WannaCry Vulnerability: Custom Analysis created to detect for Vulnerability referenced in MS17-010

Since the outbreak of the WannaCry ransomware, Microsoft has indicated that MS17-010 is the security patch that fixes this vulnerability. However, due to Microsoft's patch supersedence rule and the nature of their new servicing model, a.k.a. Monthly Rollup and Security Only patches, it has been difficult for users to decide whether their devices have been patched.

I created the following custom Analysis aiming to detect whether the vulnerability has been patched, by querying the file version of the 'srv.sys' file, which was updated in the MS17-010 patches.

Hope these analyses can serve as a reference.

If you are wondering whether your computers have been patched, or are trying to patch for MS17-010 but are not able to find relevant Fixlets from BigFix, give these a try.

Do share feedback here, whether this helps with your situation or if you are seeing any false results.

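As an added example (not the BigFix analysis posted in this thread), the same srv.sys file-version check done locally in PowerShell. It compares the file only against the minimum version of its own OS branch, so a Vista/2008 file (6.0.x) is not reported as "older" than a Win7/2008 R2 file (6.1.x). The Win7 SP1/2008 R2 SP1 value is the one quoted in the thread from KB4012212; the 6.0 value is the one quoted by a poster and is an assumption to verify against the KB for that OS.

```powershell
# Added example, not the thread's BigFix analysis: report whether the on-disk srv.sys
# is at or above the MS17-010 file version for its own OS branch.
$MinimumSrvVersion = @{
    '6.1' = [version]'6.1.7601.23689'   # Win7 SP1 / 2008 R2 SP1, quoted in the thread (KB4012212)
    '6.0' = [version]'6.0.6002.19743'   # Vista / 2008, quoted by a poster; assumption, verify against the KB
}

function Test-Srv {
    param([string]$Path = "$env:SystemRoot\System32\drivers\srv.sys")

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Version = $null; Branch = $null; Status = 'srv.sys not found' }
    }

    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric parts: the FileVersion string on system files carries a
    # build-lab suffix such as "(win7sp1_ldr.170303-0600)" that [version] cannot parse.
    $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $branch = '{0}.{1}' -f $ver.Major, $ver.Minor

    if (-not $MinimumSrvVersion.ContainsKey($branch)) {
        # Unknown branch (e.g. an OS not covered by the table): do not guess, ask for a manual check.
        $status = 'unknown OS branch: compare against the MS17-010 KB for this OS'
    }
    elseif ($ver -ge $MinimumSrvVersion[$branch]) {
        $status = 'patched (at or above the MS17-010 version)'
    }
    else {
        $status = 'below the MS17-010 version'
    }

    New-Object PSObject -Property @{ Path = $Path; Version = $ver; Branch = $branch; Status = $status }
}

Test-Srv | Format-List Path, Branch, Version, Status
```

The cmdlets used are available on Windows PowerShell 2.0, so this runs on Windows 7 / Server 2008 era hosts as well; a result of "patched" only says the file on disk is at the MS17-010 level, not that the running system has been rebooted onto it.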

The above analysis says a few of my servers are vulnerable, but the analysis from this post says the servers are fine.

Confused :confounded:

What are the file versions you are getting? You may want to do a MBSA scan on one of the servers to confirm.


I also see a handful of computers running a lower version of srv.sys. To put it in perspective, it's less than 0.1% of my estate, so I'm happy. Question is, is it the srv.sys file that can be compromised?
I need to dig a little further to understand how a machine that has been patched and rebooted could still have an older srv.sys.

Anyone else ?


Thanks @nicksberger for sharing your data!

These analyses serve as a reference, as they have not been extensively tested to cover all cases. Would appreciate your further feedback if you can confirm whether this 0.1% is a false report, and (if possible) what exactly is causing this, so I can probably enhance the analysis.

I chose srv.sys because it’s the file updated in all MS17-010 fixes.

@BaiYunfei

I think you need to update the relevance because, according to MS, we should be good with this version 6.0.6002.19743 of the file. Please correct me if I am wrong.

The file version 6.0 seems to be for Vista. Are you seeing this on a Win7?

I get the Win7 file version 6.1.7601.23689 from https://support.microsoft.com/en-us/help/4012212/march-2007-security-only-quality-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1

Windows 2008 Servers

Windows Server 2008 shouldn’t get relevant. The analysis is targeting Win7 and Windows Server 2008 R2.

Alright, understood. I did make changes to your applicability relevance; maybe I should update the property relevance as well with the right version. Sorry for the confusion!

Added Analysis for Windows Server 2008 and Windows Vista. Kindly share feedback here if you encounter any issue using them.


@BaiYunfei, your analyses for identifying the srv.sys version are helpful. Thank you.