Example:
@echo off
setlocal EnableDelayedExpansion EnableExtensions
for /F %%a in (file.txt) do (
set file_content=%%a
for /f "tokens=*" %%k in (' %file_content%') do (
set command_result=%%k
echo !file_content! !command_result!
)
)
ENDLOCAL

First, what’s changed in OfficeScan from version 10.0 SP1?

- Active Directory Integration
- Smart Protection Solutions
- Security Compliance
- Virtual Desktop Support
- Role-based administration
- General Product enhancements

So, what is my experience with the new features?

Active Directory Integration
Closer integration with active directory. Personally not tested.

Smart Protection Solutions
I guess this is enhancements to the file reputation and the implementation of a “local” web reputation server.
Tested this one, works fine. Good idea to include a local alternative, instead of having all your clients talk to “the cloud”. The new version of the TMCSS (Cloud Scan Server) also works with OfficeScan 10.0 SP1.

You can either perform a fresh install, or upgrade from 1.x.

Security Compliance
Not tested.

Virtual Desktop Support
According to Trend, OfficeScan is now “VDI”-aware. And supports VMware View 4 and Citrix XenDesktop 4.
Anyone running those products tested?

Granular Role-based Administration
Pretty much standard role based administration, with the possibility to use Active Directory user accounts. Also single sign on support.

General Product enhancements
Just a bunch of smaller product enhancements.

They fixed stuff related to:
- Update Agent
- Exception list
- Firewall
- Logs
- Scan Settings
- Web Reputation
- Plug in program updates

Update Agent
You can now have update agents separately download components, settings and program updates. A new report tool for update agents has also been implemented.

Exception list
There are now separate lists for Behavior Monitoring and Device control exceptions. In 10.0 they were the same.

Firewall
It is now possible to make exceptions for software on the Certified Software List, or block specific applications.

Also, when installing OfficeScan server from scratch, you will be asked if you want to enable the OfficeScan firewall, AND if you want to enable the firewall for server platforms. Earlier, if you enabled the firewall, it would be enabled both for workstations/laptops AND servers. This is great, because the firewall is not recommended for server platforms, but for client platforms. So you can get away with just one OfficeScan server (if you want to). In other words, no need to have dedicated server without the firewall enabled. You might of course still want to do this, so you can patch the client server, separate from the server server (server server server? ).

Logs
Enhancements of the logging feature will ensure consistency between time settings on OfficeScan clients, server and Control Manager. In other words “unified time stamping”.

Scan Settings
The following configuration options are now available on the local client (as long as the client has privileges to configure scan exclusions):
- Add, remove or overwrite files and directories from the client scan exclusion list.
- configure OLE exploit detection settings
- Configure settings for action on probable virus malware (scan actions on heuristic and generic detection)
- Clean Spyware/grayware in zipped files setting
- Use wildcards in the scan exclusion lists.

They also added additional options in the web gui. These are not listed in the release notes. But I’ve found some of them, and the most important one is the option to configure actions on generic/heuristic while using Active Action.
But I’m bit confused, since this is not an option if you use “use the same actions for all”.
Even if you configure the same actions for all types, you will have to specify “1st” and “2nd” scan action in the ofcscan.ini file.

As far as I know OfficeScan will still “Pass” potential security threats, if not configured with “1st” and “2nd” action when using the same actions for all types.

Web reputation settings
You can now configure web reputation policies and assign them to one, multiple or all OfficeScan clients.

Plug in program updates
OfficeScan can now automagically download plug in program updates from the first source in the server update source list. This includes Trend Micro Control Manager.

So, except from the GUI-bug mentioned in an earlier post, it should be safe to upgrade to version 10.5. I have not experienced any other problems. Have you?

Process Explorer:
http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

They also updated som other tools:

VMMap
http://technet.microsoft.com/en-gb/sysinternals/dd535533.aspx

DiskView
http://technet.microsoft.com/en-gb/sysinternals/bb896650.aspx

Read the entire blog post here:
http://blogs.technet.com/sysinternals/archive/2010/03/25/updates-process-explorer-v12-vmmap-v2-62-diskview-v2-4-sdelete-v1-7.aspx

Exploitation of the exploit crashes the system. This is done by sending a NetBios header that specifies that the SMB-packet is 1, 2 or 4 bytes larger or smaller than what it actually is.

When the system crashes, there is no BSOD, the system simply freezes. And there is no traces in the event logs (after reboot).

When the system receives the packet, it goes into an infinite loop.

The crash itself happens in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() (which is caused by an infinite loop).

The vulnerability could possibly be exploited through IE.

And the proof of concept works by:

1. Running the python code on a *nix box, and ensuring port 445 is open.
2. Connecting through SMB to the *nix box.

Read more:
http://isc.sans.org/diary.html?storyid=7573
http://blog.trendmicro.com/new-smb-zero-day-exploit/
http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/
http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html