2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Problem description:
1) 50% of the 300 clients in a unit restart automatically and show a blue screen.
2) A virus is suspected.
3) Shutting down the servers ruled out the servers as the cause.
4) Patching showed that a computer no longer restarts after 2 patches are installed.
The key patches still need to be installed:
Windows 7 KB4012212
KB4012598 for Windows 2008 R2
5) It was always assumed that some antivirus software installed all the patches automatically, but most of them had not been installed.
Solution:
1) The antivirus vendor suspects ransomware
The unit's 300 computers are all on an intranet and are not allowed to access the Internet. Based on the restart symptoms, the antivirus vendor's technicians suspected ransomware.
Restart symptoms:
a. Some computers restart, some do not
b. Some computers restart with a blue screen
Antivirus vendor's analysis:
A. Where the ransomware is present, computers restart.
B. Where the ransomware is present, computers restart and blue-screen.
C. Why did the ransomware not encrypt any files?
Explanation: after the ransomware gets in by exploiting the vulnerability, it needs to obtain the private key over the public network. The intranet has no Internet access, so it cannot obtain the key and cannot encrypt.
PS:
Unexpectedly, this turns out to be true: on the intranet of a government unit, the ransomware cannot encrypt!
2) Configure Windows to update on a schedule without restarting
In a Windows domain environment, Windows automatic updates are not configured by default on domain-joined clients.
Windows 2012 R2
Windows 7
For the Windows domain environment, all domain-joined computers need to be configured to download and install updates at 12:00 on a regular schedule.
Remote Desktop to the domain controller
Select Tools > Group Policy Management
Select Forest: contoso.com
Select Domains > contoso.com > Default Domain Policy
Right-click Default Domain Policy and select Edit
Select Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Double-click Configure Automatic Updates (configure as shown below)
Double-click Always automatically restart at the scheduled time
Double-click Allow Automatic Updates immediate installation
Set up the other settings in the same way.
If the settings above cause any anomalies, adjust them to suit your environment.
Force a Group Policy update on the client:
gpupdate /force
C:\Users\Administrator>gpupdate /force
Updating policy.
The computer policy update completed successfully.
The user policy update completed successfully.
C:\Users\Administrator>
Windows 2012 R2
Windows 7
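A successful gpupdate only says that policy processing finished, not that the Windows Update settings reached the client. The following added example (not part of the original article) compares the values Group Policy writes under the Windows Update AU policy key with the 12:00 schedule described above; the "every day" value and the function names are assumptions, and the two restart/install-now settings are left out because the article does not state how they were set.

```powershell
# Added example (not from the article): verify the Windows Update policy on a client.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Expected data for "Configure Automatic Updates" as the article describes it.
# ScheduledInstallDay = 0 (every day) is an assumption; the article only says 12:00.
$Expected = @{
    NoAutoUpdate         = 0    # policy enabled, automatic updates on
    AUOptions            = 4    # auto download and schedule the install
    ScheduledInstallDay  = 0    # 0 = every day, 1-7 = Sunday-Saturday
    ScheduledInstallTime = 12   # hour of day, 12 = 12:00
}

function Get-WuPolicy {
    # Read the live key into a hashtable. An empty result means no policy reached the client.
    $values = @{}
    if (Test-Path $AuKey) {
        foreach ($p in (Get-ItemProperty -Path $AuKey).PSObject.Properties) {
            if ($p -and $p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-WuPolicy {
    param([hashtable]$Actual)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $have = $null
        if ($Actual.ContainsKey($name)) { $have = $Actual[$name] }
        $row = New-Object PSObject -Property @{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $have
            Ok       = ($null -ne $have) -and ($have -eq $Expected[$name])
        }
        $row | Select-Object Setting, Expected, Actual, Ok
    }
}

# Constructed sample: the policy arrived, but the install hour is 3 instead of 12.
$sample = @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
Test-WuPolicy -Actual $sample | Format-Table -AutoSize

# Live check on the client, after gpupdate /force has run.
Test-WuPolicy -Actual (Get-WuPolicy) | Format-Table -AutoSize
```

The script avoids PowerShell 3.0 syntax so that it also runs on the PowerShell 2.0 that ships with Windows 7.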
3) Set the Windows Update service to start automatically
On a domain-joined computer, the Windows Update service may by default be set to Automatic and running. (most likely!)
On a domain-joined computer, the Windows Update service may by default be Disabled and not running. It's possible!
On a domain-joined computer, the Windows Update service may by default be Manual and not running. It's possible!
Remote Desktop to the domain controller
Select Tools > Group Policy Management
Select Forest: contoso.com
Select Domains > contoso.com > Default Domain Policy
Right-click Default Domain Policy and select Edit
Select Computer Configuration > Policies > Windows Settings > Security Settings > System Services
Select the Windows Update service
Client:
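Because the service can be in any of the three states listed above, and the key patches turned out to be missing on most machines, both are worth measuring rather than assuming. This added example (not part of the original article) reports the startup mode and state of the Windows Update service (wuauserv) and whether either KB named in the article is listed; the function names and the CSV file name are assumptions, and it expects Windows PowerShell with administrative rights.

```powershell
# Added example (not from the article): per computer, is the patch listed and can wuauserv start?
# Assumes Windows PowerShell (Get-WmiObject) and admin rights; remote targets need WMI/DCOM access.
$PatchIds = 'KB4012212', 'KB4012598'   # the two KBs named in the article

function Get-UpdateReadiness {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        $row = @{ Computer = $c; Reachable = $false; StartMode = $null; State = $null; Patch = '' }
        try {
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'" -ComputerName $c -ErrorAction Stop
            $hot = Get-HotFix -ComputerName $c -ErrorAction Stop |
                Where-Object { $PatchIds -contains $_.HotFixID }
            $row.Reachable = $true
            $row.StartMode = $svc.StartMode   # Auto, Manual or Disabled
            $row.State     = $svc.State       # Running or Stopped
            $row.Patch     = @($hot | ForEach-Object { $_.HotFixID }) -join ','
        } catch {
            # Offline or access denied: keep the row so the gap is visible in the report.
        }
        New-Object PSObject -Property $row |
            Select-Object Computer, Reachable, StartMode, State, Patch
    }
}

function Test-NeedsAttention {
    param($Row)
    # The article's target state is an Automatic service with the key patch installed.
    # A later cumulative rollup can carry the same fix without listing these KB ids,
    # so an empty Patch column means "check further", not proof that the fix is missing.
    $Row.Reachable -and (($Row.StartMode -ne 'Auto') -or (-not $Row.Patch))
}

# Local machine by default. For the domain, pass the names of the joined computers,
# for example from Get-ADComputer (ActiveDirectory module), which is an assumption here.
$report = Get-UpdateReadiness
$report | Where-Object { Test-NeedsAttention $_ } | Format-Table -AutoSize
$report | Export-Csv -Path .\wu-readiness.csv -NoTypeInformation
```

Rows with Reachable set to False are kept in the CSV so that machines which could not be queried are followed up instead of silently dropped.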
4) Leave virus removal to the antivirus software
If this happens and you have antivirus software installed across the whole network, it is recommended to bring in the antivirus vendor's engineers to solve the problem.
The antivirus software also has something to do with the operating system updates failing.
The customer originally planned to use the antivirus software to install these updates in bulk!
I never thought that Windows automatic updates were not configured. Some Windows Update services are disabled, some are manual, and none of them are started, so the updates cannot be installed.
5) Summary
If you want to prevent ransomware:
a. Install antivirus software on all domain-joined computers. (used by friends)
b. Configure Windows automatic updates on all domain-joined computers through Group Policy.
c. Set the Windows Update service to start automatically on all domain-joined computers through Group Policy.
d. Deploying WSUS is recommended, so that all domain-joined computers install patches regularly through WSUS.
e. Back up important internal files regularly.
It is best to keep 3 backup copies: 1 copy on Windows, 1 copy on a Linux file server, 1 copy on a tape drive.
Whether these three copies can be synchronized on a regular basis is something you need to consider!