Antivirus - COVID-19 & FREE Sophos Home Commercial Edition for employees' personal PCs and Macs (Sophos Customers)

I am taking note of the opportunity given by Sophos to all customers during the COVID-19 period.

Sophos customers can protect their employees' personal PCs and Macs with Sophos Home Commercial Edition for free.


Here are all the blog articles that relate to Sophos products, issues or technical information:
https://www.alessandromazzanti.com/search?q=SOPHOS

[UPDATE 2020.04.03]


Security - TLS 1.0 & 1.1 End of Life/support for several products

I would like to share the news that TLS 1.0 and 1.1 will no longer be supported after 31st March 2020.

Reading the whole article you will see that it will not be a sort of "Big Bang", but in any case I hope that this information will be useful to someone (*)


CISCO UMBRELLA


All endpoints with Cisco Umbrella will require TLS 1.2 after that date (*)


https://support.umbrella.com/hc/en-us/articles/360033350851-End-of-Life-for-TLS-1-0-1-1-


CISCO ANYCONNECT


"Cisco Umbrella will continue to support Cisco AnyConnect and Cisco Umbrella Roaming Client versions that require TLS 1.0/1.1 until September 30th 2020. All other uses of TLS 1.0 and 1.1 will be discontinued as planned on March 31st."


https://support.umbrella.com/hc/en-us/articles/360033350851-End-of-Life-for-TLS-1-0-1-1-


TLS 1.0 & 1.1 - Deprecated


Protocols are deprecated



BROWSER MICROSOFT, APPLE, GOOGLE & MOZILLA


Microsoft, Apple, and Mozilla have all announced that their browsers will no longer support TLS 1.0 and 1.1 as of March 2020. 


TLS 1.2 #HOW TO VERIFY


You can use this website to verify your browser health:


https://www.ssllabs.com/ssltest/viewMyClient.html


Otherwise, if you want to verify a website by its FQDN, you can use the same site at the link below:

https://www.ssllabs.com/ssltest/


.NET (Note: AnyConnect requires .NET)


Native TLS 1.2 requires .NET Framework 4.6.2+. Prior versions require registry edits (4.x) or registry edits and manual hotfix patches (3.5).

More information can be found here:

https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client

This applies to Umbrella software running on .NET framework - currently AD Connector and Roaming client.


.NET #Check your version


Follow this article

https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed


TLS 1.0 and TLS 1.1 #DISABLE at O.S. level


It can be disabled at the O.S. level (IIS):

https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat


TLS 1.2 #HOW TO ENABLE on earlier versions .NET 3.5.1


The .NET framework version 3.5.1 and earlier versions did not provide support for applications to use Transport Layer Security (TLS) System Default Versions as a cryptographic protocol. This update enables the use of TLS v1.2 in the .NET Framework 3.5.1.


Check these registry tips


[whole article here]


TLS 1.2 #HOW TO ENABLE on NEWER versions .NET 4.6.2+


Apply these registry tips


[whole article here]


UMBRELLA #OLD clients #FORCE TLS 1.2


If you are unable to update the Umbrella/AnyConnect client to use TLS 1.2, you need to follow the steps in this article:


https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client


MOZILLA FIREFOX 74


With the 74.0 release TLS 1.0 is disabled, but you can re-enable it via about:config --> tls by changing the values below




https://www.trishtech.com/2020/03/how-to-enable-tls-1-0-and-tls-1-1-in-mozilla-firefox-74/



Pay attention to the advice below:



GOOGLE CHROME 81


Google Chrome version 81 will remove TLS 1.0 and TLS 1.1 support:


https://developers.google.com/web/updates/2020/02/chrome-81-deps-rems



APPLE/SAFARI


Apple will remove support for TLS 1.0 and 1.1 from Safari in March 2020 via updates to macOS and iOS.


INTERNET EXPLORER/EDGE


There are rumors that support will be removed in early 2020.


SECURITY AWARENESS/WEAKNESS


According to NIST, these old protocols cannot be patched against known vulnerabilities such as POODLE, BEAST and others.

- Checking client-side vulnerability:

   https://www.poodletest.com/


- Checking server-side vulnerability:


   http://www.poodlebleed.com


(*) I strongly believe in these assumptions but at the same time I am aware that I am too naive.



George Bernard Shaw

"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas."


[Update 2020.03.27]

Here is a Microsoft article that explains whether and how to disable TLS 1.0 and 1.1, using Windows 2012 R2 as an example:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)



[update 2020/04/06]

Due to COVID-19 there are more delays than expected; here is an interesting article that gives more explanation.

https://nakedsecurity.sophos.com/2020/04/02/covid-19-forces-browser-makers-to-continue-supporting-tls-1-0/ 

[update 2025.08.20]

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

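To check whether a machine already carries these values and a .NET Framework release that supports TLS 1.2 natively, the following PowerShell is an added example (not part of the original post). The NDP\v4\Full key and the Release threshold 394802 for .NET Framework 4.6.2 come from Microsoft's version-detection documentation, not from this page.

```powershell
# Added example (not from the original post): audit the .NET TLS registry
# values listed above and the installed .NET Framework 4.x release.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$values = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

$report = foreach ($key in $keys) {
    foreach ($value in $values) {
        # A missing key or value yields $null instead of an error
        $item    = Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$value } else { $null }
        [pscustomobject]@{
            Key     = $key
            Value   = $value
            Current = $current
            Ok      = ($current -eq 1)
        }
    }
}
$report | Format-Table -AutoSize

# Release DWORD 394802 is the minimum value for .NET Framework 4.6.2
$ndpPath = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$ndp     = Get-ItemProperty -Path $ndpPath -Name Release -ErrorAction SilentlyContinue
if ($ndp -and $ndp.Release -ge 394802) {
    "Release $($ndp.Release): .NET Framework 4.6.2 or later is installed"
} else {
    'No .NET Framework 4.6.2 or later found'
}

if ($report | Where-Object { -not $_.Ok }) {
    'At least one TLS registry value is missing or not set to 1'
}
```

Run it in a 64-bit PowerShell session so that both the native and the WOW6432Node keys are read as written.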

2012 - How to install .NET 3.5 Framework

Over the years I have needed to install .NET 3.5 Framework on Server 2012 R2/Windows 10.

One problem that I faced was that the DVD installation media was unable to locate the installation binaries and the server/client pointed to a WSUS server (which did not have the binaries).

To bypass the WSUS pointer and force the binaries to be downloaded from the internet you need a registry key change and the proper command.

Here are some of the errors shown:



Windows couldn’t complete the requested changes.

The changes couldn’t be completed. Please reboot your computer and try again.

Error code: 0x800F0954

Executing this command:

DISM /Online /Enable-Feature /FeatureName:NetFx3 /All

C:\Windows\system32>DISM /Online /Enable-Feature /FeatureName:NetFx3 /All

Deployment Image Servicing and Management tool
Version: 6.3.9600.19408

Image Version: 6.3.9600.19397

Enabling feature(s)
[===========================66.6%======                    ]

Error: 0x800f0906

The source files could not be downloaded.
Use the "source" option to specify the location of the files that are required t
o restore the feature. For more information on specifying a source location, see
 http://go.microsoft.com/fwlink/?LinkId=243077.

The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

The fix is to:
  1. Execute regedit.exe with Administrative rights.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  3. Search for UseWUServer and set it to 0.
  4. Restart PC/Server.
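
The same fix as a PowerShell script, added here as an example and not part of the original post. It restores the original UseWUServer value afterwards so the machine goes back to WSUS; restarting the wuauserv service in place of the reboot in step 4 is an assumption of this example.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$au   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$name = 'UseWUServer'

$item = Get-ItemProperty -Path $au -Name $name -ErrorAction SilentlyContinue
if (-not $item) {
    "$name is not set: this machine is not pointed at WSUS by policy."
}
else {
    $previous = $item.$name
    "Current $name = $previous"
    try {
        # Step 3 of the fix: stop using the WSUS server for this operation
        Set-ItemProperty -Path $au -Name $name -Value 0
        # Assumption: restarting the Windows Update service picks up the
        # change (the post restarts the whole machine instead)
        Restart-Service -Name wuauserv
        DISM /Online /Enable-Feature /FeatureName:NetFx3 /All
        "DISM exit code: $LASTEXITCODE"
    }
    finally {
        # Put the policy value back so updates go through WSUS again
        Set-ItemProperty -Path $au -Name $name -Value $previous
        Restart-Service -Name wuauserv
        "Restored $name = $previous"
    }
}
```

If the value is delivered by Group Policy it will be rewritten at the next policy refresh in any case, so run the DISM step right after the change.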


More information can be found in the article below:

Extra IT - Corona Virus Self-certification web site #Italy Legislation only

A website was recently registered where you can fill in the self-certification of your movements (to comply with the Italian decrees on the Corona Virus, Italian legislation only) and carry it on your smartphone.

The site offers two apps (Android and iOS/iPad) so that you always have the completed copy on your phone, ready to present if requested.

You might be interested in these articles (mainly in Italian):


Server - Disk Raid and IOPS Calculator

Here is an interesting link:

https://www.expedient.com/knowledgebase/tools-and-calculators/disk-raid-and-iops-calculator/

It lets you calculate IOPS for the chosen RAID level, disks and read/write percentage.


Windows 10 - Automatic metric & Change network adapters priority

On Windows 10 each network interface receives a different priority (network metric), which defines the primary connection that your system will use.

Sometimes this has to be configured manually, especially when you have more than one network card connected at the same time.

start --> ncpa.cpl





Using PowerShell:

Get-NetIPInterface

Identify your network card in the list returned by the previous command, then set -InterfaceIndex to its index and -InterfaceMetric to the value nn you want to assign:

Set-NetIPInterface -InterfaceIndex 17 -InterfaceMetric 15

To switch the interface back to the automatic metric later, use this command:

Set-NetIPInterface -InterfaceIndex 17 -AutomaticMetric Enabled