Category: Antivirus

Remote Access Trojan (RAT)

· Leave a comment ·

What is RAT (Remote Access Trojan)? 

A Remote Access Trojan (RAT) is a type of malware that allows covert surveillance, a backdoor for administrative control and unfettered and unauthorized remote access to a victim’s machine. 

The RAT is extremely dangerous because it enables intruders to get remote control of the compromised computer. 

Once the host system is compromised, the intruder may use it to distribute RATs to other vulnerable computers and establish a botnet.

Because a RAT enables administrative control, it makes it possible for the intruder to do just about anything on the targeted computer, including:

  • Monitoring user behavior through keyloggers or other spyware.
  • Accessing confidential information, such as credit card and social security numbers.
  • Activating a system’s webcam and recording video.
  • Taking screenshots.
  • Distributing viruses and other malware.
  • Formatting drives.
  • Deleting, downloading or altering files and file systems.

What are the most common types of RAT?

• Back Orifice
• SubSeven
• ProRat
• Turkojan
• Poison-Ivy
• Saefko
• CrossRAT
• Beast Trojan
• Blackshades
• Mirage
• DarkComet
• NetBus
• Nuclear RAT

How is the RAT installed on my computer?

RAT is often like other malware infection vectors. Hackers use various techniques to install a RAT on your computer. These techniques and methods are listed below:

  • Users can be tricked to download malicious packages
  • Users can be lured into visiting suspicious web links
  • Crafted email attachments are sent to the target users
  • RAT is delivered using files downloaded through torrents

Threat actors can install RATs either by gaining temporary physical access or via social engineering attacks.

How to detect RATs?

Detecting a Remote Access Trojan is a difficult task because in most cases, they do not show up in the list of running tasks or programs on your computer. Moreover, your system will not be slowed. However, your internet speed will slow down as RAT uses your bandwidth to work. A RAT can infect your computer for several years if it goes unnoticed.

To get out of the RAT nightmare, using malware detection tools and antivirus scans can be helpful. 

How can a RAT be avoided?

There are several tools, techniques and best practices that can be used to avoid a RAT attack. Below is a detailed list of them: 

  • Do not download files from untrusted sources such as pornography sites or freeware software
  • Always avoid opening email attachments from strangers or people you don’t know
  • Do not download games through malicious websites
  • Install antivirus software and keep it patched and up to date
  • Always keep your OS, web browsers and applications up-to-date and apply patches to all of them
  • You should also avoid downloading torrent files if they are from unreliable sources
  • Always lock public computers when they are not in use, and be cautious of telephone calls or emails asking you to install an application
  • It is sometimes difficult to avoid a RAT because the attackers use a binder to link a RAT with legitimate executable programs, which hampers the detector from finding it. Though RATs don’t show up in running processes, using a task manager to look for unfamiliar or unknown processes is a good practice. If there are any strange files running in your task manager, then quickly remove them. If you do not find any strange processes, then search for it on Google to get the answer
  • Sometimes, a RAT is added to Windows startup directories and registry entries so that it can start automatic execution every time you turn on your system. 
  • Another good idea for removing suspicious applications from your computer is to use the “Add or Remove Program” option located in your control panel. If you notice any odd program on your computer, just uninstall it.
  • Since a RAT uses the bandwidth of your internet connection, it will ultimately slow down your internet speed. Therefore, poor internet speed may be an indication of RAT malware. If this is the case, quickly disconnect your internet. Doing so will prevent attackers from taking control of your PC, because RAT only works when the internet connection is active. After disconnecting the internet, you need to use a malware program such as Spy Hunter or Malwarebytes to exterminate a RAT.

10 Best RAT Software Detection Tools

If you like to look at digital attack maps, have a look at this page on Secure Idées which points to sites such as map.httpcs.com.

Remote Access Trojan (RAT)

Source: dnsstuff, Fakhar Imam

How to Stay Protected Against Ransomware

· Leave a comment ·

How to Stay Protected Against Ransomware
                                           How to Stay Protected Against Ransomware

 

To prevent a ransomware attack, experts say IT and information security leaders should do the following:

  1. You can’t protect what you don’t know exists:

Developing an inventory of your assets is crucial. Keep clear inventories of all of your digital assets and their locations, so cyber criminals do not attack a system you are unaware of.

