WannaCry Ransomware attack - please install MS17-010

I spent some time today creating Fixlets for the workarounds for disabling SMBv1 for those who cannot install the MS17-010 patch.
Source: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Disable Fixlets for various OS and methods:
https://www.bigfix.me/fixlet/details/24313
https://www.bigfix.me/fixlet/details/24316
https://www.bigfix.me/fixlet/details/24318
https://www.bigfix.me/fixlet/details/24320
https://www.bigfix.me/fixlet/details/24322

Created companion “enable” Fixlets for reversal
https://www.bigfix.me/fixlet/details/24315
https://www.bigfix.me/fixlet/details/24317
https://www.bigfix.me/fixlet/details/24319
https://www.bigfix.me/fixlet/details/24321
https://www.bigfix.me/fixlet/details/24323

Note that some people with Windows 2003 are getting an error when trying to log in with Remote Desktop to a Windows 2003 server after applying the KB4013429 patch.


Thanks for the great work and the warnings! Anyone else seeing side-effects?

One of five domain controllers in my environment failed to start the DNS Server service automatically post-reboot, but the service started up fine manually. I imagine it was a timing issue while some of the post-reboot activities were running to complete the patch. This did not occur on my other 5 DCs, nor did I see any other issues (yet).


I have some related stuff from Feb:


Our security scanning tool is looking for the lsasrv.dll file version. I'm trying to build a fixlet matching the same detection logic so we will not have conflicts in the reports. Since these are OS-protected files, are there any alternate ways to read the file version in BigFix?

Win10

Q: version of file "C:\Windows\System32\lsasrv.dll"
E: Singular expression refers to nonexistent object.

Win7

Q: version of file "C:\Windows\System32\drivers\srv.sys"
E: Singular expression refers to nonexistent object.

I suppose your Windows is 64-bit. The BigFix agent is a 32-bit app, and a reference to C:\Windows\System32 is redirected to C:\Windows\SysWOW64.
Try native file or x64 file instead of file.


Thanks, the native file command worked.


The patch is installed on the servers, but the servers have not been rebooted. I would like to know where this patch is installed and pending a reboot.

If the patch is installed and the server is in a pending-reboot state, can we get a list of those servers, please?

So I'm new to using BigFix and just so happened to inherit it not long before WannaCry. It seems that Windows 10 Creators Update machines are all set, but builds 1607 and 1511 (1511 more precisely) still show up as being "vulnerable" based on the relevance towards the top. When I try to run the most recent auto baseline that's created and apply it to those machines, almost all of them come back "not relevant" (for 1511 with 10.0.10586 and 10.0.10586.916). I'm thinking the patches that are needed above are not being grabbed by the baseline.

How can I go about this? Should I make a new baseline, apply it to those machines, and pick out all the components or "patches" above?

I know we've been hearing that ALL Windows 10 are fine, but my agency still wants them patched.

Hi Charlie,

Many of the previous fixlets for Windows 10 v1511 and v1607 are superseded. Please make sure your baseline includes the latest fixlets:

401947303 MS17-MAY: Cumulative Update for Windows 10 Version 1511 - Windows 10 Version 1511 - KB4019473 KB4019473 Security Update
401947301 MS17-MAY: Cumulative Update for Windows 10 Version 1511 - Windows 10 Version 1511 - KB4019473 (x64) KB4019473 Security Update
401947211 MS17-MAY: Cumulative Update for Windows 10 Version 1607 - Windows 10 Version 1607 - KB4019472 KB4019472 Security Update
401947209 MS17-MAY: Cumulative Update for Windows 10 Version 1607 - Windows 10 Version 1607 - KB4019472 (x64) KB4019472 Security Update

Since Windows 10 patches are cumulative, applying the latest patches should serve the purpose.

Regards,
Sylvia


That isn't easy, because you'd have to use relevance that looks for a pending restart from one of those patches specifically, or you'd have to find the install date of every one of those patches, and if any of them is more recent than the last reboot, then the machine needs to reboot for it to take effect.

There isn't a simple answer to what you are asking, but this is close: you would be better off looking at the version of the affected file, because if that file is older than the minimum needed to not be vulnerable but the patch has been applied, that should mean a reboot is required.

Update: Like this: WannaCry Vulnerability: Custom Analysis created to detect for Vulnerability referenced in MS17-010
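As an added example (not code from the thread, and not the linked analysis), the PowerShell below puts two pieces of advice from this thread together: it reads the native srv.sys version in a way that survives the WOW64 file-system redirection described earlier (the reason the 32-bit agent needs `native file`), and it reports "installed, reboot required" when the Setup event log shows one of the MS17-010 KBs installed but srv.sys is still old. The minimum version in the final call is an assumed illustration value; take the real one from the file table in the MS17-010 KB article for your OS and architecture.

```powershell
# Added example, not code from the thread. Run in Windows PowerShell as an administrator.

function Get-NativeFileVersion {
    # Version of a file below the real System32, even from a 32-bit process on 64-bit
    # Windows, where "System32" is silently redirected to SysWOW64.
    param([Parameter(Mandatory = $true)][string]$RelativePath)   # e.g. 'drivers\srv.sys'

    # PROCESSOR_ARCHITEW6432 is set only for 32-bit processes running under WOW64;
    # the Sysnative alias, valid only there, bypasses the redirection.
    $system32 = if ($env:PROCESSOR_ARCHITEW6432) { Join-Path $env:windir 'Sysnative' }
                else                              { Join-Path $env:windir 'System32' }
    $path = Join-Path $system32 $RelativePath
    if (-not (Test-Path -LiteralPath $path)) { throw "Not found: $path" }

    # FileVersion is free text ("6.1.7601.23689 (win7sp1_ldr.170331-1600)"), so build
    # a comparable [version] from the numeric parts instead of casting the string.
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    New-Object -TypeName System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-KbInstalledPerSetupLog {
    # Same signal as the Setup event-log relevance posted in this thread: CBS logs
    # event ID 2 "Package KBnnnnnnn was successfully changed to the Installed state."
    param([Parameter(Mandatory = $true)][string[]]$Kb)
    $pattern = '(' + (($Kb | ForEach-Object { [regex]::Escape($_) }) -join '|') + ').*Installed state'
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; Id = 2 } -ErrorAction SilentlyContinue
    @($events | Where-Object { $_.Message -match $pattern }).Count -gt 0
}

function Test-PendingReboot {
    # Markers Windows Update and CBS leave behind until the next restart.
    $markers = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (@($markers | Where-Object { Test-Path -LiteralPath $_ }).Count -gt 0) { return $true }
    $sm = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return [bool]($sm -and $sm.PendingFileRenameOperations)
}

function Get-Ms17010State {
    param(
        # Minimum srv.sys version that is not vulnerable; take it from the file table in
        # the MS17-010 KB article for this OS and architecture.
        [Parameter(Mandatory = $true)][version]$MinimumSrvVersion,
        # KB numbers from the thread's event-log relevance (Vista/7/8.1/2008/2008 R2/2012/2012 R2).
        [string[]]$Kb = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012214', 'KB4012217')
    )
    $srv = Get-NativeFileVersion -RelativePath 'drivers\srv.sys'
    $state = if ($srv -ge $MinimumSrvVersion)             { 'Patched' }
             elseif (Test-KbInstalledPerSetupLog -Kb $Kb) { 'Installed, reboot required' }   # file still old
             else                                          { 'Not patched' }
    [pscustomobject]@{ State = $state; SrvVersion = $srv; PendingReboot = (Test-PendingReboot) }
}

# The minimum version below is an assumed illustration value, not taken from the thread; replace it per OS.
Get-Ms17010State -MinimumSrvVersion '6.1.7601.23689'
```

The point of building the `[version]` from the numeric parts rather than casting `FileVersion` is that the string carries a build tag in parentheses and the cast throws; the same trap exists in relevance if you compare the version as a string rather than as a version.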


@Sreehari Everyone who responds in this forum is volunteering their time. If you have an immediate need, you should pay for Professional Services, otherwise we will do our best to help you figure out a solution to your problem, but on our own time.


Related:


The post above looks like an ad to me.

As far as I know, there is currently no way to restore encrypted files, even if you paid.


Great post from @BaiYunfei with a quick analysis to check version of srv.sys for MS17-010:


Thanks for the reply. Oh! I was not aware of it. May I know how this payment works?

Anyway, I managed to create relevance. Here it is; hope it might help someone.

(exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012215 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012212 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012214 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012217 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012213 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012216 was successfully changed to the Installed state") of event log "Setup")

@Sreehari
You can hire the BigFix Product Professional Services (PPS) team through the regional contacts over here: http://ibm.biz/PPSBigFix

If anyone has been compromised by this worm, there is some hope. It’s happened faster than I expected, but it looks like the encryption has already been broken due to a flaw in the code. Don’t reboot your compromised host, and go read

Security researchers have a fix for victims of the ‘WannaCry’ ransomware

The decryptor source code is at https://github.com/gentilkiwi/wanakiwi/releases

Caveat: none of mine were compromised and I’ve not reviewed this utility.

I wanted to share a couple other analyses I have been using in trying to look for indicators of compromise:

(exists running application "tasksche.exe") or (exists running application "mssecsvc.exe")

Based on my research, one of these processes should be running when the ransomware is trying to encrypt the disk.

exists files whose ((name of it as lowercase = "tasksche.exe")) of (folder it; descendant folders of folder it) of ("c:\programdata"; "") whose (exists folder it)

This is looking for that exe which is reported to live in a random generated child folder of c:\programdata. This doesn’t run often, as it is a recursive check of child folders and could take some time and resources. Basically if this returns True, we are treating it as a possibly compromised system.

exists files whose ((name of it as lowercase = "mssecsvc.exe" or name of it as lowercase = "tasksche.exe")) of (folder it) of ("c:\windows"; "") whose (exists folder it)

Checks for other locations of the offending executables. Basically if this returns True, we are treating it as a possibly compromised system.
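For anyone who wants to run the same three checks by hand on a suspect host rather than through an analysis, here is an added example (not code from the thread) that implements the same indicators in PowerShell: the two process names, a recursive walk under ProgramData, and a one-level check of the Windows directory. It returns one object per hit so the output can be fed to whatever triage you use; the "possibly compromised" verdict is the same rule the post above applies.

```powershell
# Added example, not code from the thread: the three indicators above as one hunt.
# Run elevated; the recursive walk under ProgramData takes time on large volumes.

$WannaCryNames = 'tasksche.exe', 'mssecsvc.exe'

function Find-WannaCryProcess {
    # Get-Process reports ProcessName without the extension, so normalise before matching.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $WannaCryNames -contains ("$($_.ProcessName).exe").ToLowerInvariant() } |
        ForEach-Object { [pscustomobject]@{ Indicator = 'process'; Location = $_.Path; Id = $_.Id } }
}

function Find-WannaCryFile {
    # ProgramData is walked recursively (the dropper sits in a randomly named child folder);
    # the Windows directory is checked one level deep, matching the relevance above.
    $roots = @(
        @{ Path = $env:ProgramData; Recurse = $true },
        @{ Path = $env:windir;      Recurse = $false }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root.Path)) { continue }
        $recurse = $root.Recurse
        Get-ChildItem -LiteralPath $root.Path -File -Force -Recurse:$recurse -ErrorAction SilentlyContinue |
            Where-Object { $WannaCryNames -contains $_.Name.ToLowerInvariant() } |
            ForEach-Object { [pscustomobject]@{ Indicator = 'file'; Location = $_.FullName; Id = $null } }
    }
}

function Invoke-WannaCryHunt {
    $hits = @(Find-WannaCryProcess) + @(Find-WannaCryFile)
    # Any hit is treated as "possibly compromised", as the post above does; triage before acting.
    [pscustomobject]@{ PossiblyCompromised = ($hits.Count -gt 0); Hits = $hits }
}

Invoke-WannaCryHunt | Format-List
```

Like the relevance it mirrors, this is a name-based check only: a renamed dropper is not caught, and a stray file with one of these names is not proof of infection, so treat a hit as a reason to isolate and look further, not as a verdict.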


Please note that the following fixlets have been released, providing an alternative method to patching that will help defend systems against the WannaCry malware:

From: autonotify@us.ibm.com
To: bigfix-announcements@bigmail.bigfix.com
Date: 05/24/2017 05:04 AM
Subject: [BigFix-Announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Patches for Windows'
Sent by: "BigFix-Announcements" <bigfix-announcements-bounces@bigmail.bigfix.com>

--------------------------------------------------------------------------------

Fixlet Site - 'Patches for Windows'
Current Version: 2764 Published: Wed, 24 May 2017 02:18:56  GMT

New Fixlets:
============

***************************************************************
Title: 2696547: Disable SMBv1 in Windows and Windows Server - Enable Workaround (Disable SMB v1) - Windows 7 / Windows 8 / Windows Vista / Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 - KB2696547
Severity: Unspecified
Fixlet ID: 269654701
Fixlet Link: https://support.microsoft.com/kb/2696547

Fixlet Description: This fixlet will disable SMBv1 on Windows and Windows Servers, providing an alternative method for customers who cannot apply the MS17-010 patch. This security update MS17-010 resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Note: Affected computers may report back as 'Pending Restart' once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the installation of this update. Machines with SMBv1 disabled will not be able to access files and folders on Windows Server 2003, which can only negotiate SMBv1. For more information please review The Deprecation of SMBv1.

***************************************************************
Title: 2696547: Disable SMBv1 in Windows and Windows Server - Disable Workaround (Disable SMB v1) - Windows 7 / Windows 8 / Windows Vista / Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 - KB2696547
Severity: Unspecified
Fixlet ID: 269654703
Fixlet Link: https://support.microsoft.com/kb/2696547

Fixlet Description: This fixlet will install SMBv1 on Windows and Windows Servers, providing the method for customers who have removed SMBv1 to restore the SMBv1 service. Disabling SMBv1 on Windows and Windows Servers provides an alternative method for customers who cannot apply the MS17-010 patch. This security update MS17-010 resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Note: Affected computers may report back as 'Pending Restart' once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the disabling of SMB v1. Machines with SMBv1 disabled will not be able to access files and folders on Windows Server 2003, which can only negotiate SMBv1. For more information please review The Deprecation of SMBv1.

***************************************************************
Title: 2696547: Disable SMBv1 in Windows and Windows Server - Enable Workaround (Remove SMB v1 completely) - Windows 8.1 / Windows 10 / Windows Server 2012 R2 / Windows Server 2016 - KB2696547
Severity: Unspecified
Fixlet ID: 269654705
Fixlet Link: https://support.microsoft.com/kb/2696547

Fixlet Description: This fixlet will remove SMBv1 on Windows and Windows Servers, providing an alternative method for customers who cannot apply the MS17-010 patch. This security update MS17-010 resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Note: Affected computers may report back as 'Pending Restart' once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the installation of this update. Machines with SMBv1 removed will not be able to access files and folders on Windows Server 2003, which can only negotiate SMBv1. For more information please review The Deprecation of SMBv1.

***************************************************************
Title: 2696547: Disable SMBv1 in Windows and Windows Server - Disable Workaround (Remove SMB v1 completely) - Windows 8.1 / Windows 10 / Windows Server 2012 R2 / Windows Server 2016 - KB2696547
Severity: Unspecified
Fixlet ID: 269654707
Fixlet Link: https://support.microsoft.com/kb/2696547

Fixlet Description: This fixlet will install SMBv1 on Windows and Windows Servers, providing the method for customers who have removed SMBv1 to restore the SMBv1 service. Removing SMBv1 on SMB servers provides an alternative method for customers who cannot apply the MS17-010 patch. This security update MS17-010 resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Note: Affected computers may report back as 'Pending Restart' once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the removing of SMB v1. Machines with SMBv1 removed will not be able to access files and folders on Windows Server 2003, which can only negotiate SMBv1. For more information please review The Deprecation of SMBv1.

_______________________________________________
BigFix-Announcements mailing list
BigFix-Announcements@bigmail.bigfix.com
https://bigmail.bigfix.com/mailman/listinfo/bigfix-announcements

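The four fixlets in the announcement (and the community ones at the top of the thread) wrap the per-OS procedures from KB2696547. As an added example, not the fixlets' own action script and not from the announcement, the PowerShell below performs those steps directly with the OS branch chosen from the registry, and a -Restore switch that does what the "enable" companions do. It assumes the KB2696547 methods as published in 2017: feature removal on 8.1/10/2012 R2/2016, the SMB server configuration cmdlet on 8/2012, and the registry value plus service dependencies on Vista/7/2008/2008 R2.

```powershell
# Added example, not the fixlets' own code. Run elevated. The 6.3+ branch (feature removal)
# needs a reboot before it takes effect, which is why the fixlets report 'Pending Restart'.

function Get-WindowsNtVersion {
    # CurrentVersion stays "6.3" on Windows 10 / Server 2016, which is fine here: they
    # use the same feature-removal method as 8.1 / 2012 R2.
    [version](Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentVersion
}

function Set-Smb1State {
    param([switch]$Restore)        # default disables/removes SMBv1; -Restore is the "enable" companion
    $enable = [bool]$Restore
    $os = Get-WindowsNtVersion

    if ($os -ge [version]'6.3') {
        # Windows 8.1 / 10 / Server 2012 R2 / 2016: remove the SMB1 component entirely.
        if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {           # server SKUs
            if ($enable) { Install-WindowsFeature -Name FS-SMB1 } else { Remove-WindowsFeature -Name FS-SMB1 }
        } else {                                                                       # client SKUs
            if ($enable) { Enable-WindowsOptionalFeature  -Online -FeatureName SMB1Protocol -NoRestart }
            else         { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart }
        }
    } elseif ($os -ge [version]'6.2') {
        # Windows 8 / Server 2012: the SMB cmdlets exist; this flips the server-side protocol.
        Set-SmbServerConfiguration -EnableSMB1Protocol $enable -Force
    } else {
        # Windows Vista / 7 / Server 2008 / 2008 R2: registry for the server side, service
        # dependencies for the client side (mrxsmb10 is the SMB1 client redirector).
        Set-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value ([int]$enable) -Force
        if ($enable) {
            sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi | Out-Null
            sc.exe config mrxsmb10 start= auto | Out-Null
        } else {
            sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
            sc.exe config mrxsmb10 start= disabled | Out-Null
        }
    }
}

function Get-Smb1State {
    # What a compliance check should read back after the change (and after the reboot on 6.3+).
    $os = Get-WindowsNtVersion
    if ($os -ge [version]'6.3') {
        if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) { (Get-WindowsFeature -Name FS-SMB1).Installed }
        else { (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled' }
    } elseif ($os -ge [version]'6.2') {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $p = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        if ($null -eq $p.SMB1) { $true } else { [bool]$p.SMB1 }   # value absent means SMB1 is on
    }
}

Set-Smb1State             # disable / remove SMBv1
Get-Smb1State             # expect False (after a reboot on the 6.3+ branch)
# Set-Smb1State -Restore  # reversal
```

Before rolling this out, inventory what still speaks only SMBv1 (the Windows Server 2003 hosts the announcement warns about, but also older NAS appliances and printers): disabling the server side on a client stops it being exploited over 445, while the client-side `mrxsmb10` change is what breaks access to SMBv1-only shares.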

Any votes for this RFE?

Additional content to detect Windows vulnerabilities (which can be mitigated through patching)
https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=105294

So it sounds like there are a few ways to handle this. One analysis is mentioned at WannaCry Vulnerability: Custom Analysis created to detect for Vulnerability referenced in MS17-010, and then this thread uses the following code (modified a bit for our environment):

if not exists keys whose (exists ((name of it), ("KB4012212"; "KB4012215"; "KB4015549"; "KB4019264"; "KB4012213"; "KB4012216"; "KB4015550"; "KB4019215"; "KB4012606"; "KB4015221"; "KB4019474"; "KB4013198"; "KB4015219"; "KB4019473"; "KB4015438"; "KB4015217"; "KB4019472")) whose (item 0 of it contains item 1 of it)) of keys ("Windows\CurrentVersion\Uninstall"; "Windows\CurrentVersion\Component Based Servicing\Packages"; "Windows NT\CurrentVersion\Hotfix") of keys "HKLM\SOFTWARE\Microsoft" of (x32 registries; x64 registries) then "Not Patched" else "Patched"

Lastly, there's this method: WannaCry Relevancy (duplicate). Do all of these methods work, and if so, is there a preferred way of doing this?
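To see what that registry relevance actually inspects, here is an added example (not code from the thread) that performs the same walk in PowerShell: the three key paths, the same KB list, and both the 32-bit and 64-bit registry views, which is what the `x32 registries; x64 registries` clause buys you, since a 32-bit process otherwise only sees the WOW6432Node copy of HKLM\SOFTWARE. It returns the matching key names as evidence rather than a bare Patched/Not Patched, so you can see which KB satisfied the check.

```powershell
# Added example, not code from the thread. Needs .NET 4 (OpenBaseKey); read-only, no elevation required.

$Ms17010Kb = 'KB4012212', 'KB4012215', 'KB4015549', 'KB4019264', 'KB4012213', 'KB4012216', 'KB4015550', 'KB4019215',
             'KB4012606', 'KB4015221', 'KB4019474', 'KB4013198', 'KB4015219', 'KB4019473', 'KB4015438', 'KB4015217', 'KB4019472'

function Get-Ms17010KbEvidence {
    param([string[]]$Kb = $Ms17010Kb)
    $subKeys = 'Windows\CurrentVersion\Uninstall',
               'Windows\CurrentVersion\Component Based Servicing\Packages',
               'Windows NT\CurrentVersion\Hotfix'
    $hits = foreach ($view in 'Registry32', 'Registry64') {
        # OpenBaseKey with an explicit view bypasses WOW64 registry redirection for this process.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,
                                                           [Microsoft.Win32.RegistryView]$view)
        try {
            foreach ($sub in $subKeys) {
                $key = $hklm.OpenSubKey("SOFTWARE\Microsoft\$sub")
                if ($null -eq $key) { continue }
                try {
                    # Same test as the relevance: does the subkey name contain one of the KB numbers?
                    foreach ($name in $key.GetSubKeyNames()) {
                        foreach ($k in $Kb) {
                            if ($name -like "*$k*") { [pscustomobject]@{ View = $view; KB = $k; Key = "$sub\$name" } }
                        }
                    }
                } finally { $key.Close() }
            }
        } finally { $hklm.Close() }
    }
    # On 32-bit Windows both views map to the same hive, so drop duplicate key paths.
    @($hits | Sort-Object Key -Unique)
}

function Get-Ms17010PatchStatus {
    $evidence = Get-Ms17010KbEvidence
    [pscustomobject]@{
        Status   = if ($evidence.Count -gt 0) { 'Patched' } else { 'Not Patched' }
        Evidence = $evidence
    }
}

Get-Ms17010PatchStatus | Format-List
```

Two caveats apply equally to this and to the relevance it mirrors: the KB list goes stale as later cumulative updates supersede these packages (a machine that only ever received a newer rollup shows "Not Patched" here while being fine), and a package present under CBS Packages says nothing about whether the reboot that activates it has happened, so for the question asked earlier in the thread the file-version check is the better arbiter.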