Archive for December, 2010

Microsoft didn’t kill

Friday, December 17th, 2010

You may have read my post from yesterday about how was dead in the water for 4-5 hours yesterday.  I was instantly suspicious of Microsoft and their patches as being the root cause of the problem.  I mean it had to be Microsofts fault because patches had just been applied to the box and it had been rebooted right!!!  WRONG.

It just goes to show that you can’t always jump to conclusions.  I find often when troubleshooting a problem with others, that they get cemented into a one track thought process too early on in the investigation.  once they have an idea in mind, the close their thoughts to anything else.  They often throw all other logic out the door in the thought that they are on the right path.  This is in fact VERY dangerous. 

When troubleshooting a problem – ALWAYS remember the basics…

  1. When did it last work? For me – it was last working before the reboot – NOT before the Microsoft patches – and that’s a fine line but you need to be clear about it.  The server WAS working fine up until the last reboot.  The reboot was a side effect of the Microsoft patches.
  2. What has changed? For me the things I KNEW had changed was, the Microsoft patches had been applied, a reboot had occurred and the website was not working.
  3. What do the log files say? I firstly reviewed Windows System log for any clues there – and there were none.  I then reviewed the Windows Application log – there were a few IIS related errors but nothing seemed to be “serious” enough to cause the site to be down.
  4. What is still working?  Break the problem down into smaller chunks to prove / disprove things.  For me – I have a few websites on this server – some are straight HTML sites and others are PHP sites.  Placed a very basic “Hello world” HTML file inside and tested it – it worked just fine.  That suggested to me that the issue was then related not to IIS as all other IIS sites on the server were working, but to something else linked to  And that lead me to look at PHP.  I placed a basic PHP file in the and that worked too.  I then decided I needed to look further into PHP and went searching for it’s error logs.  I found they were located in the c:\windows\temp folder and that led me to finding the huge number of session files.  I pondered if this was part of the problem and decided to delete them as based on my digging on the web it was not going to hurt it.

Anyway – that’s how my brain worked through this problem – I hope it helps someone else think through their problems when they strike an issue.  Thanks go out to Radek at VMVault – he restored my server to their DR environment that allowed me to later review this problem and prove it was not the Microsoft patches that caused it – the backup was taken BEFORE the patches were applied – one more reason to do good backups.

Tags: , ,
Posted in Blog | No Comments » Website Down – here’s why

Thursday, December 16th, 2010

I awoke this morning to find that was in fact dead in the water.  I logged onto the server console and found it had rebooted after last nights Microsoft patches.  Oh great I thought – something is messed up with the patches.

I reviewed the list of patches and could not see anything that would make it fail like this.  None of the patches looked like they affected IIS in any way. I dug further – on this webserver I have both WordPress sites and normal IIS sites.  The normal IIS sites were showing up just fine, it was only affecting the PHP sites on this server.

I reviewed the list of patches applied in last nights patch list and got the following.


None of these seem to be able to cause problems with my server at all.  I figured however given it’s been working fine that ONE of them MUST be the culprit.  I decided to remove the 2305420 patch first – this one updates task scheduler and the thought was that maybe something there is messed up with it.

After a reboot – all still dead Sad smile  I really don’t have time for this – so I removed ALL last nights patches and rebooted again.

After the 2nd reboot – it’s still dead… really not good Sad smile

My hosting provider VMVault also had contacted me as they noticed my website was off the air – their monitoring systems were the thing that actually alerted me to the fact that there were problems in the first place.  Radek from VMVault advised that last nights backup was good and based on my desire to get this running quickly he has started to restore it into an alternate VM so that I can see what I need to do to make this work.

I did some more digging and went looking for my PHP_Error log file – it’s located in the C:\Windows\Temp folder.  When I went to open the folder, the Explorer windows locked up and became non responsive.  Strange I thought – I went to grab my morning cup of tea and when I came back it was now responsive.  There were load of temporary files there may beginning with sess_. Most were 0KB in length but others were larger.  I counted over 750,000 of these before I stopped counting.  I wondered if the large number of files was slowing down PHP in some way and therefore making it time out.  So I used an elevated command prompt and deleted sess_*.*  After over two hours, it was still going with the deletion of the files. 



