I passed by Wright-Patt Air Force Base many times over the years with all the trips between Oklahoma and Pennsylvania or New York and always wanted to stop at the National Museum of the United States Air Force. I’m in Columbus, OH for work and Wright-Patt is just over an hour away, so I headed down there for the day. Great collection of warbirds and lots of good nose art there. Here are the better shots of the planes I took today.
Excerpt from my latest blog post at Cigital…
More and more organizations are using static analysis tools to find security bugs and other quality issues in software long before the code is tested and released. This is a good thing, and despite their well-known frustrations like high false positive rates and relatively slow speeds, these tools are helping improve the overall security of software. Unfortunately, these known frustrations may also introduce a dangerous blind spot in these tools which do not know modern frameworks as well as they know the base languages.
The blind spot
Frameworks are doing more and more of the basic work—providing common functionality of an application. This is a fantastic leap forward in terms of productivity and the ability to release software faster and faster. This frees up more time to focus on the core business functionality of applications.
Sometimes these frameworks are clearly separate things (like Spring, for example) and sometimes they are a mix of basic functionality and advanced features (like the .Net Framework where the tools understand some features but not others). These frameworks are virtually exploding around us, offering many options to take care of the basic drudge work of application writing.
This explosion is happening fast and it seems to be accelerating. New versions and even new frameworks are appearing faster than most can keep up with. Static analysis tools are doing a decent job keeping up with basic languages. However, there is almost no way they can keep up with all these frameworks and handle even a few of them well, let alone all of them. As these frameworks take care of more and more of the plumbing within applications, this inability to understand what they are doing creates a blind spot in which code gets scanned and nothing gets reported.
Frameworks create data flows that the static analysis tools may be blind to. They introduce sources of tainted data that the static analysis tools know nothing about. Therefore, there is nothing to trace to the sinks created in code where problems could occur. These frameworks may introduce new sinks, but since the tools do not know of them, the sources in code cannot be traced to them. They also provide functionality behind the scenes that the static analysis tools do not see at all.
If the static analysis tools cannot see it, they cannot report it. If they do not report it, organizations are left feeling secure when they are not.
False positives are annoying. False negatives are dangerous.
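The blind spot in miniature, as an added example that is not from the original post: a toy taint scanner run over a constructed sample, first with only base-language sources and then with a model of a hypothetical framework's `@app.route` decorator. The scanner, the sample application and every name in it are assumptions made for illustration.

```python
import ast

# Constructed sample app: one function reads input() directly, the other gets
# `name` from a hypothetical web framework's routing layer.
SAMPLE = '''
def cli_lookup():
    name = input()
    db.execute("SELECT * FROM users WHERE name = '" + name + "'")

@app.route("/user/<name>")
def web_lookup(name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    db.execute(query)
'''

LANGUAGE_SOURCES = {"input"}   # taint sources the base-language rules know
SINKS = {"execute"}            # method names treated as SQL sinks

def _names(node):
    """All variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def _is_route(dec):
    """True for a decorator shaped like @<obj>.route(...): the framework model."""
    return (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
            and dec.func.attr == "route")

def scan(source, framework_model=False):
    """Return [(function, line)] for sinks reached by tainted data."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set()
        if framework_model and any(_is_route(d) for d in fn.decorator_list):
            # Parameters filled in by the framework are untrusted sources.
            tainted |= {a.arg for a in fn.args.args}
        for stmt in fn.body:  # top-level statements only, in order
            for node in ast.walk(stmt):
                if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                        and node.func.attr in SINKS
                        and any(_names(a) & tainted for a in node.args)):
                    findings.append((fn.name, node.lineno))
            if isinstance(stmt, ast.Assign):
                calls = {c.func.id for c in ast.walk(stmt.value)
                         if isinstance(c, ast.Call) and isinstance(c.func, ast.Name)}
                if calls & LANGUAGE_SOURCES or _names(stmt.value) & tainted:
                    tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
    return findings
```

Without the framework model the scan reports only `cli_lookup` and is silent about `web_lookup`, which contains the same string-built query; that silence is the false negative.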
There’s a more direct solution available but the original solution I found is below.
In the last month or so, my copy of Acronis True Image 2016 has been hanging during the scheduled backup every night. It hangs while showing the calculating remaining time status. Seems to fit the description talked about in the Acronis forums. The posted solution that seemed to make the most sense was the problem with Microsoft’s Volume Shadow Copy (the VSS service) features, but I didn’t want to just disable that service as suggested.
Looking for the Solution
Being a techie and knowing Windows pretty well, I knew services could be enabled and disabled from the command line using the SC commands. I figured that by combining that with True Image’s ability to run commands before and after a backup, I could disable and reenable VSS and fix the problem. The problem with that is the SC commands require admin-level privileges to run. Trying to automate that without causing a User Account Control (UAC) prompt was something to overcome. I didn’t know that this would be a problem while the backup was being run, but I knew I didn’t want it to be one.
While looking for a way around that, I found this post at How-To Geek and another at TechRepublic. They talk about using an on-demand scheduled task set to use elevated privileges and then calling that task from a lower-privilege session via the schtasks command. Seemed to fit my needs nicely.