In our BSP all drivers are test signed currently with whatever certificates are supplied in Program Files(x86)\Windows Kits\10\tool\certificates folder. Some of these certificates expired 2/1/2022 and now PackageGen fails and we can no longer build an FFU. Where do I find the new certificates? I already tried Update for Windows OEM HAL Extension but this does not fix our build issue. I am not experienced with how certificates work or what to do. Can anyone help? We use Visual Studio 2017 for building our BSP.
Related
I'm supporting a 32-bit, MFC-based application. For deployment to customers an MSI installer file is created via Visual Studio 2015. I have some customers reporting that the cannot install the application due to Microsoft Defender reporting a severe warning:
Exploit:O97M/CVE-2017-11882.JR!MTB
On my side, Norton Internet Security shows all the files to be clean. MalwareBytes also shows all files to be clean. How do I prevent this warning from showing up on my customer side?
Digital Signing: The setup can obviously be infected on the end user's PC even if your original setup is not - or your own setup could contain real malware or a false positive. Digital signing can help a bit - as stated by others. A digital signature verifies that the setup has arrived unchanged from the vendor. Certificates are not 100% reliable, and they are also expensive if you get an EV certificate ("Extended Validation Certificate").
Signtool.exe: See this old answer: Odd 'Program name' when installing signed msi installer. For ad-hoc signing I suppose you can try the signwizard as shown here. For build automation you would want the full command line. I haven't tested that in a while, maybe try this answer.
Warning: Be careful not to sign malware! Obviously. Then you have: signed malware. In that sense it is proven - certified even - to come from you. Irony.
VirusTotal.com: You should run scan on all binaries by zipping them and uploading to virustotal.com as your first step. This is screening for both malware and false positives. Sometimes I try the Kaspersky checker too. ESET has a free scan feature for your computer (not uploaded files): https://www.eset.com/int/home/online-scanner/ and also a "SysInspector" tool which can help diagnose potential infections on any computer.
SmartScreen: Windows Defender includes SmartScreen - a trust-based feature which flags setups that are unknown, unsigned and deemed unsafe. Here is some information: Windows Installer, Digital Certificates and SmartScreen
See these existing answers:
How can i generate windows certificate so my msi doesn't shows warning to users
Microsoft Defender Smart Screen Preventing my MSI to run
Process Explorer: A nifty feature of Process Explorer from Sysinternals / Microsoft is the ability to scan every process on your computer and using VirusTotal.com from inside the tool. See this video. Here is a screenshot of the tool in action - it has found malware running on the PC:
Links:
InstallShield: Digital Signing and Security
Using SignTool to Sign a File
Thanks for all of the ideas.
The problem seemed to go away with signing via adding this command to the "PostBuildEvent"
"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /a $(BuiltOuputPath)
I am trying to remote debug an Asp.Net Core Web Application (with Web API) project deployed as an Azure App Service with Visual Studio 2017 Professional.
Followed the instructions as documented here. Essentially, using the Server Explorer-->App Service-->Attach Debugger
Also, enabled the necessary firewall ports as mentioned. The ones I opened are TCP (4022, 4023) and UDP (3702). Also, ensure remote debugger application is in allowed list of apps in Windows Firewall. Documentation for the firewall steps.
Despite all the settings, I am getting following error
System.Runtime.InteropServices.COMException (0x89710023): Unable to connect to the Microsoft Visual Studio Remote Debugger named 'essamplepoc2.azurewebsites.net'. The Visual Studio 2017 Remote Debugger (MSVSMON.EXE) does not appear to be running on the remote computer. This may be because a firewall is preventing communication to the remote computer. Please see Help for assistance on configuring remote debugging.
at Microsoft.VisualStudio.Debugger.Interop.Internal.IDebuggerInternal120.ConnectToServer(String szServerName, VsDebugRemoteConnectOptions[] pConnectOptions, CONNECT_REASON ConnectReason, Int32 fIncrementUsageCount, IDebugCoreServer3& ppServer)
at Microsoft.VisualStudio.Web.Azure.MicrosoftWeb.Operations.RemoteDiagnosticsSessionBase.ConnectToServer(String site, String user, String password)
Any suggestion would be helpful.
The issue is resolved. We had to open outbound ports 4024 for VS 2019, 4022 for VS 2017 and 4020 for VS 2015 on corporate firewall.