Be in a position to answer the questions instantly like:

  • How many PCs from a particular manufacturer do you have in your environment?
  • Which desktops/laptops are running an operating system that its vendor recently stopped supporting?
  • Which IT assets have a particular piece of software installed?

2. Keep all software up to date, including operating systems and applications:

Updates are important. They are available for both our operating system and individual software programs. Performing these updates will deliver a multitude of revisions to your computer, such as adding new features, removing outdated features, updating drivers, delivering bug fixes, and most importantly, fixing security holes that have been discovered.

3. Use A Supported Operating System:

Just because your old computer is still running doesn’t mean that you’re going to continue to receive updates. Both Apple and Microsoft stop providing updates for older operating systems. For example, Microsoft no longer provides updates for Windows XP, and Apple does not provide updates for early versions of OS X.

If the creator is no longer providing updates for a particular operating system, then that operating system becomes more dangerous every day you continue to use it. If a new vulnerability emerges, an update to remove the vulnerability may never be released. Virus writers know this and use it to their advantage, often preying on computers that are not just behind on a few updates, but computers still running an unsupported operating system.

Therefore, it is important that you are running a maintained operating system, one that is still receiving updates.

4. Use an Antivirus Program:

An evergreen solution to prevent against most threats is to use a good antivirus software from a reputable vendor and always keep it up-to-date.

5. Regular Backup your Files:

Back up all information every day, including information on employee devices, so you can restore encrypted data if attacked. Better safe than sorry.

3-2-1 Backup strategy is good.

3-2-1 strategy means having at least

  • 3 copies of your data
  • 2 local copies on different storage types
  • 1 backup off-site.

6. Segment the company network:

Don’t place all data on one file share accessed by everyone in the company. Separate functional areas with a firewall, e.g., the client and server networks, so systems and services can only be accessed if really necessary.

"Good network segmentation is not going to make it impossible to 
compromise your network, but it does make it more difficult."

        ~ Mat Gangwer, security operations leader, Rook Security Inc.

7. Train and re-train employees in your business:

Your users can be your weakest link if you don’t train them how to avoid booby-trapped documents and malicious emails.  As ransomware is commonly introduced through email attachments and links, arming employees with the knowledge they need to practice secure email and browsing habits can prevent many ransomware attacks from succeeding.

Train employees on how to recognize phishing attacks as well as best practices such as not opening attachments or links in emails from unknown senders, checking link URLs, and never clicking pop-up windows.

Training should be ongoing rather than a single session to ensure that employees keep up with new threats and maintain secure habits.

8. Develop a communication strategy to inform employees if a virus reaches the company network:

The speedy dissemination of information is vital in stopping an attack or the continuance of an attack. It is vital that all users on the network be made aware of an attack or attempted attack to ensure the vigilance of other users on your network. It is likely that other users have also received similar phishing emails and your quick response may prevent further damage.

9. Instruct information security teams to perform penetration testing to find any vulnerabilities:

The Penetration tests must be carried out periodically either by Third party organization specialized in Security Testing or by the specialized internal resource. Periodic assessment of its information assets, network equipment, and applications should be conducted and fixed all gaps found during the assessment.

10. Keep Your Knowledge Up-to-Date:

There’s not a single day that goes without any report on cyber-attacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux, and Mac Computers as well.

So, it’s high time for users of any domain to follow day-to-day happening of the cyber world, which would not only help them to keep their knowledge up-to-date but also prevent against even sophisticated cyber-attacks.

Mitigating an attack:

If your company is hacked with ransomware, you can explore the free ransomware response kit for a suite of tools that can help. Experts also recommend the following to moderate an attack:

  • Remove the infected machines from the network, so the ransomware does not use the machine to spread throughout your network.
  • Launched less than a year ago, the No More Ransom (NMR) project has started as a joint initiative by Europol, the Dutch National Police, Intel Security, and Kaspersky Lab, No More Ransom is an anti-ransomware cross-industry initiative to help ransomware victims recover their data without having to pay ransom to cyber criminals.

