It returns True on a Windows 10 Creator with all updates installed. I haven’t tried it on other systems.
Windows 10 was already not-vulnerable to WannaCry. I’m not sure how that’s reflected in the KB numbers.
Sounds like the relevance needs to simply exclude Win10 systems, since they will never show any of the KB Articles being installed.
This relevance is a little cleaner. Credit @jgstew
not exists keys whose( exists ( (name of it), ("KB4012216";"KB4013429";"KB4012598";"KB4012606";"KB4012214";"KB4012217";"KB4012213";"KB4012212";"KB4012215";"KB4015217";"KB4019472";"KB4015221";"KB4019474";"KB4015551";"KB4019216";"KB4015549";"KB4019264";"KB4018466";"KB4015550";"KB4019215") ) whose(item 0 of it contains item 1 of it) ) of keys ("Windows\CurrentVersion\Uninstall";"Windows\CurrentVersion\Component Based Servicing\Packages";"Windows NT\CurrentVersion\Hotfix") of keys "HKLM\SOFTWARE\Microsoft" of (x32 registries;x64 registries)
Hmm, Microsoft was all over the press over the weekend saying “Windows 10 is not affected”. But looking back at the original bulletin, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?f=255&MSPPError=-2147217396 , they do list the SMB issue as Critical on Win10, listing KB4012606, KB4013198, or KB4013429 depending on the Win10 build number.
I don’t see the checks for 4013198 or 4013429 in the list above…
4013429 is the second one in the list. But you are right about 4013198. I also noticed 4013198 doesn’t return any content in the Patches for Windows site.
Yes, I’m also running into this. I still don’t have a definitive answer from MS about whether or not Win 10 is vulnerable.
I spent some time today creating Fixlets for the workarounds for disabling SMBv1 for those who cannot install the MS17-010 patch.
Source: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
Disable Fixlets for various OS and methods:
https://www.bigfix.me/fixlet/details/24313
https://www.bigfix.me/fixlet/details/24316
https://www.bigfix.me/fixlet/details/24318
https://www.bigfix.me/fixlet/details/24320
https://www.bigfix.me/fixlet/details/24322
Created companion “enable” Fixlets for reversal
https://www.bigfix.me/fixlet/details/24315
https://www.bigfix.me/fixlet/details/24317
https://www.bigfix.me/fixlet/details/24319
https://www.bigfix.me/fixlet/details/24321
https://www.bigfix.me/fixlet/details/24323
Note that some people with Windows 2003 are getting an error when trying to log in with remote desktop into a Windows 2003 server after applying KB4013429 patch.
Thanks for the great work and the warnings! Anyone else seeing side-effects?
One of five domain controllers in my environment failed to start the DNS Server service automatically post-reboot, but the service started up fine manually. I imagine it was a timing issue while some of the post-reboot activities were running to complete the patch. This did not occur on my other 5 DCs, nor did I see any other issues (yet).
I have some related stuff from Feb:
Our security scanning tool is looking for the lsasrv.dll file version. I’m trying to build a Fixlet matching the same detection logic so we will not have conflicts in the reports. Since these are OS-protected files, are there any alternate ways to read the file version in BigFix?
Win10
Q: version of file "C:\Windows\System32\lsasrv.dll"
E: Singular expression refers to nonexistent object.
Win7
Q: version of file "C:\Windows\System32\drivers\srv.sys"
E: Singular expression refers to nonexistent object.
I suppose your Windows is 64-bit. The BigFix agent is a 32-bit app, and a reference to C:\Windows\System32 is redirected to C:\Windows\SysWOW64. Try "native file" or "x64 file" instead of "file".
Thanks, the native file command worked.
The patch is installed on servers but the servers are not rebooted. I would like to know where this patch is installed and pending a reboot.
If the patch is installed and the server is in a pending-reboot state, can we get a list of those servers, please?
So I’m new to using BigFix and just so happened to inherit it not long before WannaCry. It seems that Windows 10 Creator machines are all set, but builds 1607 and 1511 (1511 more precisely) still show up as being “vulnerable” based on the relevance towards the top. When I try to run the most recent auto baseline that’s created and apply it to those machines, almost all of them come back “not relevant” (for 1511 with 10.0.10586 and 10.0.10586.916). I’m thinking the patches that are needed above are not being grabbed by the baseline.
How can I go about this? Should I make a new baseline, apply it to those machines, and pick out all the components or “patches” above?
I know we’ve been hearing that ALL windows 10 are fine, but my agency still wants them patched.
Hi Charlie,
Many of the previous Fixlets for Windows 10 v1511 and v1607 are superseded. Please make sure your baseline has included the latest Fixlets:
401947303 MS17-MAY: Cumulative Update for Windows 10 Version 1511 - Windows 10 Version 1511 - KB4019473 KB4019473 Security Update
401947301 MS17-MAY: Cumulative Update for Windows 10 Version 1511 - Windows 10 Version 1511 - KB4019473 (x64) KB4019473 Security Update
401947211 MS17-MAY: Cumulative Update for Windows 10 Version 1607 - Windows 10 Version 1607 - KB4019472 KB4019472 Security Update
401947209 MS17-MAY: Cumulative Update for Windows 10 Version 1607 - Windows 10 Version 1607 - KB4019472 (x64) KB4019472 Security Update
Since Windows 10 patches are cumulative, applying the latest patches should serve the purpose.
Regards,
Sylvia
That isn’t easy because you’d have to use relevance that looks for a pending restart from one of those patches specifically, or you’d have to find the install date of every one of those patches and, if any of them are more recent than the last reboot, then it needs to reboot for it to take effect.
There isn’t a simple answer to what you are asking, but this is close: You would be better off looking at the version of the affected file, because it should be the case that if that file is older than the minimum needed to not be vulnerable, but the patch has been applied, then that should mean a reboot is required.
Update: Like this: WannaCry Vulnerability: Custom Analysis created to detect for Vulnerability referenced in MS17-010
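The decision rule described in this reply (driver on disk older than the patched version, but a KB recorded as installed, means the fix is not yet in effect) and the 32-bit/64-bit redirection problem from the lsasrv.dll and srv.sys exchange above, combined into one PowerShell cross-check. This is an added example for comparing against BigFix results on a single host; it is not code from the thread or from BigFix. Assumptions: the KB list is the one quoted in the relevance earlier in the thread, the two reboot-flag registry keys are the standard Component Based Servicing and Windows Update ones, and $MinimumSrvVersion is a placeholder because the thread does not give the patched srv.sys version for any OS.

```powershell
# Added example, not from the thread or from BigFix: report one host's
# MS17-010 state using the same logic discussed above.
# $MinimumSrvVersion is a PLACEHOLDER: supply the patched srv.sys version
# for this OS from the MS17-010 bulletin.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumSrvVersion
)

# KB numbers quoted in the relevance earlier in this thread.
$Ms17010Kbs = @(
    'KB4012216','KB4013429','KB4012598','KB4012606','KB4012214','KB4012217','KB4012213',
    'KB4012212','KB4012215','KB4015217','KB4019472','KB4015221','KB4019474','KB4015551',
    'KB4019216','KB4015549','KB4019264','KB4018466','KB4015550','KB4019215'
)

# Same redirection issue the thread hit: a 32-bit process on 64-bit Windows sees
# C:\Windows\System32 as SysWOW64. The Sysnative alias reaches the real System32,
# where the SMB server driver lives (the PowerShell equivalent of "native file").
function Get-NativeSystemFolder {
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        return Join-Path $env:SystemRoot 'Sysnative'
    }
    return Join-Path $env:SystemRoot 'System32'
}

# Build a System.Version from the numeric parts so any trailing build tag in the
# FileVersion string cannot break the comparison.
function Get-SrvDriverVersion {
    $path = Join-Path (Get-NativeSystemFolder) 'drivers\srv.sys'
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    return New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                     $vi.FileBuildPart, $vi.FilePrivatePart)
}

# Mirror the relevance: look for any MS17-010 KB in the three registry locations
# it searches, in both the native and the WOW6432Node views of the hive.
function Test-Ms17010KbInstalled {
    $roots   = 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft'
    $subkeys = 'Windows\CurrentVersion\Uninstall',
               'Windows\CurrentVersion\Component Based Servicing\Packages',
               'Windows NT\CurrentVersion\Hotfix'
    foreach ($root in $roots) {
        foreach ($sub in $subkeys) {
            $names = Get-ChildItem -Path (Join-Path $root $sub) -Name -ErrorAction SilentlyContinue
            foreach ($kb in $Ms17010Kbs) {
                if ($names -match [regex]::Escape($kb)) { return $true }
            }
        }
    }
    return $false
}

# Windows records an outstanding restart under these two well-known keys
# (assumed here as the generic reboot flags, not MS17-010 specific).
function Test-RebootPending {
    $flags = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    foreach ($f in $flags) { if (Test-Path -LiteralPath $f) { return $true } }
    return $false
}

# The rule from the reply above: driver on disk older than the patched version
# while a KB is recorded as installed means the patch is not yet in effect.
function Get-Ms17010State {
    param([version]$Minimum)
    $onDisk = Get-SrvDriverVersion
    if ($onDisk -ge $Minimum) { return 'patched, driver active' }
    if (Test-Ms17010KbInstalled) {
        if (Test-RebootPending) { return 'patched, reboot required' }
        return 'patched but driver still old (reboot required, no reboot flag set)'
    }
    return 'unpatched'
}

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    SrvSysVersion = (Get-SrvDriverVersion).ToString()
    State         = Get-Ms17010State -Minimum $MinimumSrvVersion
}
```

Run it as `.\Check-Ms17010.ps1 -MinimumSrvVersion <version from the bulletin>` on the host being compared. On Windows 10 the KB list will not match, as the thread notes, so only the version comparison is meaningful there; on the older systems the "patched, reboot required" state is the set of servers the question above was asking for.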
@Sreehari Everyone who responds in this forum is volunteering their time. If you have an immediate need, you should pay for Professional Services, otherwise we will do our best to help you figure out a solution to your problem, but on our own time.
Related:
This post above looks like an AD to me.
As far as I know, there is currently no way to restore encrypted files, even if you paid.
Great post from @BaiYunfei with a quick analysis to check version of srv.sys for MS17-010: