“Zara 2018” .bip extension ransomware attack

I need a solution

Hello – our company was just hit by a “zara 2018” .bip extension ransomware. We have Symantec Endpoint 14 installed on all of our Windows 7, 8 and 10 clients, as well as our 2008 R2 servers. A Windows 7 client was the host of the ransomware, and it went from share to share. Our servers have Symantec Endpoint 14 installed on them as well. Our Symantec server did not notify me of the activity, and it is not recorded in any log file. The way it was identified was by the user who came in and logged onto his computer, and found the message that all his files were encrypted. Can anyone tell me why Symantec Endpoint did not detect this intrusion? It also appears that it was before hours, so no one had been onsite or on the infected client system to initiate the attack via email or any other route that we can see. I am very concerned and am doubting whether Symantec will catch the next intrusion. Any advice/input would be greatly appreciated – thanks.


Re: NDMP-Backup Error >> Failed to propagate handle; TimeOut after inactive

Hello Community,

After switching to a new backup server and a platform change from Linux to Windows, we get errors in certain processes when backing up NDMP file systems.

suppressed 138 bytes of output.

.144324:nsrndmp_save: Adding attribute *policy workflow name = eNAS-VDM-016

.144324:nsrndmp_save: Adding attribute *policy action name = backup

.06/18/18 07:52:22.821430 NDMP Service Debug: The process id for NDMP service is 0x5a670b0

42909:nsrndmp_save: Performing DAR Backup..

83320:nsrndmp_save: Performing incremental backup, BASE_DATE = 44478769945

42794:nsrndmp_save: Performing backup to Non-NDMP type of device

174908:nsrdsa_save: Saving the backup data in the pool ‘dd3 enas’.

175019:nsrdsa_save: Received the media management binding information on the host ‘bkpmgmnt01.sis.net’.

174910:nsrdsa_save: Connected to the nsrmmd process on the host ‘bkpmgmnt01.sis.net’.

175295:nsrdsa_save: Successfully connected to the Data Domain device.

129292:nsrdsa_save: Successfully established Client direct save session for save-set ID ‘2854701209’ (eNAS1-DM-01:/root_vdm_9/VDM-16_fs2) with Data Domain volume ‘enas_001’.

42658:nsrdsa_save: DSA savetime = 1529301142

85183:nsrndmp_save: DSA is listening for an NDMP data connection on: 10.109.130.100, port = 8912

42952:nsrndmp_save: eNAS1-DM-01:/root_vdm_9/VDM-16_fs2 NDMP save running on ‘bkpmgmnt01.sis.net’

84118:nsrndmp_save: Failed to propagate handle 0000000000000000 to C:\Program Files\EMC NetWorker\nsr\bin\nsrndmp_2fh.exe child process: Das Handle ist ungültig. (Win32 error 0x6)

84118:nsrndmp_save: Failed to propagate handle 0000000000000000 to C:\Program Files\EMC NetWorker\nsr\bin\nsrndmp_2fh.exe child process: Das Handle ist ungültig. (Win32 error 0x6)

accept connection: accepted a connection

42953:nsrdsa_save: Performing Non-Immediate save

42923:nsrndmp_save: NDMP Service Error: Medium error

42923:nsrndmp_save: NDMP Service Warning: Write failed on archive volume 1

42617:nsrndmp_save: NDMP Service Log: server_archive: emctar vol 1, 93 files, 0 bytes read, 327680 bytes written

42738:nsrndmp_save: Data server halted: Error during the backup.

7136:nsrndmp_save: (interrupted), exiting

— Job Indications —

Termination request was sent to job 576172 as requested; Reason given: Inactive

eNAS1-DM-01:/root_vdm_9/VDM-16_fs2: retried 1 times.

eNAS1-DM-01:/root_vdm_9/VDM-16_fs2 aborted, inactivity timeout has been reached.



Strangely, these messages do not occur on all file systems, but rather randomly.

Does anyone know this error message and where the problem lies? The evaluation of the Celerra logs has so far revealed nothing.

Best Regards,

Cykes


VBA: Restore from secondary site fails during resurrect: nsrclone ‘Unable to query RAP database for clone pool resource’

Article Number: 487023 Article Version: 3 Article Type: Break Fix



NetWorker 8.2.3,NetWorker Family

With an 8.2.3.x NetWorker server, the VBA restore-across-secondary-site feature fails to resurrect backups. The clone command it calls fails, with no indication in the GUI.

The daemon.raw on the NetWorker server shows the error message:

155503:nsrclone: Unable to query RAP database for clone pool resource: No NSR pool resource found with name '' 

During the VBA resurrect process (also known as restore across sites), nsrclone is called with two parameters: -L (VBA) and -S (SSID). Here is an example of the called command on a v8.2.3 server (the result is the error shown above):

nsrclone -L vba-name.domain.local -S dc168af0-00000006-228bf9f9-578bf9f9-20e15000-924f8f56/1468791289 

In 8.2.3.x the behaviour of nsrclone changed: a ‘destination pool’ parameter is now required, and the resurrect call does not supply one (note the empty pool name in the error).

Cause: upgrade to 8.2.3.x.

Fix:

Upgrade to latest cumulative fix.

Workaround:

When recovering across sites or from a secondary copy, contact EMC NetWorker Support for assistance with the manual resurrect procedure.

Reference for manual resurrect procedure: https://support.emc.com/kb/333404


VNX M and R 2.1: Collector-Manager service stopped and will not start. Error message: SEVERE Can’t load descriptor

Article Number: 483114 Article Version: 3 Article Type: Break Fix



VNX Family Monitoring & Reporting

In VNX M&R 2.1 the Collector-Manager service will not start. In the logs is the following error:

SEVERE — [2016-05-09 16:06:19 EDT] — Bootstrap::main(): Can’t start Collector Manager!

com.watch4net.apg.v2.common.config.InvalidConfigurationException: Can’t load descriptor ‘Variable-Handling-Filter/Default/conf/variable-handling-filter-topo.xml’ for filter TOPO-Filter!

In this instance, the file at the indicated path was not present:

/opt/VNX/Collecting/Variable-Handling-Filter/Default/conf/variable-handling-filter-topo.xml

Many other configuration files were missing as well.

To ensure all configuration files were correct, the collect component of VNX M&R was redeployed.

The collect component includes all dependencies for collecting, including the stream, text and XML collectors and the cross-referencing, variable-handling, property-tagging, group and failover filters. Redeploying it ensures that these components are removed and reinstalled in the correct order.

To re-deploy the collect component, navigate to the bin directory of VNX M&R and perform the following steps:

Default path of bin:

Windows: C:\Program Files\VNX\bin

Linux: /opt/VNX/bin

1. Verify the desired component is available:

Windows:

manage-modules.cmd list available | findstr collect

Linux:

./manage-modules.sh list available | grep collect


2. Stop services:

Windows:

manage-modules.cmd service stop all (alternatively you may use Server Manager/services.msc and stop all services starting with VNX)

Linux:

./manage-modules.sh service stop all

3. Uninstall the collect component:

Windows:

manage-modules.cmd remove emc-vnx-collect

Linux:

./manage-modules.sh remove emc-vnx-collect

VNX M&R will then list the components to be uninstalled and ask if you wish to proceed. Type ‘y’ or hit the return key.



VNX M&R will then remove the components in order. For each component it will ask “Do you want to completely purge the module xxxxxx Default out of the system, including data files, configuration files and restore points? (yes/no)”. Type “y” for each component.

4. Redeploy the collect component:

Windows:

manage-modules.cmd install emc-vnx-collect Default

Linux:

./manage-modules.sh install emc-vnx-collect Default

Note: Be sure to include the instance name of Default, or the components will be named ’emc-vnx’ and it will not work correctly.

VNX M&R will list all required dependencies and ask you to accept the changes.


Enter ‘y’ and continue.

The following configuration questions will be asked. Note that not all answers are the defaults.

? Activate the FailOver-Filter (yes/no) [y] >
Key in ‘n’ and press return.

? Hostname or IP address to send data to [localhost] >
Hit the return key to accept the default.

? Network port to send data to [2020] >
* Do not accept the default 2020. Key in ‘2000’ and hit the return key.

? Tomcat hostname or IP address [localhost] >
Hit the return key to accept the default.

? Configure custom Tomcat port (yes/no) >
Key in ‘n’ and press return.

? Tomcat communication protocol [1] >
Key in ‘1’ and press return.

? Username [ws-user] >
Hit the return key to accept the default.

? Password [•••••] >
Hit the return key to accept the default.

? Frontend Web service instance name [APG-WS] >
Hit the return key to accept the default.

? Topology Service hostname or IP address [localhost] >
Hit the return key to accept the default.

? Web-Service gateway hostname or IP address [localhost] >
Hit the return key to accept the default.

? Web-Service port number [48443] >
Hit the return key to accept the default.

? Authentication schema [2] >
* Do not accept the default 2. Key in ‘1’ and press return.

? Web-Service username [admin] >
Hit the return key to accept the default.

? Web-Service password [•••••] >
Hit the return key to accept the default.

? Event server hostname or IP address [localhost] >
Hit the return key to accept the default.

? Event server port number [52001] >
Hit the return key to accept the default.

? Configure Alert consolidation (yes/no) >
Key in ‘n’ and press return.

? Specify custom naviseccli path (yes/no) >
Key in ‘n’ and press return.

? Do you want to specify another VNX system (yes/no) >
Key in ‘n’ and press return.

? Use advanced settings (yes/no) >
Key in ‘n’ and press return.

? Do you want to start the installed services now? (yes/no) [y] >
Key in ‘y’ and press return.
5. Start services:

Windows:

manage-modules.cmd service start all (alternatively you may use Server Manager/services.msc and start all services starting with VNX)

Linux:

./manage-modules.sh service start all

6. Verify services are running:

Windows:

manage-modules.cmd service status all (alternatively you may use Server Manager/services.msc and view services starting with VNX)

Linux:

./manage-modules.sh service status all


VNX: Getting “tar: This does not look like a tar archive” error while untaring PUHC script

Article Number: 483910 Article Version: 3 Article Type: Break Fix



VNX Operating Environment,VNX OE for File

While untaring the PUHC script, the following message appears:

[root@vnxnkdc01cs0 nasadmin]# tar -xzvf upgrd-ckv11-29.tar.gz

tar: This does not look like a tar archive

tar: Skipping to next header

tar: Archive contains obsolescent base-64 headers

tar: Error exit delayed from previous errors

It looks like the browser handled the gzip layer of the .tar.gz file differently when it was downloaded, so what is on disk does not match what tar -xzvf expects.

Decompress the file using:

# gzip -d file.tar.gz

After that, continue with step 9 of the procedure in KB article 304256 (VNX Unified: Pre-upgrade Health Check).


[nasadmin@VNX ~]$ tar xzvf upgrd-ckv11-29.tar.gz

tar: This does not look like a tar archive

tar: Skipping to next header

tar: Archive contains obsolescent base-64 headers

tar: Error exit delayed from previous errors

[nasadmin@VNX ~]$ gzip -d upgrd-ckv11-29.tar.gz

[nasadmin@VNX ~]$ ll

total 98468

drwxrwxr-x 2 nasadmin nasadmin 4096 Dec 10 11:22 celerra

-rw------- 1 nasadmin nasadmin 1378 Apr 21 14:52 dead.letter

-rw-rw-r-- 1 nasadmin nasadmin 0 Oct 22 2015 group

-rw-rw-r-- 1 nasadmin nasadmin 58 Nov 4 2015 homedir

-rw-rw-r-- 1 nasadmin nasadmin 277 Oct 22 2015 ldap.conf

drwxrwxrwx 2 nasadmin nasadmin 4096 Dec 10 11:30 nas_tool

-rw-rw-r-- 1 nasadmin nasadmin 71 Oct 22 2015 nsswitch.conf

-rw-rw-r-- 1 nasadmin nasadmin 202 Oct 22 2015 passwd

-rw-rw-r-- 1 nasadmin nasadmin 20480 Dec 15 12:49 qtree.tar.gz

-rwxr-xr-x 1 nasadmin nasadmin 9236 May 9 14:45 runquotareport.ksh

-rw-r--r-- 1 root root 19377 May 17 15:38 screenlog.0

-rw-r--r-- 1 root root 22491 May 17 15:15 screenlog.1

-rw-r--r-- 1 root root 4982 May 17 13:31 screenlog.2

-rw-r--r-- 1 nasadmin nasadmin 5619914 May 24 15:47 upgrd-ckv11-29.tar

-rw-rw-r-- 1 nasadmin nasadmin 5712 Jan 11 13:03 viruschecker.conf

[nasadmin@VNX ~]$ tar xzvf upgrd-ckv11-29.tar

upgrd-ckv11-29.bin

upgrd-ckv_O

upgrd-ckv_N

check_nas_upgrade_5.4.31.2.tar.gz

check_nas_upgrade_5.5.42.1.tar.gz

check_nas_upgrade_5.6.52.2.tar.gz

check_nas_upgrade_6.0.70.4.tar.gz

check_nas_upgrade_7.0.54.5.tar.gz

check_nas_upgrade_7.1.79.8.tar.gz

check_nas_upgrade_8.1.6.101.tar.gz
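The failure above comes from trusting the file extension: tar -xzvf assumes exactly one gzip layer around a tar archive, and the session shows that assumption was wrong for this download (tar xzvf still succeeds on the .tar that gzip -d produced, i.e. the data was gzip-compressed twice). The helper below is an added example, not part of the KB article or of any EMC tool; it inspects the magic bytes (1f 8b for gzip, the string "ustar" at offset 257 for a tar header) and peels gzip layers until a tar archive is exposed, so it copes both with a doubly compressed download and with a plain tar saved under a .tar.gz name. It assumes a POSIX sh with od, dd, gzip and tar available.

```shell
#!/bin/sh
# Added example (not from the KB article): unpack a download based on what
# the bytes are, not on what the filename claims.

# Print the real container type of FILE: gzip, tar or unknown.
archive_kind() {
    f=$1
    # A gzip member always starts with the two bytes 1f 8b.
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        echo gzip
        return 0
    fi
    # A POSIX ustar header carries the string "ustar" at byte offset 257.
    tag=$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null)
    if [ "$tag" = "ustar" ]; then
        echo tar
        return 0
    fi
    echo unknown
    return 1
}

# Print the tar invocation that matches the detected type; fail otherwise.
extract_command() {
    case $(archive_kind "$1") in
        gzip) echo "tar -xzf $1" ;;
        tar)  echo "tar -xf $1" ;;
        *)    return 1 ;;
    esac
}

# Peel gzip layers off FILE until a tar archive is exposed, extract it into
# the current directory, and print how many layers were removed.
unpack() {
    f=$1
    layers=0
    while [ "$(archive_kind "$f")" = gzip ]; do
        out=${f%.gz}
        # Name did not end in .gz (second layer, or a misnamed file):
        # pick a fresh name so the input is never overwritten.
        if [ "$out" = "$f" ]; then
            out="$f.layer$layers"
        fi
        # -c writes to stdout, so gzip does not care about the suffix.
        gzip -dc "$f" > "$out"
        f=$out
        layers=$((layers + 1))
    done
    if [ "$(archive_kind "$f")" = tar ]; then
        tar -xf "$f"
        echo "$layers"
    else
        echo "unpack: $f is neither gzip nor tar" >&2
        return 1
    fi
}

# Usage: sh unpack.sh upgrd-ckv11-29.tar.gz
if [ $# -gt 0 ]; then
    unpack "$1"
fi
```

On the listing above this would have turned upgrd-ckv11-29.tar.gz into upgrd-ckv11-29.tar and then upgrd-ckv11-29.tar.layer1 before extracting, reporting 2 layers; a correctly packaged download reports 1.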


VNX M&R Cannot query by File System by its name in the Search box

Article Number: 495175 Article Version: 2 Article Type: Break Fix



VNX Family Monitoring & Reporting 2.2

From the list of all file systems on a Data Mover, the user tries to search by file system name for one of about 200 file systems, but the query always returns “No results found”.


This works as designed: when searching for components on the Web Portal, the user can only search by system name, model or IP.

Upgraded to VNX M&R 2.2 from VNX M&R 1.x

User can search by a system name.


Re: Can I restore a backup from a physical cartridge which doesn’t have a barcode sticker and no information about the backed-up data

To recover data that is on this tape, the tape volume and its contents must first be cataloged into the NetWorker Media database.

  1. Review the output file out.txt. Find the client name whose data you want to recover.
  2. Ensure that the client name resolves to an IP address.
  3. At this point, I strongly urge you to make a bootstrap backup before proceeding further.
  4. In NMC, create the NetWorker client, using the same name as reported in the output file.
  5. Now to populate the NetWorker Media Database. You will follow the same steps 1-7 from above.
  6. To scan the entire tape, use: scanner -m (drive) >out2.txt 2>&1

After the scanner command completes:

  1. Eject the tape using: nsrjb -uv -f (drive)
  2. Go back into the drive properties and un-select the Read-Only flag.
  3. Use the following to verify that NetWorker has information on the volume: mminfo -avot (NetWorker volume name)

At this point, the mminfo should list all the backups that are on that tape volume. However, they would be in recoverable mode only.

Depending on what you want to recover, you can either perform a saveset recovery (for file system backups only), or you may still have to make the saveset browsable by using the scanner -i command.

For example: if you wanted to catalog the saveset=123456789 so that you can then “browse” and select what files you want to recover, or if this backup was done using one of the NetWorker modules, then you load the tape back into a tape drive, and run:

mminfo -avot -q ssid=123456789 -r mediafile,mediarec

scanner -i -f (mediafile#) -r (mediarec#) -S 123456789 (drive)

If successful, then the following will show that the saveset is now browsable:

mminfo -avot -q ssid=123456789



And you can now proceed with the recovery.