The online website not just educates computer users to protect themselves from                  ransomware, but also provides a collection of free decryption tools.

The platform is now available in 14 languages and hosts 40 free decryption tools,           supplied by a range of member organizations, which can be used by users to decrypt their files which have been locked up by given strains of ransomware.

  • Boston-based cyber security firm Cybereason has released RansomFree — a real-time ransomware detection and response software that can spot most strains of Ransomware before it starts encrypting files and alert the user to take action.

    RansomFree is a free standalone product and is compatible with PCs running Windows 7, 8 and 10, as well as Windows Server 2010 R2 and 2008 R2.

Source: The Hacker NewsTech Republicsecurity.illinois.edudigital guardian.comSophosIt.ieCybereason

Petya Ransomware

· Leave a comment ·

The WannaCry ransomware is not dead yet and another large-scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

Researchers found a variant of the Petya ransomware called GoldenEye attacking systems around the world is spreading rapidly with the help of same Windows SMBv1 vulnerability.

Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer.

Additionally, after the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid.

Below given text displays on the screen:

GoldenEye Ransomware
                                                            Petya Ransomware

it is quite surprising that even after knowing about the WannaCry issue for quite a decent amount of time, big corporates and companies have not yet implemented proper security measures to defend against such threat.

Don’t Pay Ransom, You Wouldn’t Get Your Files Back 

Infected users are advised not to pay the ransom because hackers behind Petya ransomware can’t get your emails anymore.

Posteo, the German email provider, has suspended the email address i.e. wowsmith123456@posteo.net, which was behind used by the criminals to communicate with victims after getting the ransom to send the decryption keys.

How to Protect Yourself from Ransomware Attacks

What to do immediately? Go and apply those goddamn patches against EternalBlue (MS17-010) and disable the unsecured, 30-year-old SMBv1 file-sharing protocol on your Windows systems and servers.

Since GoldenEye Ransomware is also taking advantage of WMIC and PSEXEC tools to infect fully patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line).

Kill Switch:

Researcher finds GoldenEye ransomware encrypt systems after rebooting the computer. So if your system is infected with Petya ransomware and it tries to restart, just do not power it back on.

“If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine.” ‏HackerFantastic tweeted. “Use a LiveCD or external machine to recover files”

Petya kill switch
                                                                                            Kill Switch

PT Security, a UK-based cyber security company and Amit Serper from Cybereason, have discovered a Kill-Switch for Petya ransomware. According to a tweet, the company has advised users to create a file i.e. “C:\Windows\perfc” to prevent ransomware infection.

Amit Serper

Create Perfc, Perfc.dat, Perfc.* in “C:\Windows” folder

Erhan

Regular Backup your Files:

To always have a tight grip on all your important documents and files, keep a good backup routine in place that makes their copies to an external storage device which is not always connected to your computer.

That way, if any ransomware infects you, it cannot encrypt your backups.

Moreover, make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date. Most importantly, always browse the Internet safely.

One good thing,  this ransomware is spreading via local network and not so massive like WannaCry.

Source: Tthe Hackernewscnet,

WannaCry Ransomware

· Leave a comment ·

A massive ransomware campaign hit computer systems of hundreds of private companies and public organizations across the globe – which is believed to be the most massive ransomware delivery campaign to date.
The Ransomware in question has been identified as a variant of ransomware known as WannaCry (also known as ‘Wana Decrypt0r,’ ‘WannaCryptor’ or ‘WCRY’).

WannaCry1

What is WannaCry?

Generally, WannaCry comes in two parts. First, it’s an exploit whose purposes are infection and propagation. The second part is an encryptor that is downloaded to a computer after it has been infected.

The first part is the main difference between WannaCry and the majority of encryptors. To infect a computer with a common encryptor, a user has to make a mistake, for example by clicking a suspicious link, allowing Word to run a malicious macro, or downloading a suspicious attachment from an e-mail message. A system can be infected with WannaCry without the user doing anything.