Somewhere along the way however the websites started responding again…

It looks to me as if the large number of files in the temp folder was causing PHP to die badly and that it was not related to the Microsoft patches at all, but rather the reboot that occurred afterwards.

Tags: ,
Posted in Blog | 3 Comments »

SBS 2011 Releases to Manufacturing

Tuesday, December 14th, 2010

Today Microsoft finalised and released the code for SBS 2011 Standard and the SBS 2011 Premium Addon.  They announced it here.

So over the next few weeks the actual code will be made available to the rest of us via the various channels.  I’ll expect to see it on MSDN/TechNet early in the new year and available via the channel probably around the same time.  This will be your chance as a reseller to grab the final code and install it in your own environments.  You will want to become familiar with this before you head on out and deploy it for clients for real.  There are a number of changes around things like Exchange 2010 that are worthy of note.

I’ll be posting more on this over the coming weeks once I get my hands on the final RTM code.  For now – congratulations to Microsoft for getting this out the door.

Tags: , , , ,
Posted in Blog | No Comments »

How do I get past the “Malicious Website Blocked” in Trend WFBS 7.0?

Saturday, December 11th, 2010

The Trend WFBS product has had the ability for some time now to perform scanning of web traffic and it compares the destination URLs you are attempting to access to both a local database on the WFBS Security Server and also a global database that Trend maintains for it’s Web Reputation Services.  The WEBS database is one of the key ways that Trend can block access to malicious websites and therefore stem the infection rate of malware before they even have defined a pattern file for it.

Occasionally however valid URLs get into the WEBS database that might stop us from accessing valid websites.  Now you can notify Trend about these and they will re-evaluate the site to ensure there is no malware present and then reclassify that URL so that future access to the site is not blocked.  This like many things takes time. How can you get past the Malicious Website Blocked message in the meantime is the purpose of this FAQ.

1. Firstly you must capture the URL of the website you are trying to access.  Below you can see that tis is trying to stop access to  – so that is the URL you want to provide an exclusion for.


2. Login to the WFBS Security Console via the web page.  Navigate to the Preferences tab and select the Global Settings option from the menu. 

3. Then select the Desktop / Server sub-tab as below.


4. Scroll down the list until you get to the Web Reputation section. Type in the URL you wish to add to the Global Exceptions list and select the Add button.  This will add this URL to the Global Exceptions for ALL users in your environment.


5. Scroll down the screen and click save.

6. On the Client Security Agent on the desktop computer, right click the icon and select “Update Now”.  This will force update the client to the WFBS Security Servers settings.

You should now be able to refresh the Internet Explorer window on the client and access the website that was blocked before.


You can also read about my experience with the upgrade process here and sign up for the newsletter.  I’ll be releasing a WFBS v7.0 Visual Guide in the coming weeks and the newsletter is the way I’ll announce it before on the blog – so watch out for a special offer.

Tags: , , ,
Posted in FAQs | 34 Comments »

Trend WFBS 7.0 – build 1369 or 1370?

Friday, December 10th, 2010

I posted yesterday about a patch for WFBS 7.0 that brought it up to 1370 level.  What I found shortly after applying the patch was that in the Trend WFBS Security console it reported not as build 1370, but as build 1369.  See below.



Initially I was concerned that this meant that the patches supplied were incomplete, but I contacted Trend and discussed this with the Global Product Manager Melody Liu and she explained to me that it was something funky to do with the way Trend displayed the build number when they rolled up this latest group of patches into the 1370 release.  You see the most recent patch in the 1370 build was 1369 – therefore it was including that patch.  Build 1370 itself was the combination of ALL the patches before it.  Confused?  Sure – I was and Melody agreed.  As a result today, Trend have re-released the patch and the version you can download now will ensure the display shows as build 1370.


Anyway – the point is – if you have already applied the Build 1370 patch and your console shows 1369 – it’s totally fine to leave it as is.  If however you want it to display as 1370 then go ahead and download the later update.  No big issue either way as it’s JUST a display issue.


You can also read about my experience with the upgrade process here and sign up for the newsletter.  I’ll be releasing a WFBS v7.0 Visual Guide in the coming weeks and the newsletter is the way I’ll announce it before on the blog – so watch out for a special offer.

