Identifying and Reporting on Machines That Do Not Have Patches Related To Wanna Cry SMB Vulnerabilit
Product Name: Identifying and Reporting on Machines That Do Not Have Patches Related To Wanna Cry SMB Vulnerability
Description : Due to recent events surrounding the recent outbreak of the “WannaCry” ransomware, the WannaCry/Crypt has made international headlines due to the rate of spread for a ransomware attack. The technical community is still assessing the full impact and it is important to understand the vulnerability for the attack was a known vulnerability in Windows. Those with patched OS's should not be affected.
This article is provided to assist customers during their investigation to quickly and easily create a report that identifies machines that may be at risk if they do not have the security monthly rollup or the MS17-010 patches. We have provided two options in which to generate a report, Option 1 being a report based on using log data and Option 2 based on using a custom field.
Special Note: If you have Windows XP/2003/embedded/vista machines, specific patches were released for those, and you can easily manage this through Patch Management without any further intervention. This KB is not to be used as substitute for thorough investigation and patch strategy.
Follow the step-by-step instructions to generate a report based on whichever option you elect.
A copy of these instructions are included in the Zip file as PDF.
UPDATE: The ZIP file has been updated with a new PS1 script from Microsoft based on this article (https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed)
The Agent procedures have also been updated to work on 32 Bits systems.
The Reports files have also been tweaked to work with the new script.
Instructions :
OPTION 1 – This generates a report using log
data
Step 1:
Decompress the zip file and find 2
folders containing 3 files each for both options.
Step 2:
Upload MS17-010_Installed.ps1 in the
managed files in the Agent Procedure module.
The file needs to be directly in the
Shared folder, otherwise the procedure needs to be edited to reflect the
correct path.
Import both XML files in the System
Module under Import Center.
Step 3:
Schedule the Agent Procedure to run on
all the required endpoints. (We advise no more than 50 agents at a time for a
big environment, otherwise it will overload the SQL server.)
The procedure may have been imported in
a different folder. The search function might be required to locate it.
Step 4:
Once the procedure has successfully run on
all agents, schedule the report in the Info Center module, under
Reporting/Reports.
The Report can either be Ran Now or
Scheduled at any time you need.
OPTION 2 – This generates a report using a
custom field
Step 1:
Decompress the zip file and find 2
folders containing 3 files each for both options.
Step 2:
Upload MS17-010_Installed.ps1 in the
managed files in the Agent Procedure module:
The file needs to be directly in the
Shared folder.
Import both XML files in the System
Module under Import Center:
Step 3:
Schedule the Agent Procedure to run on
all the required endpoints. (We advise no more than 50 agents at a time for a
big environment, it will overload the SQL server otherwise)
The procedure may have been imported in
a different folder. The search function might be required to locate it.
Step 4:
Create the Custom Field in the Audit
module under View Individual Data/Machine Summary.
The Custom Field needs to be named “Wanna Crypt” for the procedure to store the
data correctly.
Step 5:
Once the procedure has successfully run
on all agents, the report needs to be edited to display data from the correct
Custom Field. In the Report module, edit the “Wanna Crypt Report (Custom
Field)” to reflect the correct Custom Field. For instance, on the previous
screenshot, “Wanna Crypt” is the second Custom Field being used, which in the
report will show as Custom Field 01 (the first custom field starting at 00).
Schedule the report in the Info Center
module, under Reporting/Reports.
The Report can either be Ran Now or
Scheduled at any time you need in the Info Center module, under
Reporting/Reports
Step 6:
In addition to running the report, you
may create a View to include all the Vulnerable machine. In any module using
view, create a new View, Check the “Advanced agent data filter [Define Filter
…]” Checkbox and edit the line of [Define Filter] corresponding to the Wanna
Cry custom field:
The Agent Procedure would need to be ran
a second time after patching the machines in order to update the data in the
custom field and update the View and Report to reflect an up to date
environment.
If you encounter any issues
or need assistance with these steps, please contact our Kaseya Support team by
submitting a support ticket via our helpdesk portal at https://helpdesk.kaseya.com/home
Comments
-
This will need some work if you run it. It's not OS architecture aware and the PS script does not accurately check for the installed patch, especially on legacy systems. I will be posting my own testing procedure and scripts for patching your systems shortly0
-
The listing has been updated with a new Powershell script provided by Microsoft, as well as new Agent Procedures to work on 32 Bits systems. The reports have also been updated to reflect the changes in the script.0
-
Has anyone updated this to accommodate newer build versions? I run it on 16299 builds and it still shows vulnerable where I don't think Win 10 Ent. Build 16299 is vulnerable. Tried to add the build in the code but not getting it.0
-
Yea, I've noticed that machines that have 1709 on them show as "Vulnerable". Is there a way to add in the script something like "anything [this version] or above is safe"? So you don't have to keep upgrading the script every time a new major patch is released?0
-
Does this still work? How about the 1709 issue?
0 -
The reports have also been updated to reflect the changes in the script.
0 -
"anything [this version] or above is safe"? So you don't have to keep upgrading the script every time a new major patch is released mx player
0