WannaCry-infection-flow02The vulnerability used in this attack (code named EternalBlue) was among those leaked by the Shadow Brokers group. The vulnerability was exploited to drop a file on the vulnerable system, which would then be executed as a service. This would then drop the actual ransomware file onto the affected system, encrypting files with the .WNCRY extension. (A separate component file for displaying the ransom note would also be dropped.) Files with a total of 176 extensions, including those commonly used by Microsoft Office, databases, file archives, multimedia files, and various programming languages.

PropagationIf WannaCry/Wcry entered an organization’s network, it could spread within it very rapidly. Any machine or network that has exposed port 445 to the internet is at risk as well. EternalBlue exploit works over the Internet without requiring any user interaction.

How widespread is the damage?

The attack has been found in 150 countries, affecting 200,000 computers, according to Europol, the European law enforcement agency. FedEx, Nissan, and the United Kingdom’s National Health Service were among the victims.

What is the killswitch?

The worm-spreading part of the WannaCry – which is designed to infect other computers — has a special check at the beginning. It tries to connect to a hardcoded website on the Internet and if the connection FAILS, it continues with the attack. If the connection WORKS, it exits. Thus, by registering this domain and pointing it to a sinkhole server, a researcher from the U.K. successfully slowed the spread of the worm.

wannacry_cyberexpert_ap
British IT expert Marcus Hutchins who has been branded a hero for slowing down the WannaCry global cyber-attack sits in front of his workstation during an interview in Ilfracombe, England, Monday, May 15, 2017. ( Image source: AP)

On the one hand, it does stop further spread of the infection. However, only if the worm is able to connect to the Internet. Many corporate networks have firewalls blocking internet connections unless a proxy is used. For these, the worm will continue to spread in the local network. On the other hand, there is nothing stopping the attackers from releasing a new variant that does not implement a killswitch.

Killswitch Domain

The second domain was sinkholed by Matt Suiche of Comae Technologies, who reported stopping about 10,000 infections from spreading further:

We should thank below given people for saving millions of computers from getting hacked:

  • MalwareTech— very skilled 22-years-old malware hunter (Marcus Hutchins) who first discovered that here’s a kill-switch, which if used could stop ongoing ransomware attack.
  • Matthieu Suiche— security researcher who discovered the second kill-switch domain in a WannaCry variant and prevent nearly 10,000 computers from getting hacked.
  • Costin Raiu— security researcher from Kaspersky Lab, who first found out that there are more WannaCry variants in the wild, created by different hacking groups, with no kill-switch ability.

Not only this, Benjamin DelpyMohamed Saherx0rzMalwarebytesMalwareUnicorn, and many others.

Multiple security researchers have claimed that there are more samples of WannaCry out there, with different ‘kill-switch’ domains and without any kill-switch function, continuing to infect unpatched computers worldwide.

How to Protect Yourself from WannaCry Ransomware?

Here are some simple tips you should always follow because most computer viruses make their ways into your systems due to lack of simple security practices:

1. Always Install Security Updates

If you are using any version of Windows, except Windows 10, with SMB protocol enabled, make sure your computer should always receive updates automatically from the Microsoft, and it’s up-to-date always.

2. Patch SMB (Server Message Block) Vulnerability

Since WannaCry has been exploiting a critical SMB remote code execution vulnerability (CVE-2017-0148) for which Microsoft has already released a patch (MS17-010) in the month of March, you are advised to ensure your system has installed those patches.

Moreover, Microsoft has been very generous to its users in this difficult time that the company has even released the SMB patches (download from here) for its unsupported versions of Windows as well, including Windows XP, Vista, 8, Server 2003 and 2008.

Note: If you are using Windows 10, you are not vulnerable to SMB vulnerability.

3. Disable SMB

Even if you have installed the patches, you are advised to disable Server Message Block version 1 (SMBv1) protocol, which is enabled by default on Windows, to prevent against WannaCry ransomware attacks.

Here’s the list of simple steps you can follow to disable SMBv1:

  1. Go to Windows’ Control Panel and open ‘Programs.’
  2. Open ‘Features’ under Programs and click ‘Turn Windows Features on and off.’
  3. Now, scroll down to find ‘SMB 1.0/CIFS File Sharing Support’ and uncheck it.
  4. Then click OK, close the control Panel, and restart the computer.