Tags: , , ,
Posted in Blog | No Comments »

How to access Windows Activation Server through ISA or TMG Firewalls

Friday, December 10th, 2010

Today I had to create a rule in ISA/TMG for a client to allow any computer to get out to the Windows Activation Servers without the user being given access to other websites.  It was pretty simple but I thought I’d share with you all.

Basically all the rule has to do is to allow HTTP and HTTPS protocols out from All Protected Networks to (this is a referrer server that MS use to direct it to another country/locality based activation server) and create both a Domain Name Set and a URL set for *  I could have gone more precise with the * but that might then break things in future if the activation servers change based on the referral server.

The rule looks like this.


Build the rule, apply it – wait a few minutes for TMG’s configuration to sync with the TMG Configuration Database and you should be good Smile

Tags: , , , ,
Posted in FAQs | 2 Comments »

Trend WFBS 7.0 – Patch 1370 Now Available

Thursday, December 9th, 2010

Trend have yesterday released an update to their patches for WFBS 7.0.  This most recent patch includes everything that was in Patch 1357 as well as additional hotfixes.

How did I know about the patch?  Easy – my WFBS Security Console showed me when I logged into it this morning.  It’s a new feature in WFBS 7.0 that does this.


Patch 1370 fixes a number of key issues that people have seen since the release of WFBS just over a month ago.  Key things include…

  1. Users may receive the ESENT Event ID 490 notification in the Application Event Log after installing the Security Agent. (Critical Patch 1357, hot fix 1360)
  2. Users may experience performance issues when saving Microsoft(TM) Office(TM) files to a shared network drive on a 64-bit server. (Critical Patch 1357)
  3. The performance of some Worry-Free Business Security 7.0 servers may slow down after a few weeks. (Critical Patch 1357, 1347)
  4. Users may experience high CPU resource issues when logging onto Worry-Free Business Security (WFBS) 7.0. (hot fix 1359, 1362)
  5. Users may experience performance issues when processing Microsoft Office files. (hot fix 1361)
  6. If multiple users log on to the same server and one of them opens the Security Agent UI, the client UI will open for the other users too. (Hot Fix 1362)
  7. Users may experience product update issues such as: delays, updating earlier than scheduled, clients that will not update. (Hot Fix 1365)
  8. Users might experience send/relay email issues when sending email from the email server. (hot fix 1366)
  9. Users may experience the following network drive issues: 1) network drive disconnects or maps to different folders 2) remote applications unable to launch after upgrading from previous versions. (Hot Fix 1369)
  10. WFBS 7.0 does not merge the MSA configuration HTTPS advisory from version 6.0 SP3.

The issues I highlighted in BOLD above are key issues that quite a few people in the community have seen.  I however have not seen them which makes me wonder what I do differently from the rest of you all Smile

You can download the patch direct from Trend here

Now there’s been a bit of outcry in the community over the problems that Trend has had over the last few weeks since releasing WFSB 7.0.  Many of the issues covered in this latest patch simply were not seen during the beta process and therefore could not have been predicted or fixed before releasing the product.  I’ve heard of resellers who decided to upgrade 10 of their clients network environments to WFBS 7.0 without even running this in house first.  I’m sorry but that’s irresponsible.  When a new product is released there WILL BE PROBLEMS.  There is ALWAYS the chance that things we do out here are not seen in the vendors testing environment.  Such has been the case here.  My strategy for rollout of a new product is firstly to get involved in the beta test cycles where possible.  Sure we all don’t have time to do it, but if we consider this part of servicing our customers correctly vs playing with toys, then we can find time.  Secondly when a new product is released, run it on your own servers first for a while.  Then and only then deploy it to a SMALL NUMBER of client sites (ie 2 or 3) to see how it performs and what problems you might have.  After those 2 or 3 sites work ok, then look to deploy it to 10-15 sites and again leave it a short while before then deploying it to the rest of your clients.  A strategy like this can limit your exposure to problems and help figure out any “specific” things that you might be doing differently to everyone else.


You can also read about my experience with the upgrade process here and sign up for the newsletter.  I’ll be releasing a WFBS v7.0 Visual Guide in the coming weeks and the newsletter is the way I’ll announce it before on the blog – so watch out for a special offer.

