Category Archives: Misc.

YARA’s XOR Modifier, (Mon, Oct 14th)

YARA searches for strings inside files. Strings to search for are defined with YARA rules.

YARA 3.8.0 introduced support for searching for XOR-encoded strings. Adding the modifier xor to a string definition makes YARA 3.8.0 search for that string XOR-encoded with a single-byte key, trying every key from 1 to 255.

Here is an example of a string with the xor modifier.

    rule xor_test {
        strings:
            $a = "https://isc.sans.edu" xor
        condition:
            $a
    }

In this YARA version the xor modifier does not match the unencoded string: key 0 (which leaves the string unchanged) is not among the keys tried.

That was not the intended behaviour, and it was fixed in version 3.10.0.

Since that version, the same rule also matches the unencoded string.

With the latest version of YARA, 3.11.0, a YARA rule developer now has control over which XOR key range the xor modifier uses.

This is done by specifying an optional minimum-key – maximum-key range after the xor modifier, like this: xor(min-max). Without a range, xor is equivalent to xor(0x00-0xFF).

The following rule has an xor modifier with key range 0x01-0xFF (minimum and maximum keys can be specified as decimal or hexadecimal values).

    rule xor_test {
        strings:
            $a = "https://isc.sans.edu" xor(0x01-0xFF)
        condition:
            $a
    }

Because key 0x00 is excluded from the range, this rule will not match the unencoded string; it only matches the XOR-encoded variants. Narrowing the range is also a way to avoid a rule firing on the plaintext when you want it to flag obfuscated copies only.
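As an added illustration (example code written for this page, not part of the diary and not YARA's own implementation), the following Python emulates what the single-byte xor modifier does for a given key range, so you can see why the default range matches the plaintext and xor(0x01-0xFF) does not. The sample buffer, the key 0x42 and the offsets are constructed for the example; the yara_rule helper only renders the rule text shown in the diary in both syntaxes.

```python
# Added example (not from the diary): emulate YARA's single-byte `xor` modifier
# over a key range, to show why xor(0x01-0xFF) cannot match the plaintext string.
from typing import List, Optional, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def xor_scan(buf: bytes, pattern: bytes,
             key_min: int = 0x00, key_max: int = 0xFF) -> List[Tuple[int, int]]:
    """Return (offset, key) pairs for every place in `buf` where `pattern`
    XOR-encoded with a key in [key_min, key_max] occurs.

    This mirrors the semantics of `xor(min-max)`: the default range 0x00-0xFF
    includes key 0x00, which is the identity, so the unencoded string matches;
    a range starting at 0x01 cannot match the plaintext.
    """
    if not 0x00 <= key_min <= key_max <= 0xFF:
        raise ValueError("key range must satisfy 0x00 <= min <= max <= 0xFF")
    hits: List[Tuple[int, int]] = []
    for key in range(key_min, key_max + 1):
        needle = xor_bytes(pattern, key)
        start = 0
        while True:
            idx = buf.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, key))
            start = idx + 1
    return sorted(hits)


def yara_rule(name: str, text: str,
              key_min: Optional[int] = None, key_max: Optional[int] = None) -> str:
    """Render a one-string rule using the `xor` or `xor(min-max)` syntax."""
    modifier = "xor"
    if key_min is not None and key_max is not None:
        modifier = f"xor(0x{key_min:02X}-0x{key_max:02X})"
    return (f"rule {name} {{\n"
            f"    strings:\n"
            f'        $a = "{text}" {modifier}\n'
            f"    condition:\n"
            f"        $a\n"
            f"}}\n")


# Constructed sample buffer (not a real file): the string in the clear at
# offset 16, and XOR-encoded with the assumed key 0x42 at offset 44.
PATTERN = b"https://isc.sans.edu"
SAMPLE = (b"\x00" * 16 + PATTERN
          + b"\x00" * 8 + xor_bytes(PATTERN, 0x42)
          + b"\xff" * 4)


if __name__ == "__main__":
    print(yara_rule("xor_test", "https://isc.sans.edu", 0x01, 0xFF))
    print("xor            ->", xor_scan(SAMPLE, PATTERN))              # plaintext and key 0x42
    print("xor(0x01-0xFF) ->", xor_scan(SAMPLE, PATTERN, 0x01, 0xFF))  # key 0x42 only
    print("xor(0x40-0x4F) ->", xor_scan(SAMPLE, PATTERN, 0x40, 0x4F))  # key 0x42 only
    print("xor(0x01-0x41) ->", xor_scan(SAMPLE, PATTERN, 0x01, 0x41))  # nothing
```

Running the script shows the default range reporting both the plaintext hit (key 0x00) and the encoded hit (key 0x42), while any range that excludes 0x00 reports only the encoded copy, which is exactly the difference between the two rules above.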

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ALERT: vRealize Automation patch to prevent potential data loss when using bulk import

This post was originally published on this site

VMware Support Alert

Using bulk import, customers can bring unmanaged machines under the management of vRealize Automation. However, if transient issues occur during the import operation, the machine being imported may be destroyed, with resulting data loss.

To guard against such data loss, customers are urged to read the KB article: VMware vRealize Automation 7.0 patch to prevent potential data loss when using bulk import (2144526)

Any updates to this information will be made in the KB article itself.

The post ALERT: vRealize Automation patch to prevent potential data loss when using bulk import appeared first on Support Insider.

ALERT: Linked Clone pool creation and recompose failure


Before upgrading to vSphere 6.0 Update 1, VMware would like everyone to read the following KB article for important information.

Creating and recomposing linked clone desktops fails on Horizon View 6.1.x and all older releases after upgrading to vSphere 6.0 Update 1.

The linked clone desktop appears to be created in vCenter, but it is deleted soon afterwards when vCenter complains about either the “disposable” or the “internal” VMDK file of this desktop.

Versions of Horizon View Composer prior to Horizon 6.2 require SSLv3 to communicate with ESXi hosts, but SSLv3 is disabled on ESXi 6.0 Update 1 hosts. SSLv3 was disabled because of known protocol weaknesses, so plan on a Composer release that no longer depends on it rather than re-enabling SSLv3 on the hosts.

Please read this KB article for further information: Upgrading to vSphere 6 update 1 will cause Linked Clone pool creation and recompose failure with Horizon View 6.1.x and older releases (2133018)

Any updates to this information will be made in the KB article itself.


ALERT: Important information before upgrading to vSphere 6.0 Update 1


Before upgrading your environment to vSphere 6.0 Update 1, VMware would like everyone to read the following KB article for important information.

After installing or upgrading to ESXi 6.0 or 6.0 Update 1, customers’ network connectivity is lost at random, with the following error in vmkernel.log: NETDEV WATCHDOG: vmnic0: transmit timed out. This issue has since been resolved.

Please proceed to KB article: ESXi 6.0 network connectivity is lost with NETDEV WATCHDOG timeouts in the vmkernel.log (2124669)

This issue is resolved in ESXi 6.0 Update 1a, available at VMware Downloads. For more information, see the VMware ESXi 6.0 Update 1a Release Notes.

Any updates to this information will be made in the KB article itself.


ALERT: When removing CPU from VM configuration hard disks and nic are removed


VMware has become aware of a situation in which hard disks and/or NICs may be removed from a virtual machine during reconfigure-VM workflows in vRealize Automation.

We have identified two distinct scenarios in which this can happen and have created two separate KB articles. Please familiarize yourself with both articles so that you can avoid these situations.

  1. When performing reconfigure operations in multiple browser tabs in VMware vRealize Automation, the hard disks and NICs are removed unexpectedly (2124198)
  2. In VMware vRealize Automation, the hard disks are removed unexpectedly when reconfiguring a virtual machine that has RDM disks (2124657)

Any updates to this information will be made in the KB articles themselves. The Additional Information section details how to receive these updates.


ALERT: Support for Leap Seconds in VMware Products


The world’s next leap second adjustment is scheduled for 30 June 2015 at 23:59:60 UTC.

System administrators need to be aware that this may cause issues on NTP-synchronized devices and operating systems. For information on the leap second and its impact on VMware products, please review the KB article:

Support for Leap Seconds in VMware Products (2115818)

Implications of not upgrading your kernel or enabling time skew:

Not all customers will be affected, but those who forgo updating the VMware appliance’s operating system kernel or enabling time skew may observe the following issues:

  1. The kernel (simplistically, the Linux operating system) can hang and require a reboot.
  2. Higher than normal CPU consumption on Linux appliances where JVMs are used. In the vCenter Server Appliance (VCVA), this manifests as high CPU consumption by the ESX Agent Manager (EAM) and other Java-based processes.


ALERT: vSphere Web Client 5.0 fails to load


VMware has become aware of an issue with the vSphere Web Client 5.0 failing to load with the error:

    RSL Error # of 29
    Error 2046

Note: The RSL error number (# out of 29) may differ from one failure to the next.
Note: This issue only impacts the usability of the vSphere Web Client 5.0.

  • This error occurs regardless of the browser or browser version used.
  • It is independent of the Adobe Flash version installed.
  • Setting the system clock back on an affected system may allow the vSphere Web Client to work outside of the vCenter Server for a short amount of time.

For further diagnostic and mitigation information refer to KB article: The vSphere Web Client 5.0 fails to load and displays the error: Error # of 29 2046 with RSL (2116567). Any updates to this information will be made in the KB article itself.