4. Enable Firewall & Block SMB Ports

Always keep your firewall enabled, and if you need to keep SMBv1 enabled, then just modify your firewall configurations to block access to SMB ports over the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.

5. Use an Antivirus Program

An evergreen solution to prevent against most threats is to use a good antivirus software from a reputable vendor and always keep it up-to-date.

Almost all antivirus vendors have already added detection capability to block WannaCry, as well as to prevent the secret installations from malicious applications in the background.

6. Be Suspicious of Emails, Websites, and Apps

Unlike WannaCry, most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.

So, you should always exercise caution when opening uninvited documents sent over an email and clicking on links inside those documents unless verifying the source to safeguard against such ransomware infection.

Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.

7. Regular Backup your Files:

To always have a tight grip on all your important documents and files, keep a good backup routine in place that makes their copies to an external storage device which is not always connected to your computer.

That way, if any ransomware infects you, it cannot encrypt your backups.

8. Keep Your Knowledge Up-to-Date

There’s not a single day that goes without any report on cyber-attacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux and Mac Computers as well.

So, it’s high time for users of any domain to follow day-to-day happening of the cyber world, which would not only help them to keep their knowledge up-to-date but also prevent against even sophisticated cyber-attacks.

What to do if WannaCry infects you?

Well, nothing.

If WannaCry ransomware has infected you, you can’t decrypt your files until you pay a ransom money to the hackers and get a secret key to unlock your file.

Never Pay the Ransom:

It’s up to the affected organizations and individuals to decide whether or not to pay the ransom, depending upon the importance of their files locked by the ransomware.

But before making any final decision, just keep in mind: there’s no guarantee that even after paying the ransom, you would regain control of your files.

Moreover, paying ransom also encourages cyber criminals to come up with similar threats and extort money from the larger audience.

So, sure shot advice to all users is — Don’t Pay the Ransom.

“Given the high profile of the original attack, it’s going to be no surprise at all to see copycat attacks from others, and perhaps other attempts to infect even more computers from the original WannaCry gang. The message is simple: Patch your computers, harden your defences, run a decent anti-virus, and – for goodness sake – ensure that you have secure backups.” Cyber security expert Graham Cluley told The Hacker News.

Source: thehackernews, indianexpresskaspersky,  securelisttrendmicro, Microsoft

Ransomware

· Leave a comment ·

Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files.

There are two types of ransomware in circulation:

Encrypting ransomware, which incorporates advanced encryption algorithms. It’s designed to block system files and demand payment to provide the victim with the key that can decrypt the blocked content. Examples include CryptoLockerLockyCrytpoWall and more.

Locker ransomware, which locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer.

Examples include the police-themed ransomware or Winlocker.

Ransomware Statistics 2016 [Infographic]

Ransomware-Statistics-2016

Source: armadacloud, Trendmicro

McAfee Agent cannot be removed while it is in managed mode

· 30 Comments ·

Problem: The following message displays when select Remove for the McAfee Agent through Add \ Remove Programs or Programs and Features on client computers:

McAfee Agent cannot be removed while it is in managed mode”



Solution:

The computer must be removed from Managed Mode

  1. Steps:
    1-     Open Command Prompt
    2- Go to the folder” C:\Program Files (x86)\McAfee\Common Framework” on X64 systems,” C:\Program Files\McAfee\Common Framework” on X86 systems
    3- Type “frminst.exe /forceuninstall” and press enter.     command without quotes


 source: McAfee

Share the Love, Not the Info (Love, Relationships & Technology)

· Leave a comment ·

Love, Relationships & Technology: 

A study by McAfee shows a number of adults sharing private details about their lives, including those of an intimate nature, such as nude photos and sexts—all of this on unsecured digital devices. In a McAfee survey, which asked more than 9,000 adults worldwide, between the ages of 18-54, about their private data sharing habits and online behavior when it comes to matters of the heart.

