Adobe CC and UEM

This post was originally published on this site




I’m trying to setup Adobe CC 2018 on an app stack. I have been able to capture the application on a stack fine. The challenge I have is to capture the actions of accepting the license agreement and to logon to the adobe cloud for licensing using UEM.



Here is what happens:

User logs on > Opens a component of CC > users is asked to accept the license agreement then user is asked to logon to the cloud for the license. User logs off > vm gets deleted/rebuilt (Persistent Instant Clone) > User logs on > Opens a component of CC > user is asked to accept the license agreement then user is asked to logon to the cloud for the license.

Has anyone figure out a way to address this with UEM?


Current Environment

Horizon 7.3.2

App Vols.




Upgrading soon to

Horizon 7.5.1

App Vols. 2.14

UEM 9.4

Adding NIC to HP DL580 Gen9 running ESXi 5.5U3

This post was originally published on this site

Having some troubles with our HP DL580 that I was hoping I could get some suggestions for;


When we build our ESXi servers, we set the BIOS settings and Legacy BIOS mode via the profile templates in HP OneView.

We have just finished configuring a HP DL580 Gen9 with our standard build scripts and SPP but were asked to provide an additional, dedicated connection to provide a direct network path for patching.


Generally the server is built with 2 x CNE1200 NICs and 2 x LPe12000 HBA. To accommodate the client’s request, we added an additional CNE1200 NIC to the server, ran the SPP again to apply drivers and restarted the server (new total 3 x CNE1200 NICs on DL580 Gen9)


When the server comes back online after installing the NIC, we are issued the following error message:

1706-The Extended BIOS Data Area in Server Memory has been Overwritten – Smart Array Interrupt 13h BIOS Cannot Continue – System Halted


During some troubleshooting, I noticed that if I revert the server BIOS setting to UEFI mode, it will circumvent this error and it appears that ESXi 5.5U3 loads up properly and I am able to interact with the server in vCenter no problem. We are able to configure and utilize the server properly at this stage but if I try to revert the BIOS settings to Legacy Mode, it will present the 1706-error message again.


I was poking around based on some articles I saw online regarding similar errors others have dealt with; and I noticed that the Smart Array Storage Administrator fails to load as well – the screen gets stuck on the ‘loading drivers’ portion of the built-in application.


Is there a reason to be using Legacy BIOS in ESXi 5.5U3 if I am able to boot to the OS?

I read that swapping between the 2 was not supported after installation but I have been able to do so without any obvious adverse behaviour in the system

Is there a recommended process/steps I can follow for adding hardware such as NICs to an already running server configuration?

Would a full re-imaging of the server be recommended to have this new hardware function properly?


I can try to provide any additional, relevant information in determining the underlying cause should it be required


Thanks for any help you guys can offer

TA18-201A: Emotet Malware

This post was originally published on this site

Original release date: July 20, 2018

Systems Affected

Network Systems


Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.

This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).


Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local networks through incorporated spreader modules.

Figure 1: Malicious email distributing Emotet

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

  1. NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
  2. Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
  3. WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
  4. Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
  5. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).
Figure 2: Emotet infection process

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet artifacts are typically found in arbitrary paths located off of the AppDataLocal and AppDataRoaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.

Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware.

Example Filenames and Paths:

C:Users<username>AppData LocalMicrosoftWindowsshedaudio.exe

C:Users<username>AppDataRoamingMacromediaFlash Playermacromediabinflashplayer.exe

Typical Registry Keys:




System Root Directories:






Negative consequences of Emotet infection include

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.


NCCIC and MS-ISAC recommend that organizations adhere to the following general best practices to limit the effect of Emotet and similar malspam:

  • Use Group Policy Object to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At a minimum, create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
  • Use antivirus programs, with automatic updates of signatures and software, on clients and servers.
  • Apply appropriate patches and updates immediately (after appropriate testing).
  • Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  • If your organization does not have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security or IT department.
  • Mark external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails.
  • Provide employees training on social engineering and phishing. Urge employees not to open suspicious emails, click links contained in such emails, or post sensitive information online, and to never provide usernames, passwords, or personal information in answer to any unsolicited request. Educate users to hover over a link with their mouse to verify the destination prior to clicking on the link.
  • Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files.
  • Adhere to the principal of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
  • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.

If a user or organization believes they may be infected, NCCIC and MS-ISAC recommend running an antivirus scan on the system and taking action to isolate the infected workstation based on the results. If multiple workstations are infected, the following actions are recommended:

  • Identify, shutdown, and take the infected machines off the network;
  • Consider temporarily taking the network offline to perform identification, prevent reinfections, and stop the spread of the malware;
  • Do not log in to infected systems using domain or shared local administrator accounts;
  • Reimage the infected machine(s);
  • After reviewing systems for Emotet indicators, move clean systems to a containment virtual local area network that is segregated from the infected network;
  • Issue password resets for both domain and local credentials;
  • Because Emotet scrapes additional credentials, consider password resets for other applications that may have had stored credentials on the compromised machine(s);
  • Identify the infection source (patient zero); and
  • Review the log files and the Outlook mailbox rules associated with the infected user account to ensure further compromises have not occurred. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach.


MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s SLTT governments. More information about this topic, as well as 24/7 cybersecurity assistance for SLTT governments, is available by phone at 866-787-4722, by email at, or on MS-ISAC’s website at

To report an intrusion and request resources for incident response or technical assistance, contact NCCIC by email at or by phone at 888-282-0870.


    Revision History

    • July, 20 2018: Initial version

    This product is provided subject to this Notification and this Privacy & Use policy.

    Vcenter installation Failure: “Failed to send http data”

    This post was originally published on this site



    I am trying to install vcenter and keep getting this error. I have disabled my firewall and still get the error. Please help!


    2018-07-03T14:37:44.444Z – info: output:PROGRESS


    2018-07-03T14:37:50.279Z – info: output:


    2018-07-03T14:37:50.279Z – info: output:


    2018-07-03T14:37:50.279Z – info: output:ERROR

    + <Errors>

    + <Error>

    + <Type>ovftool.http.send</Type>

    + <LocalizedMsg>

    + Failed to send http data

    + </LocalizedMsg>

    + </Error>

    + </Errors>



    2018-07-03T14:37:52.414Z – info: output:RESULT

    + ERROR



    2018-07-03T14:37:52.415Z – info: Xml output from ovftool: <data><ManifestValidate valid=”true”/><Errors><Error><Type>ovftool.http.send</Type><LocalizedMsg>Failed to send http data</LocalizedMsg></Error></Errors></data>

    2018-07-03T14:37:52.415Z – error: Ovf Service:vmrefFlag: false

    2018-07-03T14:37:52.416Z – info: Cancelling timeout due to error from progress callback

    2018-07-03T14:37:52.416Z – error: Progress Controller: [VCSA ERROR] – Progress callback error

    2018-07-03T14:37:52.416Z – error: Progress Controller: [VCSA ERROR] – Details Failed to send http data

    2018-07-03T14:37:52.419Z – info: Cancelling the ping timer for session mgmt

    2018-07-03T14:37:52.419Z – info: Cancelling the ping timer for session mgmt

    2018-07-03T14:37:52.437Z – info: ovfProcess child process exited with code 1