reboot. The legacy keys will then be recreated when the service starts.

I did not know that, thanks for sharing. :)

#4 Farbar (Security Developer, 21,696 posts, Location: The Netherlands)

Posted 02 February 2012 - 04:27 PM

Thanks for your interest in the tool.

As far as the MD5s are concerned, FSS doesn't say an MD5 is not correct. The tool has a database, updated from time to time, that it uses to judge whether an MD5 is legit. The newest legit version of a file and the very old versions (on a CD or DVD) are intentionally left out of the database. The old ones are left out to emphasize the need to update in order to be safe, and the newest ones have not yet been studied to establish that their MD5 is legit. So listing an MD5 instead of reporting the file doesn't necessarily mean it is not legit. But a file without a company name is always a bad file.

As far as those requests are concerned, the tool is designed only for diagnosis purposes. It shall not be developed to make any change to the system, copy any registry key, copy any file, or alter any permissions. Those who intend to use the tool are expected to be able to read the log, see what is needed and which version is needed, and do the rest.
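A triage step for a file whose MD5 FSS listed rather than vouched for, following Farbar's rule that a file with no company name is bad. This is an added example by the editor, not FSS code. It assumes the file carries a version resource (that is where CompanyName comes from) and that Get-AuthenticodeSignature and Get-FileHash are available. Note that most Windows system files are catalog-signed rather than carrying an embedded signature, so on Windows 7 the signature column will often read NotSigned for a perfectly good file; treat it as supporting evidence, and treat a Microsoft company name as a reason to compare the MD5 against a clean reference rather than as proof, since version strings can be copied.

```powershell
# Added example (editor's, not FSS code): triage one file whose MD5 FSS listed
# rather than vouched for. Per Farbar, no company name means a bad file; a
# Microsoft company name only tells you the file is worth comparing against a
# clean reference copy or the next FSS database update.
function Get-FileProvenance {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $ver  = $item.VersionInfo
    # Catalog-signed system files show up as NotSigned on Windows 7 here, so the
    # signature status is supporting evidence, not the verdict.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $company = $ver.CompanyName

    $verdict = if ([string]::IsNullOrWhiteSpace($company)) {
        'BAD: no company name'
    } elseif ($company -notmatch 'Microsoft') {
        'SUSPECT: non-Microsoft company name in a system directory'
    } elseif ($sig.Status -eq 'Valid') {
        'LIKELY OK: Microsoft company name and valid signature; still compare MD5 with a clean reference'
    } else {
        'UNVERIFIED: company name OK, no embedded signature; compare MD5 with a clean reference'
    }

    [pscustomobject]@{
        File        = $item.Name
        MD5         = (Get-FileHash -Algorithm MD5 -LiteralPath $Path).Hash
        FileVersion = $ver.FileVersion
        CompanyName = $company
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Verdict     = $verdict
    }
}

# Usage: feed it the files whose MD5 FSS printed (these two are placeholders).
'afd.sys', 'tcpip.sys' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\drivers\$_" } |
    ForEach-Object { Get-FileProvenance $_ } |
    Format-List
```

For a catalog-signed file, sfc /verifyfile=<path> (Vista and later) asks Windows itself whether the file matches its protected copy, which is a stronger check than the embedded-signature status shown here.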

#5 owen81 (Topic Starter, Members, 3 posts)

Posted 03 February 2012 - 11:56 AM

Forgot to mention, I always grab those files from slipstreamed disks, so they should be reasonably up to date, and I'd recommend the same to others if you _need_ to use a disk to grab the files (an updated and uninfected machine is always the best place to grab those files if you can). I assume the MD5s change because MS decided to patch something, and they decided to patch something to fix some vulnerability, make it more stable, or add some functionality. I also assume that once the hotfix or SP is listed as installed, Windows won't decide to update that file to the newer and correct form unless a new hotfix is released (or SP, but those are just rolled-up hotfixes if I'm not mistaken). Just a random thought here, but possibly funny enough, my guess is a lot of things that might exploit the old service would check banners or something akin to that for services, which will list the version Windows thinks it has, so the exploit may not choose to attack something which is in fact an older and vulnerable version.

Grinler: I didn't realize those were created when the service runs; I assumed it was at a System Restore point or some such. Nice to know. It means it's that much easier to fix these issues.

Farbar: Nice to know how your MD5 rules work and, accordingly, why my MD5s sometimes do and sometimes don't match what you're looking for. Also nice to know about the MS signing, or lack thereof, as one of the things to look for when there's an MD5 mismatch with your DB.
Understandable that this is for diagnosis, not fixing, so you have no intent to add that functionality. I've gotten by just fine using the diagnoses given to fix the problems so far, and in fact those diagnoses have shed light on problems that would otherwise have been very difficult to ferret out.
Thanks again for the wonderful tool.

Finally are there any, or could there be any, command line switches for FSS so I could scan for all of the services you check from the command line?

#6 Farbar (Security Developer, 21,696 posts, Location: The Netherlands)

Posted 03 February 2012 - 12:30 PM

You are most welcome, and thanks for understanding and the kind words.

> Finally are there any, or could there be any, command line switches for FSS so I could scan for all of the services you check from the command line?

FSS doesn't use the command line to do its job. With "Search File" and "Export Service" it gives the needed extras to do what is needed.

There are cmd commands to do what FSS does, but it requires some more effort. If you want them I can give you those commands. But why do you need them if FSS does it for you? FSS is made to do the diagnosis without the need for a batching background. As you have already mentioned, a restore operation will do the job.

#7 owen81 (Topic Starter, Members, 3 posts)

Posted 03 February 2012 - 02:28 PM

I was considering making a wrapper which would launch FSS on a full scan, then parse its log file to kludge in some of the features I wanted. I know I could do the things you do via the command line, but it seems such a waste to recreate everything you do when you do what I want so well. I'll probably just manually run FSS, then launch my stuff to parse the log and do what I want from there; it would just have been convenient to wrap it all up in one bundle.

#8 Farbar (Security Developer, 21,696 posts, Location: The Netherlands)

Posted 03 February 2012 - 05:38 PM

Good luck and thanks again for making the effort.