27% still don’t secure their mobile devices with a basic personal identification number (PIN) or passcode. And 38% have shared PIN or passcode with others. This puts you at risk for cyber stalking, identity theft and leakage of their intimate data.

Love, Relationships & Technology
Love, Relationships & Technology

Bad technology habits are on the rise worldwide, but people are still not taking the steps to protect their information from prying eyes and angry exes.

Think twice before sharing private data, including intimate texts, passwords, photos and more. If you‘re not careful about what you share, it could land in the wrong hands.

Keep Your Personal Info Safe by Following These Simple Tips:

Lock Your Lips. Do not share passwords with anyone.

Lock Your Devices. Use password protection on your phone and other mobile devices.

Love the Delete Button. Take the time to delete personal or intimate text messages, emails and photos on your phone.

Share the Love, Not the Info. Once you share private information with those you love, that data is out of your hands, and out of your control.

Men are more likely to protect their devices than women.

Avoid bad buzz and keep your private life private.

LRT2014_Infographic-Global-FNL

The Futures Company and MSI conducted surveys in the US, UK, Australia, 
Canada, Germany, France, Spain, Italy, The Netherlands, Japan, Mexico, 
China, India, Singapore and Brazil among 9,337 men and women, 
ages 18 to 54. The survey was conducted in December 2013 – January 2014.

 Source: McAfee

McAfee ePO not allowing administrator login after password change

· 2 Comments ·
In our organization, McAfee ePO server has been running fine until a couple of days ago. We’ve experienced a turnover in IT personnel and I have been changing different administrator names\passwords as part of security practice. After required changes done, restarted all the servers. Everything was fine except McAfee ePO web portal; I was not able to login.

It’s throwing below given errors:

DataChannel – Dependency scheduler had initialization error

LYNXSHLD1510 – dependency EPOCore had initialization error

AvertAlerts – Dependency scheduler had initialization error

Image- 1
Image- 1

All the errors were initialization errors.

SOLUTION:

Check the SQL DB connectivity with McAfee ePO; open your browser and type https://ServerName:8443/core/config

Log on with ePO credentials. (See Image-2)

epo-1
Image- 2

Type new user name and passwords, click “Test Connection”

Click Apply, if the test is successful.

Restart your ePO server, that’s it.

 Happy computing!!

Source: McAfee

McAfee ePO SQL credentials lost

· 2 Comments ·

McAfee ePO SQL credentials lost:

While I was searching for the solution what if I lost McAfee ePO admin password and there were no additional accounts configured, some of the blogs on the internet mentioned that go to https://ServerName:8443/core/config and reset the ‘Admin’ password. This is not the correct solution to reset the ‘Admin’ password.

https://ServerName:8443/core/config is useful to reset the SQL credentials for connecting McAfee ePO 4.x and 5.x to the database. 

Step- by-step procedure to reset the SQL credentials:

Open a web browser and go to https://localhost:8443/core/config-auth
(Where 8443 is the port for the console communication) (see Image-1)

Image- 1
Image- 1

Log on with ePO credentials. ( See Image-2)

Image- 2
Image- 2

Type ‘sa’ in the User name field. Click on the change password.

For a minute minimize this window and go startà All Programs à MS SQL Server 2008R2 àclick on SQL Server Management Studio, below is shown window will appear ( see Image-3)

Authentication, select ‘Windows Authentication’, click Connect

Image-3
Image-3

Expand SecurityLogins and double-click the ‘sa’ account (or) right click on ‘sa’ click on ‘Properties (see Image-4)

Image-4
Image-4

Type and confirm a password in the General tab under Login name section. 

Click on ‘OK’

Open McAfee ePO web console window (see Image-2)

Type ‘sa’ in the User name field. Click on the change password.

Type the password for ‘sa’ account into the User password and Confirm password fields.

Click Test Connection.

Click Apply, if the test is successful.

Below is shown window will open (see Image-5), restart the McAfee ePO server.

Image- 5
Image- 5

That’s it.

 Happy computing!!

