Syncio Blog - Wednesday, June 18, 2008
little tiny electrons
 
 Wednesday, June 18, 2008

Using the FPCCacheContents object, I was able to force-cache any file I wanted for any duration I wanted. 

1.  I downloaded the Cain&Abel executable from source #1 and Kaspersky blocked it.  I verified that traffic was coming from source #1 with Wireshark.
2.  I force-cached Cain&Abel executable from source #2 to avoid IE caching or anything that might invalidate this test.  The item now exists in ISA cache.
3.  I downloaded Cain&Abel executable from source #2 again.  I verified that traffic was indeed coming from ISA Cache with Wireshark. 
I turned up the KAV log files to Debug and verified that the Cain&Abel executable had not been flagged the first time it was downloaded.  Kaspersky blocked Cain&Abel from the ISA cache.
 
Conclusion:

  • The Kaspersky HTTP engine scans both content served from the cache and routed (proxied) requests. 
  • Anything can be forced into the ISA cache.

See the ISA Monitor Utility for cache control.  http://sync-io.net/IsaTools.aspx

Wednesday, June 18, 2008 7:15:11 PM (GMT Standard Time, UTC+00:00) | ISA | Malware

Setting up a Collector Initiated Subscription:

1. Download and install WS-Management/WINRM on the client and collector computers.  Configure WINRM using the command "winrm quickconfig".  Event Viewer will gain a Microsoft-Windows-Forwarding/Operational log.

2. Configure WECUTIL on the collector computer using the command "WECutil QC".

3. Import the subscription using the command 'WECUTIL cs sub_CI_Pull0.xml' on the collector computer.

NOTE: Modify sub_CI_Pull0.xml before importing it.  I used a domain account with administrative privileges.  The Event Selection XPath syntax is sensitive.  I was unable to create a query for the Security log.  (Security Log Permissions)

4.  Run eventvwr.msc on the collector computer.  Right-click on your subscription and view Runtime Status.  Each specified client should show a green, Active status.  You will see events appearing in the Windows Logs\Forwarded Events log shortly.

Setting up a Source Initiated Subscription:

A source-initiated subscription is the preferred way of forwarding events, as it is much easier to deploy via Group Policy.

Repeat steps 1 through 4 above, replacing sub_CI_Pull0.xml in step 3 with sub_SI0.xml.

The extra step to perform on XP/2003 clients is to tattoo the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager

Type: REG_SZ
Name: 1
Data: Server=collector.domain.com (FQDN of your collector, HTTP transport only.  A valid URI is required for HTTPS, e.g. "Server=https://<FQDN>/wsman/SubscriptionManager/WEC")

and then restart the WINRM service on the client.  These extra steps should produce event 104 in your client's Windows Logs\Forwarded Events log with the message: "The forwarder has successfully connected to the subscription manager at address <FQDN>.", followed by event 100 with the message: "The subscription <sub_name> is created successfully."
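The collector-initiated and source-initiated steps above, plus the check for events 104 and 100 on the client, as one PowerShell script. This is an added example, not the post's own code or its attached XML: the subscription file it writes is a constructed source-initiated subscription (not sub_SI0.xml), $Collector and the subscription name are hypothetical, the script assumes it runs elevated on whichever side it is invoked, and the Verify role assumes Get-WinEvent is available (Vista/2008 or later, not the XP clients the post discusses).

```powershell
# Added example, not the post's code. Run elevated with -Role Collector on the
# collector, -Role Client on an XP/2003 forwarder, -Role Verify to look for
# events 104 and 100.
param(
    [ValidateSet('Collector', 'Client', 'Verify')] [string] $Role,
    [string] $Collector = 'collector.domain.com'   # hypothetical collector FQDN
)

# Constructed source-initiated subscription: forward System log critical and
# error events from any domain computer into Forwarded Events.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/Subscription.xsd">
  <SubscriptionId>SI-System-Errors</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Constructed example: System log errors from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL granting the Domain Computers group permission to forward -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

switch ($Role) {
    'Collector' {
        # Steps 1-3 on the collector: WinRM listener, collector service, subscription import.
        winrm quickconfig -q
        wecutil qc /q
        $path = Join-Path $env:TEMP 'sub_SI_example.xml'
        Set-Content -Path $path -Value $SubscriptionXml -Encoding UTF8
        wecutil cs $path
        # Runtime status from the command line, the same information as step 4 in Event Viewer.
        wecutil gr SI-System-Errors
    }
    'Client' {
        # The extra XP/2003 step: point the forwarder at the collector, then restart WinRM.
        winrm quickconfig -q
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # HTTP form as given in the post; for HTTPS use the full URI form described there.
        New-ItemProperty -Path $key -Name '1' -Value "Server=$Collector" -PropertyType String -Force | Out-Null
        Restart-Service WinRM
    }
    'Verify' {
        # Event 104 (connected to the subscription manager) and 100 (subscription created).
        # Both the Forwarding/Operational log and Forwarded Events are queried, since the
        # post reports seeing them under Forwarded Events.
        Get-WinEvent -FilterHashtable @{
            LogName      = 'Microsoft-Windows-Forwarding/Operational', 'ForwardedEvents'
            ProviderName = 'Microsoft-Windows-Forwarding'
            Id           = 100, 104
        } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
    }
}
```

The SDDL in AllowedSourceDomainComputers is what limits who may forward; tightening it to a specific group is the usual hardening step once the XP<-->2008 test works, and the Verify role is the quickest way to tell a WinRM transport problem (no 104) from a subscription problem (104 but no 100).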

WINRM notes:

  • The WINRM configuration has not been altered from the default.  It seems that setting the TrustedHosts variable is not necessary (winrm set winrm/config/client @{TrustedHosts="wildcard_machine_name_here"}).

EventCollector notes:

  • The Create Subscription GUI did not work for me for creating a collector-initiated subscription.
  • For some reason I started getting an Access Denied error with this setup and I had to either change the User Account in Advanced Subscription Settings from Machine Account to a Specific User account, or restart the WINRM service on the client.

Please post comments and ideas you have.  I am interested in how far we can go with this XP<-->2008 collector setup.

 

Reference Links:

http://blogs.technet.com/otto/default.aspx

http://support.microsoft.com/kb/936059

http://msdn.microsoft.com/en-us/library/aa384291%28VS.85%29.aspx

http://certcities.com/editorial/columns/story.asp?EditorialsID=292

http://technet2.microsoft.com/windowsserver/en/library/30757b93-7291-4254-b15e-f0aa5f45ac541033.mspx?mfr=true

http://technet.microsoft.com/en-us/magazine/cc137748.aspx

http://support.microsoft.com/kb/912309

http://openwsman.org/book/export/html/17

http://blogs.technet.com/otto/archive/2007/02/09/sample-vista-ws-man-winrm-commands.aspx

http://msdn.microsoft.com/en-us/library/bb870973%28VS.85%29.aspx

http://msdn.microsoft.com/en-us/library/bb736545%28VS.85%29.aspx

http://msdn.microsoft.com/en-us/library/bb427443%28VS.85%29.aspx

http://www.microsoft.com/downloads/details.aspx?familyid=845289ca-16cc-4c73-8934-dd46b5ed1d33&displaylang=en

http://support.microsoft.com/kb/912030

http://www.microsoft.com/technet/scriptcenter/newswire/winrm.mspx

http://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/wsm.doc

http://en.wikipedia.org/wiki/WS-Management

http://technet2.microsoft.com/WindowsVista/en/library/8fd4aad5-50bc-4389-bdae-e09ee464e46d1033.mspx?mfr=true

http://msdn.microsoft.com/en-us/library/aa385231%28VS.85%29.aspx

Reference Posts:

http://forums.technet.microsoft.com/en-US/winserverManagement/thread/d6fd73ed-2e6d-43d1-943b-a45f9d81a461/

http://forums.technet.microsoft.com/en-US/winserverManagement/thread/a4e8122a-3dc1-4954-bee7-bafed1fdb08e/

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.networking&tid=7dd38777-19d5-464d-aaeb-f31424b04ce1&cat=&lang=&cr=&sloc=&p=1

Attachments:

sub_CI_Pull0.xml (1.30 KB) 

sub_SI0.xml (1.46 KB)
Wednesday, June 18, 2008 4:08:50 PM (GMT Standard Time, UTC+00:00) | Logging | Server2008
 Wednesday, April 23, 2008

I recently came across MalwareDomains.com.  They provide a list of domain names that have been associated with malware.  The list contains over 21000 valid entries, and I have decided to integrate it with ISA 2006, since it's rare to find such a free resource that is actually kept up to date.

The import tool is available here: http://sync-io.net/IsaTools.aspx

Basically, you're able to import the domain.txt file into ISA as a URL set or a domain name set.  Then you just create your deny access rule against that set and away you go.  This utility can run as a scheduled task.

Wednesday, April 23, 2008 1:09:16 AM (GMT Standard Time, UTC+00:00) | Malware | VB.NET | ISA
 Thursday, March 27, 2008

The following code has been tested on Windows 2003 SP2.  The calling user account must hold the 'Assign Primary Token' and 'Increase Quota' user rights for CreateProcessAsUser to succeed; see MS KB285879. 

Imports System
Imports System.Runtime.InteropServices

' The usual P/Invoke declarations for LogonUser, DuplicateTokenEx, CreateProcessAsUser,
' WaitForSingleObject, GetExitCodeProcess and CloseHandle, together with the
' SECURITY_ATTRIBUTES, STARTUPINFO and PROCESS_INFORMATION structures and the LogonType,
' LogonProvider, SecurityImpersonationLevel and TOKEN_TYPE enums, are assumed to be
' declared elsewhere in the class (they are omitted here, as in the original post).
Private Const INFINITE As UInt32 = &HFFFFFFFFUI
Private Const MAXIMUM_ALLOWED As Integer = &H2000000

Public Function RunProc(ByVal CMD As String, ByVal ARG As String) As String
    Dim er As Integer
    Dim exitCode As UInt32 = 123   ' Placeholder; overwritten by GetExitCodeProcess

    Dim saThreadAttributes As New SECURITY_ATTRIBUTES
    saThreadAttributes.nLength = Marshal.SizeOf(saThreadAttributes)

    Dim impToken As IntPtr = IntPtr.Zero   ' Impersonation token returned by LogonUser
    Dim priToken As IntPtr = IntPtr.Zero   ' Primary token required by CreateProcessAsUser

    ' The credentials below are placeholders; a real caller should read them from a protected store.
    If Not LogonUser("DomainUser", "Domain", "Passwd", LogonType.LOGON32_LOGON_INTERACTIVE, _
                     LogonProvider.LOGON32_PROVIDER_DEFAULT, impToken) Then
        Return "err logon  " & Marshal.GetLastWin32Error()
    End If

    ' LogonUser yields an impersonation token; CreateProcessAsUser needs a primary token.
    If Not DuplicateTokenEx(impToken, MAXIMUM_ALLOWED, Nothing, SecurityImpersonationLevel.SecurityDelegation, _
                            TOKEN_TYPE.TokenPrimary, priToken) Then
        er = Marshal.GetLastWin32Error()
        CloseHandle(impToken)
        Return "err duptoken  " & er
    End If

    Dim pi As New PROCESS_INFORMATION
    Dim si As New STARTUPINFO
    si.cb = Marshal.SizeOf(si)
    si.lpDesktop = IntPtr.Zero   ' Inherit the caller's desktop

    Dim saProcessAttributes As New SECURITY_ATTRIBUTES
    saProcessAttributes.nLength = Marshal.SizeOf(saProcessAttributes)

    ' This is the call that needs the 'Assign Primary Token' and 'Increase Quota' user rights (KB285879).
    If Not CreateProcessAsUser(priToken, CMD, CMD & " " & ARG, saProcessAttributes, _
                               saThreadAttributes, False, 0, IntPtr.Zero, "c:\", si, pi) Then
        er = Marshal.GetLastWin32Error()
        RunProc = "err runas  " & er
    Else
        WaitForSingleObject(pi.hProcess, INFINITE)
        GetExitCodeProcess(pi.hProcess, exitCode)
        RunProc = "exit code  " & exitCode
        CloseHandle(pi.hProcess)
        CloseHandle(pi.hThread)
    End If
    CloseHandle(priToken)
    CloseHandle(impToken)
End Function
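A quick way to diagnose the "err runas" path before touching the VB.NET code is to confirm the calling account actually holds the two user rights the post names, SeAssignPrimaryTokenPrivilege ('Replace a process level token', the 'Assign Primary Token' right) and SeIncreaseQuotaPrivilege ('Adjust memory quotas for a process', the 'Increase Quota' right). The following is an added PowerShell example, not the post's code: it exports the local security policy with secedit and checks for a direct grant. $Account and Test-ServiceAccountRights are hypothetical names, and the script assumes it runs elevated on the Windows 2003 machine.

```powershell
# Added example, not the post's code: report whether $Account is directly
# granted the user rights that CreateProcessAsUser requires.
function Test-ServiceAccountRights {
    param([string] $Account = "$env:USERDOMAIN\$env:USERNAME")   # hypothetical default

    $wanted = 'SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege'

    # secedit lists holders as SIDs, so resolve the account name to its SID first.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

    $result = @{}
    foreach ($right in $wanted) {
        # Exported lines look like:
        #   SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
        $line = Select-String -Path $inf -Pattern "^$right\s*=" | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = ($line.Line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
        $result[$right] = ($holders -contains $sid)
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $result
}

# Usage: both entries must be True; otherwise CreateProcessAsUser fails with
# ERROR_PRIVILEGE_NOT_HELD (1314), which is what "err runas  1314" would show.
Test-ServiceAccountRights -Account 'Domain\ServiceAccount'
```

The check only sees direct grants: if the right is assigned to a group the account belongs to, the group's SID appears in the export instead, so compare against the account's group SIDs as well before concluding the right is missing. Granting these two rights makes the account a powerful one, which is the reason to run such code under a dedicated service account rather than an interactive user.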
Thursday, March 27, 2008 9:00:07 PM (GMT Standard Time, UTC+00:00) | Access Denied | VB.NET
 Thursday, March 20, 2008

Let's pretend that Joe Smith, working for company A, just got an offer from company B to steal company A's products database for one million dollars.  However, company A has already secured its system pretty tightly.  All external storage such as USB has been blocked, there are no floppies and Joe does not even have outside email access.  Joe, however, does have CIFS access to the precious database.  So he decides to bring a laptop from home, plugs into the network and obtains an IP from the DHCP server.  He attempts to join the Company A domain but is denied since he is not an administrator.  Joe decides to navigate to '\\FileServer\Databases'.  Windows prompts him for a username and password, so Joe types in 'CompanyA\JoeSmith' and his usual domain password.  Voila, he has gained access to the Databases share and is now copying data from the file server onto his laptop; he hands the data to company B and receives a million dollars.  Scary, isn't it?

Wouldn't it be much better if Joe brought his laptop and obtained an IP, but when he tried to access the shared folder all he received was an Access Denied message?  Here is how:

First of all, this setup works because the Windows machine itself is a security principal, with its own account name and password in Active Directory.  A domain-joined machine can authenticate the IPSEC negotiation with Kerberos; Joe's home laptop cannot, whatever user credentials he types.

We need to create two IPSEC policies, one for the file server and the second one for all clients. 

File Server Setup:

IP Filter List will contain the following source ports:
TCP 137
TCP 139
TCP 445
UDP 137
UDP 139
The source IP address will be the file server's IP address and the destination subnet will be any client grouping you choose. 

The Filter Action will be a custom filter to negotiate security.  Inside the Custom Security Methods, use MD5 to protect 'data and address integrity without encryption' (AH).  Note: Enabling encryption will affect SMB/CIFS performance.

Client Setup:
The IP Filter List will contain the same source ports as the File Server setup did.  However the source address will be the File Server's IP address and the destination address will be My IP Address.
The Filter Action will be the same custom filter as in the setup above.

After applying the IPSEC policy through GPO, you can use the IPSEC Monitor MMC to view statistics and security associations.  Sniffing the cable should show ISAKMP traffic between the client and server.  Any existing CIFS connections will not survive IPSEC taking effect, so remember to do this overnight or force a client reboot.  Turning up event logging is also a good way to debug any failed key exchanges.
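The same two policies can be built from the command line on Windows 2003/XP with netsh ipsec static, which is handy for testing on one machine before rolling the GPO out. This is an added example, not the post's own procedure: $FileServer, $ClientSubnet and the policy, filter list and rule names are hypothetical values, the script assumes it runs elevated on the machine receiving the policy, and the netsh parameter names are from my recollection of the Windows Server 2003 netsh ipsec reference, so confirm them with "netsh ipsec static add filter ?" before relying on them.

```powershell
# Added example, not the post's code: local-policy equivalent of the File Server
# and Client setups above, using the same ports and AH/MD5 choice.
param(
    [ValidateSet('FileServer', 'Client')] [string] $Role,
    [string] $FileServer  = '10.0.0.10',       # hypothetical file server address
    [string] $ClientSubnet = '10.0.1.0',       # hypothetical client subnet
    [string] $ClientMask   = '255.255.255.0'
)

$policy = "CIFS-AH-$Role"
$flist  = "CIFS ports from $FileServer"
$action = 'AH-MD5 integrity only'

# Same port list as the post; the file server is always the source address and the
# filter is mirrored so that replies match too.
$ports = @(
    @{ proto = 'TCP'; port = 137 }, @{ proto = 'TCP'; port = 139 },
    @{ proto = 'TCP'; port = 445 }, @{ proto = 'UDP'; port = 137 },
    @{ proto = 'UDP'; port = 139 }
)

netsh ipsec static add filterlist name="$flist"
foreach ($p in $ports) {
    if ($Role -eq 'FileServer') {
        # Destination is the client grouping (a subnet here).
        netsh ipsec static add filter filterlist="$flist" srcaddr=$FileServer dstaddr=$ClientSubnet dstmask=$ClientMask protocol=$($p.proto) srcport=$($p.port) dstport=0 mirrored=yes
    } else {
        # Destination is "My IP Address" on the client.
        netsh ipsec static add filter filterlist="$flist" srcaddr=$FileServer dstaddr=me protocol=$($p.proto) srcport=$($p.port) dstport=0 mirrored=yes
    }
}

# Negotiate AH with MD5: data and address integrity without encryption, and no
# fall-back to clear text (soft=no) so an unauthenticated laptop gets nothing.
netsh ipsec static add filteraction name="$action" action=negotiate inpass=no soft=no qmsecmethods="AH[MD5]"

# Policy + rule; Kerberos authentication is what ties the SA to the machine account.
netsh ipsec static add policy name="$policy" assign=no
netsh ipsec static add rule name="CIFS from $FileServer" policy="$policy" filterlist="$flist" filteraction="$action" kerberos=yes
netsh ipsec static set policy name="$policy" assign=yes

# Verification, the command-line view of what the post checks in IPSEC Monitor:
# negotiated quick-mode SAs and IKE statistics (failed negotiations show up here).
netsh ipsec dynamic show qmsas
netsh ipsec dynamic show stats type=ike
```

The inpass=no and soft=no settings are the ones to get right: with soft fall-back enabled, a peer that cannot complete IKE is quietly allowed through in clear text, which is exactly the laptop case the post is trying to close.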

Another approach is individual share protection by using the 'NTLM Authenticator' user.

Thursday, March 20, 2008 6:34:45 PM (GMT Standard Time, UTC+00:00) | Access Denied

Every software company seems to be coming out with the next best way to protect your computer from malware, including viruses.  What happened to educating users on the risks of downloaded content execution and strategies of malware distribution? 

I have included on Syncio's web site a guide to malware identification.  This article is aimed at the more knowledgeable user who wishes to identify the infection prior to removing it. 

http://sync-io.net/Community/Rainbow/MalwareIdentity.mht

A great resource for computing and networking concepts can be found at about.com.

http://compnetworking.about.com/od/basicnetworkingconcepts/

http://www.about.com/compute/

NSA has developed guides to securing your operating system.

http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.

 

In an upcoming blog I will describe the practical ways of recognizing malware before it infects your computer...

Thursday, March 20, 2008 5:58:14 PM (GMT Standard Time, UTC+00:00) | Malware
Copyright © 2009 Chris Misztur. All rights reserved.