Tags: , , , ,
Posted in Blog | 6 Comments »

Cleaning up WSUS Failed Upgrade on SBS 2008

Thursday, December 9th, 2010

My post yesterday was about an issue a friend had with their SBS 2008 server.  Basically I was unsure as to how the suscomp.dll got removed from the server at all and why it totally broke all their websites on their SBS 2008 server.  It turns out that the system tried to install WSUS 3.0 Service Pack 2 (SP2) and as part of that process it removes WSUS 3.0 SP1 and the associated suscomp.dll file.

So how do you go about fixing this problem?  Fortunately for me, Microsoft have written this repair guide that allows you to at least get WSUS 3.0 SP1 back into operation without too much pain.  I followed the step here to get WSUS 3.0 SP1 installed again.  I had to do this last year on my own server when WSUS 3.0 SP2 failed too, but I never did get around to figuring out what went wrong.  Anyway – I used the Microsoft process but could not use restore the WSUS Database as there was no backup.  Followed the Microsoft Guide to get it working though.

I then proceeded to manually download WSUS 3.0 SP2 so that I could install it interactively.  This gives me the best chance of seeing just what went wrong and fixing it.  The install process ran fine all the way through to the end.  No errors… grr.  I checked the SBS Remote Web Workplace website and OWA and all works fine.  More grrr…  Oh well – it’s working now.  I would have liked to see what caused the problem but I’ve got no idea Sad smile

Tags: , , , , ,
Posted in Blog | 22 Comments »

HTTP Error 500.19 on SBS 2008

Wednesday, December 8th, 2010

Today I was investigating problems with a friends SBS 2008 server.  It suddenly had decided to give a HTTP Error 500.19 – Internal Server Error to every single website on it including Remote Web Workplace, OWA and even Sharepoint was dead.  Given that all these apps were dead, I even tried to access the iisstart.htm page that is installed by default on the default website – not even that worked as you can see in the screenshot below.  Something was really broken on this server.


After asking all my SBS MVP buddies and not getting a solution, I turned to the place of all knowledge… the SBS CSS team in Las Colinas, Texas.  Damian from the team responded quickly and suggested “either the Application pools set to 32-bit True or missing suscomp.dll from \windows\system32\inetsrv”.

I checked the SBS Application Pool under IIS Manager and the “Enable 32-bit applications” was set to False – that meant that these app pools were “normal”



I next checked out the \windows\system32\inetsrv folder and sure enough suscomp.dll was missing.  I then copied it from another SBS 2008 server and did an IISRESET to restart IIS and everything works once more.  Thanks Damian!

Now the quandry… what has happened on this server so that the suscomp.dll is missing… that’s the next thing I need to figure out.

UPDATE Dec 9th – I found the source of the problem – documented here

Tags: , ,
Posted in Blog | 39 Comments »

Trend WFBS 7.0 Patch Update – New Features

Monday, December 6th, 2010

One of my biggest criticisms of Trend Micro in their WFBS product has been the lack of real notification that patches are available for their products.  This is pretty important as you want to know of issues as soon as you can so that you can decide if you wish to take action on it or not.  Well in WFBS 7.0, they’ve got a new feature that goes some way towards solving the problems.  I’ve known this feature existed in WFBS 7.0 but until Trend released their first update, I was not able to grab screenshots of it.  Now when Trend release a security update for WFBS 7.0 it will display in the WFBS Security Console that the update is available as you can see in the screen shot below.


Once you know an update is available, the click here to download link takes you directly to Trends site so you can download the update and install it on your server.  Below you can see the version of my WFBS console and the build number (1343 is the Release code for WFBS 7.0).


After the update, you can see I’m now at build 1357 which includes this installation patch that Trend alerted me to in the console above.



What’s missing from this solution at the moment is email based notification from the console that the patch is available.  I’d also like to see an automatic setting that would allow me to decide for the Trend WFBS console to apply the patch immediately, or either 1/3/7/30 days after release so that I can automatically set it and forget it.  I’m hoping that Trend engineers are reading this and can incorporate those features into a service pack for WFBS 7.0 in the future Smile

Tags: , , ,
Posted in Blog | 2 Comments »