 IMPORTANT: Please follow the same sequence above mentioned. After changing the SQL password if you try to open the ePO web console https://ServerName:8443/core/config it won’t open at all. Even though if you lost the SQL password, still you can open the McAfee web console https://ServerName:8443/core/config, then follow the steps in same sequence.

Source: McAfee

McAfee ePO Admin password lost

· 12 Comments ·

McAfee ePO Admin password lost:  

Some time ago I started attending trainings and discussions with industry experts, on McAfee ePO and started learning many things from them. During these sessions I came across some issues with McAfee 4.x and 5.x installation. I have uploaded solutions to some of these issues on my blog, please refer the following link:

https://lakkireddymadhu.wordpress.com/2014/01/16/mcafee-epo-installation-errors/

          One fine morning all of sudden I got a doubt, what if I lost McAfee ePO admin password and there were no additional accounts configured. I opened my laptop and started Googling for the solution. There were more blogs describing this issue, but none had a satisfied solution. After a rigorous search on the Internet, I found two good and easy solutions.

Solution–1: 

We believe that only one account, i.e. Admin account, is configured in McAfee ePO. But by default one more account exists in the McAfee ePO User Management, named system. This account is disabled by default. User ‘system’ account has administrative rights (see the Image-1).

Image- 1
Image- 1

This user (system) is by default non-editable through the web console (see the Image2)

Image- 2
Image- 2

We have to enable the user ‘system’ through MS SQL.

Go to start –> All Programs –> MS SQL Server 2008R2 –> click on SQL Server Management Studio, expand Databases -> expand ePO Database –> expand Tables –>go to dbo.OrionUsers –> right click on dbo.OrionUsers –>click on Edit Top 200 Rows.One window will open on the right side (see the Image-3)

Image- 3
Image- 3

Under the OrionUsers Table –>following changes will need to be done for the user ‘System’

Under Disabled –> default setting will be True, change it to False  (click enter)

Under Interactive –>default setting will be False, change it to True  (click enter)

Minimize the SQL window and Open the McAfee ePO web console and type username: system, Password:system

It will allow you to login. Click on MenuàUnder User Management –>click on Users –>Admin –>Rightside down click on Actions –>click on Edit (see the Image-4& Image -5)

Image- 4
Image- 4

Image- 5
Image- 5

Click on Change Authentication or Credential

Type Password and confirm Password and save (see the Image-6)

Image- 6
Image- 6

Log off and Login with Admin credentials. That’s it.

Now Open SQL and make the same changes in OrionUsers Table (Exactly as shown in the Image-7)

Image- 7
Image- 7

Under Disabled –>change it to True  (click enter)

Under Interactive –> change it to False  (click enter)

Solution–2:

In solution 1, enabling of the user system’ account through MS SQL resets Admin the Password.

In Solution -2, we will create a new account with Administrative rights using MS SQL and through new account  will reset the Admin password.

Go to start –> All Programs –> MS SQL Server 2008R2 –>click on SQL Server Management Studio, expand Databases –> Click on ePO Database –> open a New Query, run the following query and execute

INSERT INTO [dbo].[OrionUsers]

(Name, AuthURI, Admin, Disabled, Visible, Interactive, Removable, Editable)
VALUES (‘epoadmin‘,’auth:pwd?pwd=7LTSeirrzM8EjqttaozV4cSiPGQWi8w3′,1,0,1,1,1,1)

It will create a new user epoadmin, with the password: epoadmin

Open the McAfee ePO web console with username and password epoadmin

It will allow you to login.Click on Menu –>Under User Management –>click on Users –> Admin –> Rightside down click on Actions –> click on Edit and reset the Admin Password

Log off and Login with Admin credentials. That’s it.

NOTE: Use the above solutions when you don’t have any other option. Be sure you have got the required skills to modify SQL serverYou can break your ePO server if you don’t know what you are doing. Don’t   hold me responsible for your actions; think before you act and always make sure you have a backup 🙂

IMPORTANT: McAfee recommends that you implement account and password management policies such as:

  • Maintaining a backup administrator account
  • Creating individual accounts for each administrator
  • Adhering to corporate requirements for accounts and passwords

Happy computing!!

Source: thegid, cupfighter, McAfee