commando-vm
commandovm.win10.config.fireeye package installs successfully but does not change background
Issue
There seems to be a bug in our reboot checking that causes the package to install "successfully" but does not make any changes to the system as shown below:
Note that the logging provides an error message and causes the rest of the package to fail, but chocolatey considers this package as installing successfully.
Solution
Restart your machine and force reinstall the config package:
cinst -y commandovm.win10.config.fireeye -f
I tried the force reinstall config command that you suggested as a solution but I am still getting no changes made to the system.
Attached is my chocolatey.log
@bajanray did you reboot?
Yes, several times.
From: day1player @.> Sent: Wednesday, September 29, 2021 10:48 AM To: mandiant/commando-vm @.> Cc: bajanray @.>; Mention @.> Subject: Re: [mandiant/commando-vm] commandovm.win10.config.fireeye package installs successfully but does not change background (#150)
@bajanray what version of Windows are you on? Could you tell me if there are shortcuts on the desktop? Is your hostname changed to Commando? If you type ping, does it use the python version or actual ping?
- I'm on Windows 10 Enterprise - Version 21H1
- Yes, there are shortcuts on the desktop: a Tools folder that is empty, Recycle Bin, the This PC icon and two hidden desktop.ini files
- My hostname is not changed to Commando
- When I type ping, it uses the actual ping. Not the python version.
@bajanray interesting, it seems like the entire install failed. I would restart at the beginning running the install.ps1 script
So, I went back to my snapshot at the very beginning and double checked to make sure that Windows Defender was disabled and the group policy setting to disable Windows Defender was not turned on. So, I turned it on and made sure that no reboots were pending from Windows Updates and then ran the install.ps1 script.
It got further in the install process than before but then afterwards it just failed, saying it couldn't install one of the Install-Obfuscation PowerShell scripts. I checked the chocolatey log and it said my anti-virus stopped the install. Sure enough, Windows Defender's real-time monitoring was turned back on for some reason and was blocking a whole bunch of the offensive PowerShell scripts.
I had to finally suspend the MsMpEng service and turn back on the disable Windows Defender group policy setting, reboot and then re-run the install script and it finally completed successfully.
I don't know why this install script gave me so much trouble. I have used the Flare-VM install script using the same Windows 10 version build and it didn't give me any problems.
Thanks for all of your help. bajanray
Honestly there is a lot more "malware" on the Commando-VM build than there is on Flare-VM, and Defender is a total PITA. Defender used to be able to be disabled with a PowerShell script, but recently with Tamper Protection it turns itself back on, and somehow even that seems to have gotten worse. The only reliable way to disable it currently is through Group Policy, and is described here (https://github.com/mandiant/commando-vm#pre-install-procedures), which is also why the recent install script has checks to make sure the service is not running. It is rather annoying, no doubt. Glad you were able to figure it out in the end 😄
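The checks discussed in this thread, as an added PowerShell example (not the project's install.ps1 or any of its packages): a read-only preflight for the three blockers bajanray hit (Defender policy, real-time protection / MsMpEng, pending reboot) plus the post-install questions day1player asked (hostname, desktop Tools folder, which ping resolves). It assumes the hostname 'Commando' and the desktop 'Tools' folder as described in the thread; the registry paths and Defender cmdlets are the standard Windows ones.

```powershell
# Added example, not from the commando-vm project. Reports state only; it changes nothing.
function Test-PendingReboot {
    # Standard Windows reboot-pending markers (CBS, Windows Update, file renames)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return [bool]$sm.PendingFileRenameOperations
}

function Get-CommandoPreflight {
    # Policy key written by the "Turn off Microsoft Defender Antivirus" Group Policy setting
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $mp     = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $desktop = [Environment]::GetFolderPath('Desktop')
    $ping = Get-Command ping -ErrorAction SilentlyContinue | Select-Object -First 1
    return [pscustomobject][ordered]@{
        # Pre-install: what blocked the install in this thread
        DefenderPolicyDisabled = ($policy.DisableAntiSpyware -eq 1)
        RealTimeProtectionOn   = [bool]$mp.RealTimeProtectionEnabled
        TamperProtected        = [bool]$mp.IsTamperProtected
        MsMpEngRunning         = [bool](Get-Process MsMpEng -ErrorAction SilentlyContinue)
        RebootPending          = Test-PendingReboot
        # Post-install: did the config package actually apply? (assumed values from the thread)
        HostnameIsCommando     = ($env:COMPUTERNAME -ieq 'Commando')
        DesktopToolsFolder     = Test-Path (Join-Path $desktop 'Tools')
        PingResolvesTo         = $ping.Source   # System32\PING.EXE means the python shim is not first in PATH
    }
}

$r = Get-CommandoPreflight
$r | Format-List
if ($r.RealTimeProtectionOn -or $r.MsMpEngRunning -or -not $r.DefenderPolicyDisabled) {
    Write-Warning 'Defender is still active: expect the offensive tooling packages to be blocked.'
}
if ($r.RebootPending) { Write-Warning 'A reboot is pending; reboot before running install.ps1.' }
if (-not $r.HostnameIsCommando) { Write-Warning 'Hostname unchanged: the config package did not apply.' }
```

Run it before install.ps1 to catch the Defender and reboot conditions, and again after the config package to confirm the changes landed rather than trusting chocolatey's "success".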
Yes, I concur that Defender is indeed a PITA...lol. Thanks for your quick responses and all of your help.
We have not seen this issue in a while, so closing.