Antidote delivery manager utilization, Major worm attack – Lenovo ThinkPad Edge 15 User Manual
notify the user of progress of the Antidote Delivery Manager script on the client machine. The NETWK
command enables or disables networking, or restricts networking to a limited group of network addresses.
The INRR command can be used to determine whether Windows 2000, Windows XP or Windows Vista is
running or whether the computer is in the Rescue and Recovery environment. The REBOOT command can be used
to shut down the computer and specify that it should boot either to Windows 2000, Windows XP or Windows
Vista, or to the Rescue and Recovery program. The MSGBOX application allows for communication with the
user by displaying a message in a pop-up box. The message box can optionally contain OK and Cancel
buttons, so the script can act differently based on input from the user.
Certain Microsoft commands are also available to Antidote Delivery Manager. The permitted commands
include all commands built into the command shell, for example DIR or CD. Other useful commands, such as
reg.exe to change the registry and chkdsk.exe to verify disk integrity, are also available.
Antidote Delivery Manager utilization
The Antidote Delivery Manager system can be used to complete a wide variety of tasks. The following
examples demonstrate how the system might be used.
• Simple system test - Display notification: The most basic use of the system is to display a single
message to the user. The easiest way to run this test, and also to test other scripts before deployment, is to
place the message in a repository that is a local directory on the administrator's personal computer. This
placement allows rapid testing of the script with no impact on other machines.
• Script preparation and packaging: Write a go.rrs script on any machine where Antidote Delivery Manager
has been installed. Include the line: MSGBOX /MSG "Hello World" /OK. Run the APKGMSG command on the
directory containing go.rrs to create a message.
• Script execution: Place the message file in one of the repository directories on your machine and observe
correct operation. When the mail agent runs next, a message box displays with the "Hello World" text.
Such a script is also a good way to test network repositories and to demonstrate features, such as the
checking of repositories on resume from suspend mode.
Major worm attack
This example demonstrates one possible approach to combat a major virus. The basic approach is to turn
off networking, then reboot to the Rescue and Recovery program, retrieve fixes, perform repairs, then boot
back to Windows XP, install patches, and finally restore networking. A single message might be used to
perform all of these functions through the use of flag files and the RETRYONERROR command.
1. Lockdown phase: To accomplish the lockdown phase, inform the user what is about to happen. If the
attack is not extremely serious, the administrator can give the user the option to defer the fix until
later. In the most conservative case, this phase would be used to disable networking and provide
a short window, such as 15 minutes, for the user to save work in progress. The RETRYONERROR
command is used to keep the script running, and then the machine can be rebooted into the Rescue
and Recovery environment.
2. Code distribution and repair phase: Now that the threat of infection has been removed by
disabling the network and rebooting to the Rescue and Recovery program, additional code can be
retrieved and repairs accomplished. The network can be enabled, or only certain addresses can be
permitted, for the time required to retrieve additional files. While in the Rescue and Recovery program,
virus files can be removed and the registry can be cleaned up. Unfortunately, installing new software or
patches is not possible at this point because the patches assume that Windows XP is running. With networking still
disabled and all virus code removed, it is safe to reboot to Windows XP to complete repairs. A tag file
written at this time directs the script to the patch section after the reboot.
3. Patch and recovery phase: When the machine reboots into Windows XP, Antidote Delivery Manager
begins processing again even before the user can log in. Patches should be installed at this time. The
machine can be rebooted if the newly installed patches require it. Now that all cleanup and patching has
been completed, the network can be enabled and the user is informed that normal operation is possible.
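A go.rrs sketch of the three phases above, added here as an illustration and not taken from the manual, written in the command-shell syntax that Antidote Delivery Manager scripts use. The switch syntax for NETWK, REBOOT and RETRYONERROR, the errorlevel behavior of INRR (0 when inside Rescue and Recovery), and every path, server, file and registry value name are assumptions to be checked against the command reference in this appendix and replaced for the specific outbreak.

```batch
@echo off
REM go.rrs: three-phase worm response (lockdown -> repair in Rescue and Recovery -> patch).
REM ASSUMED: NETWK /D and /E, REBOOT /RR, RETRYONERROR /ON and /OFF, and INRR setting
REM errorlevel 0 inside Rescue and Recovery. C:\ADMFLAGS, C:\ADMFIX, FIXSERVER, patch.exe,
REM WORM-FILE.EXE and WORM-VALUE are placeholders.
SET FLAGS=C:\ADMFLAGS
SET FIXDIR=C:\ADMFIX
IF NOT EXIST %FLAGS% MKDIR %FLAGS%
IF NOT EXIST %FIXDIR% MKDIR %FIXDIR%

REM Re-run the script on every mail-agent pass until it finishes with errorlevel 0,
REM which is what carries it across the two reboots.
RETRYONERROR /ON

REM Flag files written before each reboot decide which phase runs after it.
IF EXIST %FLAGS%\patch.flg GOTO PATCH
INRR
IF %ERRORLEVEL%==0 GOTO REPAIR

:LOCKDOWN
REM Network goes off first so the worm cannot spread while the user saves work.
REM The OK prompt stands in for the 15-minute grace window described above.
NETWK /D
MSGBOX /MSG "A critical worm fix is being applied. Networking is now disabled. Save your work, then click OK to reboot into Rescue and Recovery." /OK
REBOOT /RR
EXIT /B 1

:REPAIR
REM Inside Rescue and Recovery the worm is not running. Open the network only while
REM fetching the fix package, then close it again before touching the disk.
NETWK /E
COPY /Y \\FIXSERVER\fixes\*.* %FIXDIR%\
NETWK /D
REM Remove the worm's file and its autostart entry (placeholder names).
DEL /F /Q C:\Windows\System32\WORM-FILE.EXE
reg.exe DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v WORM-VALUE /f
REM Tag file sends the next run to the patch phase, then return to Windows XP
REM with networking still disabled.
ECHO repaired > %FLAGS%\patch.flg
REBOOT
EXIT /B 1

:PATCH
REM Windows XP is running again and the script resumes before logon.
%FIXDIR%\patch.exe /quiet /norestart
NETWK /E
DEL /F /Q %FLAGS%\patch.flg
MSGBOX /MSG "Repairs and patches are complete. Normal operation may resume." /OK
RETRYONERROR /OFF
EXIT /B 0
```

Each phase ends with a non-zero exit so RETRYONERROR keeps the message active across the reboot; only the patch phase exits with 0, which retires the message.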
Appendix B. Antidote Delivery Manager
135