For more info check these out:
https://learn.microsoft.com/en-us/visualstudio/debugger/remote-debugger-port-assignments?view=vs-2019
https://learn.microsoft.com/en-us/visualstudio/debugger/configure-the-windows-firewall-for-remote-debugging?view=vs-2019
I also had this problem. I solved it by changing the Platform from 32-bit to 64-bit in Application Settings as I am trying to debug from 64-bit machine.
It seems remote debugging is not turned on for your App Service.
Open your App Service in the Azure portal and go to Application Settings. Then turn Remote Debugging to On and select Visual Studio Version to 2017.
It should look like this:
Screenshot source
I hope this helps.
First, what did NOT work. Opening the port in my Firewall did not work for me. Restarting my local machine did not work, neither did restarting the app in Azure, nor updating VS2019 with the installer. I kept getting:
System.Runtime.InteropServices.COMException (0x89710023): Unable to connect to the Microsoft Visual Studio Remote Debugger named 'empirepipedriveapi-newversion.azurewebsites.net'. The connection with the remote endpoint was terminated.
Finally, what DID work, I deleted the deployment slot and then added it again, I deleted the publish profile in Visual Studio 2019 and recreated it again, a published the app (without even recompiling it) and then WAS able to connect (I did refresh the available slots in the Cloud Explorer first just to be overly careful). I believe, and this is the 2nd time in about a year, that, on rare occasion, the deployment slot can become corrupted. I noticed this time when I published the app, it took longer and it seemed much more activity took place, leading me to believe that there was code in the old slot that was is not refreshed on each and every publish and it must have become corrupted.
I tried to install the latest VS 2017 Update yesterday and since then I cannot get it to finish this.
This worked pretty fine in the last months and stopped working yesterday.
I already tried to do the following:
Uninstall VS 2017
Remove folder %PROGRAMFILESx86%\Microsoft Visual Studio\2017
Remove folder %PROGRAMDATA%\Microsoft\Visual Studio
Restart machine
I have a 50 MBit/s download rate and all other apps are working just fine. If I look into the logs I can see failed downloads when I abort the instalation. When I pick one of the URLs there and just download the vsix directly via the browser it just works.
Is there any caching or network setting that might be useful in this case?
UPDATE
I have tried 2 downloads (WLAN) from MS servers right now:
Has MS issues on certain download servers maybe and what to do or whom to tell in those cases?
I had the same problem with VS2017 Preview. I disabled IPV6 in the network adapter properties. After that the installer ran with full download speed.
After some heavy investigation and because of the feedback of trinitrotoluol I solved the issue by using an external VPN endpoint. That means, that my German hoster (Telekom) has got problems with some Microsoft download-servers. We contacted them but (not very suprisingly) there is no way to encourage them to examine their network a little bit deeper. So turns out that we have to wait until they fix this back or use a VPN client for such cases.
change download location via hosts (C:\Windows\System32\drivers\etc) entries:
I checked alternative servers with ping-test.ru
For example:
93.184.215.201 download.visualstudio.microsoft.com
or
68.232.34.200 download.visualstudio.microsoft.com
or
192.229.232.200 download.visualstudio.microsoft.com
or
27.22.54.160 download.visualstudio.microsoft.com
I'm developing application in C++ (cross-platform; Windows, Mac and Linux) that needs to communicate securely with servers using https protocol with libcurl (built with winssl/darwinssl/openssl on Windows/Mac/Linux respectively). I've changed a curl option, CURLOPT_SSL_VERIFYPEER from 0 to 1 which should help prevent MitM issues.
This has caused issues that an initial search points to turning that option off, but after digging deeper I found:
Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verification when connecting. For libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath); from curl docs
and
Get a better/different/newer CA cert bundle! One option is to extract the one a recent Firefox browser uses by running 'make ca-bundle' in the curl build tree root, or possibly download a version that was generated this way for you.
from curl docs
I actually use CURLOPT_CAINFO to the bundle as I had seen some word of issues using CURLOPT_CAPATH on Windows; curl docs. I have downloaded and installed this bundle along with the application on Windows and Mac and I'd like to know if this is the correct way to do it or if there is a better practice.
Initially this caused issues for users of the application running behind some corporate networks or proxy which seemed to get fixed by building libcurl against winssl instead of openssl on Windows; though potentially disguising itself as a firewall issue, still unclear although it seems likely.
