Horizon Win10 logon black screen delay

This post was originally published on this site

I’m building a 1909 Win 10 gold image VM and I’m running into an issue of a black screen delay when Windows begins to log in.

 

6.7U3

Horizon 7.10

DEM 7.11

 

1.  Hosts are using physical Nvidia GPUs.

2.  Ran the OSOT allowing Windows updates along with a couple of apps (Calculator etc.). Everything else is pretty much default using the Windows 10 1909-2004 template.

3.  I’m currently running an earlier build in production; during logon, all I see is "waiting" with a delayed spinning circle, which eventually goes to "Preparing Desktop" (the circle runs smoother in this stage) followed by an immediate Windows desktop. In the current 1909 build that I’m getting prepared for production, it goes through at logon with "applying VMware DEM", GPOs etc. displayed on the screen; once that’s complete it goes to "preparing" for a few seconds and then to a solid black screen that is delayed by like 15 seconds… It also seems that the startup apps take longer to start in this build post-optimizations as well. Has anyone experienced this?

4.  Lastly, everything else is great other than the dreaded Start menu click delaying for 3 seconds or so; sometimes it’s immediate, but most times there is a noticeable delay with the Start button as well as Windows search. Is there anything that addresses this outside of the OSOT that I’m missing?

 

Thanks for any insight!

WSO UEM 2005 issues with on-prem?


I’m getting ready to upgrade from 1907 and was wondering if anyone has upgraded to 2005 on-prem. If you have upgraded, did you experience any issues?

 

I’m upgrading to get to the latest version and also to resolve an issue where the VMware Tunnel (via the UAG) will lose its credentials every 6 months and stop working. Also, there was an issue where the Tunnel settings page wouldn’t load because of a similar issue.

 

I could go to 2001 but will be in the same boat soon enough where I need to upgrade.

 

Any feedback is appreciated.

 

Joe Beaty

DatastoreCluster Reporting


Hey all,

 

Is it possible to report on all the datastores that are in the cluster?  For instance, we have a Datastore Cluster that has 16 datastores inside of it.  I want to traverse by each cluster and get results for the entire Datastore Cluster and not each individual datastore.  This is what I have been using but it returns every single datastore. 

 

# One row per datastore; the DSC column is resolved per datastore, so nothing
# here rolls the numbers up to the Datastore Cluster level.
Get-Datastore |
Select @{N='Datacenter';E={$_.Datacenter.Name}},
    @{N='DSC';E={Get-DatastoreCluster -Datastore $_ | Select -ExpandProperty Name}},
    Name,CapacityGB,@{N='FreespaceGB';E={[math]::Round($_.FreespaceGB,2)}},
    # Provisioned = used + uncommitted (thin-provisioned space promised but not yet written)
    @{N='ProvisionedSpaceGB';E={[math]::Round(($_.ExtensionData.Summary.Capacity - $_.ExtensionData.Summary.FreeSpace + $_.ExtensionData.Summary.Uncommitted)/1GB,2)}},
    @{N='UnCommittedGB';E={[math]::Round($_.ExtensionData.Summary.Uncommitted/1GB,2)}},
    @{N='VM';E={$_.ExtensionData.VM.Count}} | Format-Table -AutoSize

preferred audio output


Hi all,

Horizon 7.10

Windows 10 1903

Linked Clones

 

We have two different types of clients which use two separate types of audio hardware. Our issue is that a subset of users are having to set the audio driver every time they log in.

 

The default audio driver in the golden image is the VMware audio driver.

 

We have some users that use a zero client to connect to our VDI environment and use a headset with microphone. The only way to get the headset and mic to work is to use the Teradici audio driver.

 

Each user has the audio output option of VMware or Teradici. When they choose the audio driver, it’s reset after logoff/logon.

 

How can we solve this?

 

Thank you.

AA20-182A: EINSTEIN Data Trends – 30-day Lookback


Original release date: June 30, 2020

Summary

Cybersecurity and Infrastructure Security Agency (CISA) analysts have compiled the top detection signatures that have been the most active over the month of May in our national Intrusion Detection System (IDS), known as EINSTEIN. This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats.

An IDS is a network tool that uses sensors to monitor inbound and outbound traffic for suspicious activity or known threats, alerting analysts when a specific traffic pattern matches an associated threat. An IDS allows users to deploy signatures on these boundary sensors to look for the specific pattern, or network indicator, associated with a known threat.

The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian departments and agencies. By collecting information from participating federal departments and agencies, CISA builds and enhances our Nation’s cyber-related situational awareness.

The signatures CISA created are included below for analysts across various organizations to use in enhancing their own network defenses. Note: CISA created and tested these signatures in an environment that might not be the same for all organizations, so administrators may need to adapt them before using them in their local environments.

Technical Details

Note: the Snort signatures below accounted for over 90 percent of the potential threats that CISA analysts identified with the IDS during the period.

1. NetSupport Manager RAT

Description

The NetSupport Manager Remote Access Tool (RAT) is a legitimate program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to steal information. Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications.

Examples

In January 2020, Palo Alto researchers observed the abuse of NetSupport in targeted phishing email campaigns.[1] In November 2019, Zscaler researchers observed “software update-themed” campaigns tricking users into installing a malicious NetSupport Manager RAT.[2] The earliest malicious use of NetSupport was seen in a phishing email campaign—reported by FireEye researchers in April 2018.[3]

Snort Signature

alert tcp any any -> any $HTTP_PORTS (msg:"NetSupportManager:HTTP Client Header contains 'User-Agent|3a 20|NetSupport Manager/'"; flow:established,to_server; flowbits:isnotset,.tagged; content:"User-Agent|3a 20|NetSupport Manager/"; http_header; fast_pattern:only; content:"CMD="; nocase; http_client_body; depth:4; content:"POST"; nocase; http_method; flowbits:set,.; classtype:http-header; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:url,www.pentestpartners.com/security-blog/how-to-reverse-engineer-a-protocol/; reference:url,github.com/silence-is-best/c2db;

2. Kovter

Description

Kovter is a fileless Trojan with several variants. It began as police-themed ransomware that tricked victims into believing they owed their local police a fine. Actors have since used Kovter for click-fraud operations and to send stolen information from infected machines to command and control servers. Kovter’s evolving features have allowed this malware to rank among the Center for Internet Security’s most prolific malware year after year.[4] See CISA’s Webinar on Combatting Ransomware for additional information on Kovter.

Snort Signature

alert tcp any any -> any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server"; flow:established,to_server; flowbits:isnotset,.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; classtype:nonstd-tcp; reference:url,www.malware-traffic-analysis.net/2017/06/29/index2.html;

3. XMRig

Description

XMRig is a type of cryptocurrency miner that uses the resources of an unsuspecting infected machine to mine Monero—a type of cryptocurrency. XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active.

Snort Signature

alert tcp any any -> any !25 (msg:"XMRIG:Non-Std TCP Client Traffic contains JSONRPC 2.0 Config Data"; flow:established,to_server; flowbits:isnotset; content:"|22|jsonrpc|22 3a 22|2.0|22|"; distance:0; content:"|22|method|22 3a 22|login|22|"; distance:0; content:"|22|agent|22 3a 22|XMRig"; nocase; distance:0; fast_pattern; content:"libuv/"; nocase; distance:0; content:!"|22|login|22 3a 22|x|22|"; flowbits:set,; classtype:nonstd-tcp; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1101;
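The three signatures above are built from a handful of Snort primitives: ordered content matches (distance:0), negated content, a depth limit that pins a header to the start of the buffer, and PCREs over the header and body buffers. The following is an added example, not part of the CISA alert and not CISA's code: it re-implements each rule's match conditions in plain Python so an analyst can exercise them against captured or constructed traffic before loading the rules into a sensor. Everything it is fed is constructed here for the demonstration, not real captures: the HTTP requests, the stratum login message, the TEST-NET IP addresses, the wallet string and the XMRig version string. The redacted flowbits, the $HTTP_PORTS variable and Snort's HTTP header normalisation are not modelled; the !25 port exclusion on the XMRig rule is.

```python
"""Plain-Python re-implementation of the three Snort signatures' match conditions; added example, not CISA's code."""
import base64
import re
from typing import Dict, Tuple

CRLF = b"\r\n"
# Kovter header pcre (/H) with its escapes restored: fixed header order,
# dotted-quad Host, Content-Length 100-59999, then Cache-Control or Pragma.
KOVTER_HEADER_RE = re.compile(
    rb"User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\n"
    rb"Content-Length\x3a\x20[1-5][0-9]{2,3}\r\n"
    rb"(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$")
# Kovter body pcre (/P): the entire POST body is one base64 blob.
KOVTER_BODY_RE = re.compile(
    rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")

def split_http(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """(request line, header buffer, body); the header buffer starts after the request
    line and keeps its CRLF CRLF terminator, approximating Snort's http_header buffer."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:                      # not an HTTP request: nothing can match
        return b"", b"", b""
    request_line, _, headers = head.partition(CRLF)
    return request_line, headers + CRLF + CRLF, body

def match_netsupport(raw: bytes) -> bool:
    """Rule 1: POST, 'User-Agent: NetSupport Manager/' in the headers, body starts 'CMD='."""
    request_line, headers, body = split_http(raw)
    return (request_line.split(b" ", 1)[0].upper() == b"POST"
            and b"User-Agent: NetSupport Manager/" in headers
            and body[:4].upper() == b"CMD=")         # depth:4, nocase

def match_kovter(raw: bytes) -> bool:
    """Rule 2: exact request line, Content-Type as first header (depth:47 == its length),
    Mozilla UA, no Accept/Referer/Cookie, no LOADCURRENCY, base64 body, strict header order."""
    _, headers, body = split_http(raw)
    return (raw.startswith(b"POST / HTTP/1.1")
            and headers.startswith(b"Content-Type: application/x-www-form-urlencoded")
            and b"User-Agent: Mozilla/" in headers
            and b"LOADCURRENCY" not in raw.upper()
            and b"Accept" not in headers             # also rules out Accept-* headers
            and b"Referer:" not in headers
            and b"cookie:" not in headers.lower()
            and KOVTER_BODY_RE.match(body) is not None
            and KOVTER_HEADER_RE.search(headers) is not None)

def match_xmrig(payload: bytes, dst_port: int) -> bool:
    """Rule 3: any port but 25; JSON-RPC tokens in order (distance:0 chains the searches),
    'agent':'XMRig' and 'libuv/' case-insensitive; not the placeholder login 'x'."""
    if dst_port == 25:
        return False
    pos = 0
    for token, nocase in ((b'"jsonrpc":"2.0"', False), (b'"method":"login"', False),
                          (b'"agent":"xmrig', True), (b'libuv/', True)):
        pos = (payload.lower() if nocase else payload).find(token, pos)
        if pos < 0:
            return False
        pos += len(token)
    return b'"login":"x"' not in payload

# Constructed samples (TEST-NET addresses, placeholder wallet and version); not real captures.
NETSUPPORT_POST = (b"POST /fakeurl.htm HTTP/1.1\r\n"
                   b"User-Agent: NetSupport Manager/1.3\r\n"
                   b"Host: 198.51.100.7\r\n\r\n"
                   b"CMD=POLL\r\nINFO=1\r\n")

def kovter_sample(body: bytes) -> bytes:
    """Kovter-shaped beacon to a bare-IP host in the header order the rule expects."""
    return (b"POST / HTTP/1.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0)\r\n"
            b"Host: 203.0.113.10\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Cache-Control: no-cache\r\n\r\n" + body)

def xmrig_sample(login: bytes) -> bytes:
    """Stratum login in the shape XMRig sends it."""
    return (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"' + login
            + b'","pass":"x","agent":"XMRig/5.11.1 (Windows NT 10.0; Win64; x64) '
            b'libuv/1.34.0 msvc/2019","algo":["cn/r","rx/0"]}}\n')

def run_samples() -> Dict[str, bool]:
    """One positive and the instructive negatives per rule."""
    body = base64.b64encode(bytes(range(90)))      # 120 base64 chars -> Content-Length 120
    beacon = kovter_sample(body)
    wallet = b"4" + b"A" * 94                      # placeholder, not a real address
    return {
        "netsupport_post": match_netsupport(NETSUPPORT_POST),
        "netsupport_get": match_netsupport(NETSUPPORT_POST.replace(b"POST", b"GET", 1)),
        "kovter_beacon": match_kovter(beacon),
        "kovter_with_referer": match_kovter(
            beacon.replace(b"Host:", b"Referer: http://203.0.113.10/\r\nHost:", 1)),
        "kovter_short_body": match_kovter(kovter_sample(base64.b64encode(b"ping"))),
        "xmrig_login": match_xmrig(xmrig_sample(wallet), 3333),
        "xmrig_placeholder_login": match_xmrig(xmrig_sample(b"x"), 3333),
        "xmrig_smtp_port": match_xmrig(xmrig_sample(wallet), 25),
    }
```

Calling run_samples() returns one alert per positive sample and no alert for the negatives. The negatives are the point worth studying before deployment: a Referer header, a Content-Length under 100 bytes or any reordering of the User-Agent/Host/Content-Length/Cache-Control block suppresses the Kovter rule, so it is precise against the beacon format seen in 2017 but easy for a later variant to slip past; the XMRig rule deliberately ignores the default login "x" and port 25, which is why a miner configured with a placeholder wallet or tunnelled over SMTP would go unseen by it.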

Mitigations

CISA recommends using the following best practices to strengthen the security posture of an organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
  • Ensure systems have the latest security updates. See Understanding Patches and Software Updates.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ permissions to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy. See Choosing and Protecting Passwords.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
  • Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). Sign up to receive CISA’s alerts on security topics and threats.
  • Sign up for CISA’s free vulnerability scanning and testing services to help organizations secure internet-facing systems from weak configuration and known vulnerabilities. Email vulnerability_info@cisa.dhs.gov to sign up. See https://www.cisa.gov/cyber-resource-hub for more information about vulnerability scanning and other CISA cybersecurity assessment services.

Resources

https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/
https://www.zdnet.com/article/new-lokibot-trojan-malware-campaign-comes-disguised-as-a-popular-game-launcher/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless
https://www.varonis.com/blog/what-is-mimikatz/

References

Revisions

  • June 30, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

BSOD on Workstation Pro 15.5.6 (running RHEL 7.7 Guest).


Hi;

 

I just got a BSOD running a Windows 10 Host (1909). I was running a RHEL 7.7 Linux Guest full-screen at the time. (I had just returned from a break).

 

I got a mini-dump and a memory.dmp.

 

Running windbg against the memory.dmp calls out what looks to the casual observer like Workstation driver and process references:

 

“FAULTING_PROCESSOR: 6

 

PROCESS_NAME:  vmware-vmx.exe

 

FAULTING_THREAD:  ffffdd86e5270080″

 

and

 

STACK_TEXT: 

ffff8603`bfddf468 fffff801`4f778228 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : vmx86+0x100a

ffff8603`bfddf470 fffff801`4f77abdb : 00000000`00000000 00000000`00000000 ffff8603`bfddf938 00000000`00000000 : vmx86+0x8228

ffff8603`bfddf5b0 fffff801`4f771f13 : 00000000`000001b0 00000000`00000001 ffff8603`bfddf938 ffffdd87`01c65430 : vmx86+0xabdb

ffff8603`bfddf680 fffff801`4f77293e : 00000000`00000000 fffff801`391543a9 00000000`00000000 fffff801`38f132d4 : vmx86+0x1f13

ffff8603`bfddf860 fffff801`394b2a2b : 00000000`000003f8 fffff801`38f13269 00000000`00000000 ffffdd86`fab5d7a0 : vmx86+0x293e

ffff8603`bfddf8c0 fffff801`394b22f6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x71b

ffff8603`bfddf9e0 fffff801`38fd3c18 : 00000000`746c6644 ffff8603`bfddfa00 00000000`00000000 ffff8f85`bb997c40 : nt!NtDeviceIoControlFile+0x56

ffff8603`bfddfa50 00007ffe`f23dc154 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28

00000073`dc9ff5c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`f23dc154

 

 

STACK_COMMAND:  .thread 0xffffdd86e5270080 ; kb

 

SYMBOL_NAME:  vmx86+100a

 

MODULE_NAME: vmx86

 

IMAGE_NAME:  vmx86.sys

 

BUCKET_ID_FUNC_OFFSET:  100a

 

FAILURE_BUCKET_ID:  CLOCK_WATCHDOG_TIMEOUT_INTERRUPTS_DISABLED_vmx86!unknown_function”

 

I’ll attach the entire !analyze -v output. (I’m only familiar enough with WinDbg to produce the !analyze output at this time, so I’m not sure what else would be helpful).

 

Is this an issue with the Workstation driver? The system has an E5-1650 V4 Xeon CPU, for what it’s worth.

 

Thanks;

Dual monitor not working


I’m trying to figure out how to use 2 monitors. I’m running Ubuntu 18.04 with a 4K monitor and an HD monitor. Both are recognized and work fine on the local machine.

The Horizon client is version 5.4.1 build 15988340.

 

I’m connecting to a Windows 10 VM on a corporate network. In the guest Display settings, I only see a single display, which is the 4K monitor, so that is the first question: is true dual monitor at the guest OS level supported? At some point I could see both monitors in some Horizon view, similar to what Windows would show, i.e. 2 boxes that can be moved to be side by side or stacked, and they had checkable marks on them (checking both and applying did not show the 2nd monitor). But I no longer see any option in the Horizon menu to show this view.

 

So I do not see any way to pick 2 monitors.

 

I have also tried stretching the guest desktop image across monitors in one of two ways.

 

1) If I position the desktop so that it overlaps both local monitors and select full screen - all monitors, then I get a very distorted image where it looks like it has dropped the resolution to HD. It is virtually unusable.

 

2) I tried from windowed mode, with the desktop on the 4K monitor, dragging the vertical border onto the HD monitor. But for each pixel column the desktop is extended, it ‘robs’ a pixel on the other side, i.e. it turns black, so that there are never more than 3840 pixels on the virtual desktop.

 

Is this all consistent with what is supported in the Linux Horizon client, or is there some way to run 2 monitors with independent resolutions?