Fixlet Debugger - Expose Relevance

(imported topic written by nberger91)

With the new Fixlet Debugger v 8.1.551 option to Evaluate Using ‘Local Client Evaluator’, I need help formatting an expression that returns the relevant fixlet name with associated relevance. With multiple relevant fixlets on an endpoint, the following concatenates the names followed by the relevance(s), which is expected with this code. What I’m trying to do is separate them out like in the following example using ‘substring separated by’ (or something) -

q: concatenation of (values of headers "Subject" of relevant fixlets whose (value of header "Subject" of it as lowercase starts with "ms" as lowercase AND value of header "Subject" of it as lowercase does not contain "corrupt") of sites whose (name of it = "Enterprise Security")) & " : " & concatenation " AND " of (values of headers "X-Relevant-When" of relevant fixlets whose (value of header "Subject" of it as lowercase starts with "ms" as lowercase AND value of header "Subject" of it as lowercase does not contain "corrupt") of sites whose (name of it = "Enterprise Security"))

(Desired output)

A: MS01-001 : Relevance

A: MS02-001 : Relevance

To clarify a few points, we don’t use the ‘Support Center’/Client UI, the Excel Connector and console access is restricted. This code would be run locally by the SAs to expose the relevance which would assist in debugging why a fixlet is reporting relevant.

Any help appreciated.

(imported comment written by Lee Wei)

What do you think of this?

q: (values of headers "Subject" of it; "-----------------------------------"; values of headers "X-Relevant-When" of it; " "; " ") of relevant fixlets whose (value of header "Subject" of it as lowercase starts with "ms" as lowercase AND value of header "Subject" of it as lowercase does not contain "corrupt") of sites whose (name of it = "Enterprise Security")
A: MS11-006: Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution - Windows XP SP3
A:

A: ((name of it = “WinXP”) AND service pack major version of it = 3) of operating system
A: ((exists file “shell32.dll” whose (version of it < ") of it) OR (exists file “shimgvw.dll” whose (version of it < “6.0.2900.6072”) of it)) of (system folder)
A: (not exists key “hklm\software\microsoft\updates\windows xp\sp4\kb2483185” of registry)
A:
A:
A: MS11-007: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution - Windows XP SP3
A:

A: ((name of it = “WinXP”) AND service pack major version of it = 3) of operating system
A: (exists file “atmfd.dll” whose (version of it < “5.1.2.231”) of it) of (system folder)
A: (not exists key “hklm\software\microsoft\updates\windows xp\sp4\kb2485376” of registry)
A:
A:
A: MS11-010: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege - Windows XP SP3
A:

A: ((name of it = “WinXP”) AND service pack major version of it = 3) of operating system
A: (exists file “csrsrv.dll” whose (version of it < “5.1.2600.6055”) of it) of (system folder)
A: (not exists key “hklm\software\microsoft\updates\windows xp\sp4\kb2476687” of registry)
A:
A:
A: MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege - Windows XP SP3
A:

A: ((name of it = “WinXP”) AND service pack major version of it = 3) of operating system
A: ((exists file “ntkrnlmp.exe” whose (version of it < “5.1.2600.6055”) of it) OR (exists file “ntkrnlpa.exe” whose (version of it < “5.1.2600.6055”) of it) OR (exists file “ntkrpamp.exe” whose (version of it < “5.1.2600.6055”) of it) OR (exists file “ntoskrnl.exe” whose (version of it < “5.1.2600.6055”) of it) OR (exists file “ntdll.dll” whose (version of it < “5.1.2600.6055”) of it)) of (system folder)
A: (not exists key “hklm\software\microsoft\updates\windows xp\sp4\kb2393802” of registry)
A:
A:
A: MS11-012: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege - Windows XP SP3
A:

A: ((name of it = “WinXP”) AND service pack major version of it = 3) of operating system
A: (exists file “win32k.sys” whose (version of it < “5.1.2600.6064”) of it) of (system folder)
A: (not exists key “hklm\software\microsoft\updates\windows xp\sp4\kb2479628” of registry)
A:
A:

(imported comment written by nberger91)

Excellent, here’s a slightly better formatted expression (for me anyway) … Thanks!

q: (values of headers "Subject" of it; "Q:" & concatenation " AND " of values of headers "X-Relevant-When" of it; " "; " ") of relevant fixlets whose (value of header "Subject" of it as lowercase starts with "ms" as lowercase AND value of header "Subject" of it as lowercase does not contain "corrupt") of sites whose (name of it = "Enterprise Security")

A: MS10-055: Vulnerability in Cinepak Codec Could Allow Remote Code Execution - Windows 7 (x64)

A: Q:((name of it = “Win7”) AND service pack major version of it = 0) of operating system AND (exists file “iccvid.dll” whose (version of it < ") of it) of (( folder “SYSWOW64” of (windows folder))) AND not pending restart “aa2800445d0d29236070ba69319470b40262d53d”

A:

A:

A: MS10-083: Vulnerability in COM Validation in WordPad Could Allow Remote Code Execution - Windows 7 (x64)

A: Q:((name of it = “Win7”) AND service pack major version of it = 0) of operating system AND ((exists file “WordpadFilter.dll” whose (version of it < “6.1.7600.16385”) of it) OR (exists file “wordpad.exe” whose (((it >= “6.1.7600.20000” AND it < ") OR (it >= “6.1.7600.16000” AND it < ")) of version of it) of it)) of ((folder “WINDOWS NT\ACCESSORIES” of (value “ProgramFilesDir” of key “HKLM\Software\Microsoft\Windows\CurrentVersion” of x32 registry as folder))) OR ((exists file “WordpadFilter.dll” whose (version of it < “6.1.7600.16385”) of it) OR (exists file “wordpad.exe” whose (((it >= “6.1.7600.20000” AND it < ") OR (it >= “6.1.7600.16000” AND it < ")) of version of it) of it)) of ((folder “WINDOWS NT\ACCESSORIES” of (value “ProgramFilesDir” of key “HKLM\Software\Microsoft\Windows\CurrentVersion” of x64 registry as folder))) OR (exists file “ole32.dll” whose (((it >= “6.1.7600.20000” AND it < ") OR (it >= “6.1.7600.16000” AND it < ")) of version of it) of it) of ((folder “” of (system wow64 folder))) OR (exists file “ole32.dll” whose (((it >= “6.1.7600.20000” AND it < ") OR (it >= “6.1.7600.16000” AND it < ")) of version of it) of it) of ((folder “” of (system x64 folder))) AND not pending restart “856845f208810f94182d8201f750f7be657d18e6”
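An added example, not part of the thread or of any BigFix tooling: when X-Relevant-When clauses are joined with " AND " as in the last expression, a clause that carries its own top-level OR (as the MS10-083 output does) no longer groups the way the client evaluates the separate clauses, assuming AND binds tighter than OR in Relevance. The Python sketch below parenthesises such clauses before joining and splits a joined line back into clauses for one-by-one evaluation; the function names and the sample clauses are constructed for illustration.

```python
import re

_OPERATOR = re.compile(r"\b(AND|OR)\b", re.IGNORECASE)

def top_level_operators(expr):
    """Return (offset, 'AND'|'OR') for operators outside parentheses and string literals."""
    found, depth, in_string, i = [], 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if ch == '"':  # assumption: a literal never contains a raw double quote
            in_string = not in_string
        elif not in_string:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif depth == 0:
                m = _OPERATOR.match(expr, i)
                if m:
                    found.append((i, m.group(1).upper()))
                    i = m.end()
                    continue
        i += 1
    return found

def join_clauses(clauses):
    """AND the clauses together, wrapping any clause that has its own top-level AND/OR."""
    return " AND ".join(f"({c})" if top_level_operators(c) else c for c in clauses)

def split_top_level_and(expr):
    """Split a joined expression at top-level ANDs so each clause can be evaluated alone."""
    parts, start = [], 0
    for offset, op in top_level_operators(expr):
        if op == "AND":
            parts.append(expr[start:offset].strip())
            start = offset + len("AND")
    parts.append(expr[start:].strip())
    return parts

# Constructed clauses modelled on the output above (file name and restart id are made up).
CLAUSES = [
    '((name of it = "Win7") AND service pack major version of it = 0) of operating system',
    '(exists file "example.dll" whose (version of it < "1.0") of it) of (system wow64 folder)'
    ' OR (exists file "example.dll" whose (version of it < "1.0") of it) of (system x64 folder)',
    'not pending restart "constructed-id"',
]
NAIVE = " AND ".join(CLAUSES)   # what concatenation " AND " produces
SAFE = join_clauses(CLAUSES)    # same clauses, grouping preserved

if __name__ == "__main__":
    for clause in split_top_level_and(SAFE):
        print("Q:", clause)
```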