WannaCry Relevancy (duplicate)

Anyone have a working relevancy to use in a report to see what computers are vulnerable (don’t have the patch) to WannaCry?

Actually, I think I have it if anyone wants to test in their environment. We don’t have Win 8 or 2016 so I didn’t include the KBs for those OS’s:

if exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012216'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012598'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012212'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012215'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012214'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB402217'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012213'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012606'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4013198'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4013429'" of WMI)
then "Not Vulnerable to WannaCry" else "May Be Vulnerable to WannaCry"

Hello,

We are also writing our relevancy. It's a good thing too, because if you look up those IDs in Fixlets and Tasks we are running into a large handful that don't show any of that KB # are relevant at all. However the WMI relevancy is showing many applicable… So we are trying to use other methods to confirm it's really installed.

Hello again,

One more thing to note down with patching that we ran into. IF! patches fail and revert on any server BigFix will show those patches not being relevant anymore. So this WMI relevancy is good to verify.

So this is working for you, right? Works great from what I see in my environment.

Yes, I have a similar relevancy checking as well.
Kinda irritated about the fixlets thinking they are installed when they are not.

Please see the following post:


Both work and the reg relevance is faster and more accurate; however, the patches/fixlets in BF are still not showing relevant on a handful of endpoints for both reports.

So you have systems that are being flagged by the relevance as not having any of the KB’s installed, but when you look at the system’s relevant fixlets, you are not seeing any related fixlets as relevant?

Correct,

At this point the number of systems that need it is so low that we are just installing it manually and it's not a big deal.
So to confirm, the WMI and Registry checks both come back as it's needed. However, the actual fixlets 2212/2215 etc… etc…, depending on OS version, do not show as relevant when viewing the applicable fixlet.

Like I said, not too worried about it because it's a handful at this point and we had most of our patching up to date anyway. This was just a "make me more comfortable that it is deployed" sanity check… :)

2215 makes sense because it has been superseded twice, first by the April rollup 4015549, then May 4019264. So the 2215 fixlet has a “false” relevance clause.


Ok so I used the relevance above from dan_obiedzinski. I'm finding some inaccurate results with this analysis, with clients saying they may be vulnerable when, upon remoting into the client, they do have one of the KB's successfully installed. Included is the code I'm using (slightly modified to include all Windows 7 related patches, as well as 8.1 and all versions of 10 up to 1607).

if exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012212'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012215'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4015549'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4019264'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012213'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012216'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4015550'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4019215'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4012606'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4015221'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4019474'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4013198'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4015219'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4019473'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4015438'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4015217'" of WMI)
OR exists (property "HotFixID" of select objects "* from Win32_QuickFixEngineering where HotFixID = 'KB4019472'" of WMI)
then "Not Vulnerable to WannaCry" else "May Be Vulnerable to WannaCry"

The attached relevance seems to be more accurate from my findings within our environment.

if not exists keys whose (
    exists (
        (name of it),
        ("KB4012212";"KB4012215";"KB4015549";"KB4019264";"KB4012213";"KB4012216";"KB4015550";"KB4019215";"KB4012606";"KB4015221";"KB4019474";"KB4013198";"KB4015219";"KB4019473";"KB4015438";"KB4015217";"KB4019472")
    ) whose (item 0 of it contains item 1 of it)
) of keys ("Windows\CurrentVersion\Uninstall";"Windows\CurrentVersion\Component Based Servicing\Packages";"Windows NT\CurrentVersion\Hotfix") of keys "HKLM\SOFTWARE\Microsoft" of (x32 registries;x64 registries)
then "Not Patched" else "Patched"

Hope this helps others!
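
The two checks discussed in this thread, run side by side on one machine so that disagreements between WMI and the registry are visible. This is an added example, not code from any poster in the thread. It assumes Windows PowerShell 3.0 or later in a 64-bit session, and the KB list is copied from the last post above; the `Status` labels are made up for this example.

```powershell
# KB list copied from the last post in this thread; extend it for other OS versions.
$KBs = 'KB4012212','KB4012215','KB4015549','KB4019264','KB4012213','KB4012216',
       'KB4015550','KB4019215','KB4012606','KB4015221','KB4019474','KB4013198',
       'KB4015219','KB4019473','KB4015438','KB4015217','KB4019472'

# Source 1: WMI, the same class the first relevance queries.
$wmiHits = @(Get-CimInstance -ClassName Win32_QuickFixEngineering |
    Where-Object { $KBs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID |
    Sort-Object -Unique)

# Source 2: registry key names under the same three locations as the second
# relevance. A 64-bit session reads the native view only; the relevance also
# reads the 32-bit view (x32 registries).
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages',
         'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix'

$regHits = @(
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            foreach ($kb in $KBs) {
                # Substring match, like "item 0 of it contains item 1 of it".
                if ($key.PSChildName -like "*$kb*") { $kb }
            }
        }
    }
) | Sort-Object -Unique
$regHits = @($regHits)

# Agreement between the two sources decides the status (labels are this example's own).
$status = if ($wmiHits.Count -gt 0 -and $regHits.Count -gt 0) { 'Patched (both sources)' }
          elseif ($wmiHits.Count -eq 0 -and $regHits.Count -eq 0) { 'Not Patched (neither source)' }
          else { 'Verify manually (sources disagree)' }

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    WmiKBs       = $wmiHits -join ','
    RegistryKBs  = $regHits -join ','
    Status       = $status
}
```

A machine that lands in the "sources disagree" bucket is the case several posters describe, where one check reports a KB and another does not.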