Sorry for the length.
Is anything silly about installing the ca-cert-bundle.crt along with the application, and is there anything that should be done differently to communicate securely with the server from this installed application?
A slightly separate, but still very related, issue I have is CURLOPT_CAINFO on Linux giving the error:
error setting certificate verify locations:
CAfile: ../share/my_application/curl-ca-bundle.crt
CApath: none
Though attempting to open the file for reading from within the application does work successfully. Edit: This issue I solved by NOT setting the CURLOPT_CAINFO field on Linux (leaving it blank) and adding the dependency package ca-certificates to the application package. The default path is correctly /etc/ssl/certs/ca-certificates.crt and seems to be working. To me this feels a bit better than installing the bundle with the application.
Edit2: Although solved it appears the ca-certificates package sometimes doesn't install ca-certificates.crt and instead ca-bundle.crt and the locations vary on different distros as this source, happyassassin.net shows that different Linux systems store the CA bundles in different locations. It did not seem to have a clear answer as to HOW to handle this. Should I be using a value in the configuration file that the user can then modify, or any other thoughts on the subject?
Edit3: Some users have pointed out that my name exists in one of the paths curl looks for, I'm not entirely sure how that is possible as the only thing I've specified for curl is where I built openssl/cares libraries...
I realize this is a loaded/multipart question but it is all on the same subject as the title states, I'd appreciate any help.
Thanks.
In my opinion, it is better to use system certificate then package certificates with application (if you are not using some special certs). For the linux it should be easy according to https://serverfault.com/questions/394815/how-to-update-curl-ca-bundle-on-redhat And for windows you can either use winssl or create the file from system https://superuser.com/questions/442793/why-cant-curl-properly-verify-a-certificate-on-windows Configure cURL to use default system cert store
A default libcurl build is setup to attempt to use the "right" CA bundle.
Linux
A libcurl built on Linux will scan and check where the CA store is located on your system and use that. If you install libcurl on a regular Linux distro, it should've been built to use the distro's "typical" CA store.
macOS
If you build libcurl for mac and tell it to use the Secure Transport backend, it will automatically use the macOS CA store. So will the default-installed curl and libcurls that come shipped bundled with macOS from Apple.
Windows
If you build libcurl for Windows to use Schannel (the windows TLS system) it will by default use the Windows CA store.
Other setups
If you deviate from these setups, you basically opt to not use the CA store that comes bundled in the operating system you're using. Then you need to handle and update the CA store yourself.
I am trying to install an MSExchange 2016 in an EC2 instance from scratch without success. By from scratch, I mean I start from a new EC2 instance without any AD yet installed.
I am not very familial with Windows Server. I got a lot of problem during the installation. By digging the web, I fixed a lot of them, but I think there is something I miss to succeed in my installation. Any help would be greatly appreciated
Here is the procedure I followed:
I created an EC2 Windows Server 2012RC2 instance
I created a simple Active Directory in AWS.
I provided the AD DNS to my Windows Server (via Network and Sharing Center, properties of Internet Protocol v4)
I joined the server into that AD (Via Control Panel > System and Security > System, change computer workgroup to the domain defined in my AWS Simple AD)
Restart computer
Log into the server as Administrator, with the AD domain
Download Exchange from here
Set-up the active directory, as in this procedure: https://judeperera.wordpress.com/2015/07/24/step-by-step-guide-for-installing-exchange-server-2016-preview/
The Step 4.1. of that procedure indicates to execute the following code
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
When I execute it, I get the following error:
I do not understand what I need to do/fix to continue the installation.
Thanks in advance for your help!
The issue you are encountering is that Simple Directory is not an Active Directory product, it is powered by Samba v4. What you need is to setup a Microsoft Active Directory (Enterprise Edition) or Microsoft AD, which is powered by Windows Server 2012 R2. The Simple AD is powered by Samba v4 and is simply Active Directory compatible but does not support the added schema features which are needed by Exchange Server 2016.
The other option is to back away from hosting your own instance of Exchange server and instead take a look at AWS WorkMail. It is an exchange like service which supports active sync with Outlook 2007+ and all current mobile smart devices such as Android and iOS. I currently use this and it took a lot of the headache out of managing my own mail server as the complexities are offloaded to the AWS environment and all you need to do it add mail accounts and group addresses.
Either option should solve your issue.