mikef2112
Fanfold Paper
Posts: 16
Registered: ‎02-22-2019
Location: US
Views: 270
Message 21 of 28

Re: Why are a number of my 430's and 450's doing LDAP reconnaissance queries by Lenovo scheduled tas

Good call on the foundation service, that wasn't running. I re-enabled it and started back up and then the folder and scheduled task got cleared out. Unfortunately I won't know until tomorrow morning about the LDAP queries.

mikef2112
Fanfold Paper
Posts: 16
Registered: ‎02-22-2019
Location: US
Views: 237
Message 22 of 28

Re: Why are a number of my 430's and 450's doing LDAP reconnaissance queries by Lenovo scheduled tas

I think it is working, although it seems to require a manual restart of the foundation service to act upon the registry key and do the cleanup. Rebooting the machines after setting the key isn't clearing the folder or scheduled task but it does work 4-5 minutes after a manual restart of the service.

I think the LDAP queries are stopping but a number of the machines ran them this morning because of the problem above so I will find out tomorrow for them.

Lenovo Staff
Lenovo Staff
Posts: 5,174
Registered: ‎10-29-2009
Location: NC
Views: 234
Message 23 of 28

Re: Why are a number of my 430's and 450's doing LDAP reconnaissance queries by Lenovo scheduled tas


@mikef2112 wrote:

it seems to require a manual restart of the foundation service to act upon the registry key and do the cleanup. Rebooting the machines after setting the key isn't clearing the folder or scheduled task but it does work 4-5 minutes after a manual restart of the service.
I do not understand what you are seeing, and I can't reproduce it here.  Unless you changed it, System Interface Foundation Service is set as "Automatic" startup type which means the service will start automatically after rebooting.  So rebooting should be the same thing as manually restarting the service.  In a previous message, you mentioned that you found a machine where the service was not running.  I don't understand that either.

 

Anyway, it does seem like you have a handle on how to configure the registry to disable the GenericTelemetryPlugin, so please check in again tomorrow to let me know if these machines are still doing account/user queries.  Thanks again for your help with this.

mikef2112
Fanfold Paper
Posts: 16
Registered: ‎02-22-2019
Location: US
Views: 193
Message 24 of 28

Re: Why are a number of my 430's and 450's doing LDAP reconnaissance queries by Lenovo scheduled tas

I agree, it is very strange and I am not sure how to explain it exactly. The System Interface Foundation service was stopped and disabled on one of the machines I was working with, I think several people were trying to do different things to isolate the issues. After re-enabling and starting it back up, the task and folder cleanup process worked as expected. 

 

On another machine, the registry key was set and the machine was rebooted several times. None of the Lenovo services were disabled or stopped there. The scheduled tasks came back reboot after reboot until I ran 'sc \\client stop ImController' and 'sc \\client start ImController' from the local domain controller using my admin account, after that was done about 5 minutes later the folder and the third scheduled task under TimeBasedEvents just disappeared like nothing was ever wrong.

 

I don't know...<shrug>

 

Fortunately the LDAP queries have stopped at this point for all of the clients I have been able to reach so far. There are a couple left where people are out of the office or something, but the Azure ATP portal is clear today, so the workaround is successful. Any word on the next update?

Lenovo Staff
Lenovo Staff
Posts: 5,174
Registered: ‎10-29-2009
Location: NC
Views: 185
Message 25 of 28

Re: Why are a number of my 430's and 450's doing LDAP reconnaissance queries by Lenovo scheduled tas

There are a couple ways forward.  This registry entry could be the permanent solution if you want it to be.  You don't lose anything by disabling the GenericTelemetryPlugin, except that the machines will no longer send anonymous usage statistics to Lenovo (if the end user opted into this). 

 

The other option:  I have a trial version of the GenericTelemetryPlugin which should fix the problem.  To test it, you would have to remove the registry entry that was added previously (so that the GenericTelemetryPlugin is re-enabled), and then replace some DLL files.  Below is a link to download a .zip if you want to try it out.  Unzip and then take a look at install_trial_plugin.bat to see how I tested this.  You can probably use it as-is.  Key point is to start on a machine that only has the 2 scheduled tasks, then run the .bat file and wait 5+ minutes, there should now be 3 scheduled tasks and the version of c:\ProgramData\Lenovo\ImController\Plugins\GenericTelemetryPlugin\x86\GenericTelemetryPlugin.dll should be 1.3.0.3.  This is how you know that the machine is running the trial version, then you can check for the account/user queries again.

 

https://1drv.ms/u/s!ApXWjQB7_a1bhf1NSEJsLa3J2Z0XKA
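The two posts above describe the same check from two angles: the earlier one found that a reboot alone did not clear the extra task and folder, but `sc \\client stop ImController` / `sc \\client start ImController` did about five minutes later, and this one says a machine running the trial plugin should show three scheduled tasks and a GenericTelemetryPlugin.dll at version 1.3.0.3. The PowerShell below is an added example, not Lenovo's script and not the poster's commands, that restarts the service on a list of clients and reports the state an administrator would want to compare against those descriptions. It assumes PowerShell remoting is enabled and the caller is a local administrator on the clients; the `*Lenovo*` task-path filter is an assumption (the thread names the folder only as "TimeBasedEvents"), and the client names in the usage note are constructed.

```powershell
# Added example (not Lenovo's or the poster's code): restart ImController on
# each client, wait, then report service state, Lenovo scheduled tasks and the
# GenericTelemetryPlugin.dll file version. Assumptions: WinRM is enabled, the
# caller is a local admin on the clients, and the task-path filter below
# matches the Lenovo task folder on your build (path filter is an assumption).
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [string] $ExpectedPluginVersion = '1.3.0.3',  # version quoted by Lenovo staff in the thread
    [int]    $WaitMinutes = 5                     # thread reports cleanup ~5 min after a service restart
)

# DLL path as given in the thread.
$pluginDll = 'C:\ProgramData\Lenovo\ImController\Plugins\GenericTelemetryPlugin\x86\GenericTelemetryPlugin.dll'

$check = {
    param($dll, $expected, $wait)

    # The thread found a reboot alone was not enough; a service restart was.
    Restart-Service -Name ImController -Force -ErrorAction Stop
    Start-Sleep -Seconds ($wait * 60)

    $svc = Get-Service -Name ImController

    # Task folder filter is an assumption; compare with `schtasks /query /fo LIST`
    # on a known-good machine and adjust if your folder name differs.
    $tasks = @(Get-ScheduledTask | Where-Object { $_.TaskPath -like '*Lenovo*' })

    $ver = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { 'missing' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ServiceStatus   = $svc.Status
        ServiceStart    = $svc.StartType      # thread expects "Automatic"
        LenovoTaskCount = $tasks.Count        # thread: 2 before trial plugin, 3 after
        LenovoTasks     = ($tasks.TaskName -join ', ')
        PluginVersion   = $ver
        PluginExpected  = ($ver -eq $expected)
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $check `
    -ArgumentList $pluginDll, $ExpectedPluginVersion, $WaitMinutes |
    Select-Object Computer, ServiceStatus, ServiceStart, LenovoTaskCount, LenovoTasks, PluginVersion, PluginExpected |
    Format-Table -AutoSize
```

Run it as `.\Check-ImController.ps1 -ComputerName client01,client02` (constructed names). A machine that has the plugin disabled through the registry change should settle at the lower task count; a machine on the trial plugin should show the third task and `PluginExpected` as `True`. Either way, the row is the thing to keep next to the ATP portal alerts, so you can tell a client that is still querying from one that was simply not restarted.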

mikef2112
Fanfold Paper
Posts: 16
Registered: ‎02-22-2019
Location: US
Views: 172
Message 26 of 28

Re: Why are a number of my 430's and 450's doing LDAP reconnaissance queries by Lenovo scheduled tas

I am testing the trial version now. The install worked fine, the third scheduled task showed up with no problems. I will let you know what I see tomorrow. I wouldn't deploy it anywhere but testing on one of the prior affected machines is okay until the next production release includes it.

 

As far as which way to go at that point it isn't up to me. :) I will let management know the options and I will implement the one they want. Either way is fine with me as long as I get the issue cleared up from the machines and the noise cleared up from the ATP portal.

Lenovo Staff
Lenovo Staff
Posts: 5,174
Registered: ‎10-29-2009
Location: NC
Views: 103
Message 27 of 28

Re: Why are a number of my 430's and 450's doing LDAP reconnaissance queries by Lenovo scheduled tas


@mikef2112 wrote:

I am testing the trial version now. The install worked fine, the third scheduled task showed up with no problems. I will let you know what I see tomorrow. I wouldn't deploy it anywhere but testing on one of the prior affected machines is okay until the next production release includes it.

 

As far as which way to go at that point it isn't up to me. :) I will let management know the options and I will implement the one they want. Either way is fine with me as long as I get the issue cleared up from the machines and the noise cleared up from the ATP portal.

 


Just checking in to see how the testing is going with the trial version, or if there is anything else I can do to help with this.

mikef2112
Fanfold Paper
Posts: 16
Registered: ‎02-22-2019
Location: US
Views: 88
Message 28 of 28

Re: Why are a number of my 430's and 450's doing LDAP reconnaissance queries by Lenovo scheduled tas

I haven't seen any new alerts in the Azure ATP portal so the trial version appears to be working so far, thanks.
