Comments (10)
and dism output
https://gist.github.com/tek0011/4cf540daad17cc714a0735f582560fe1#file-gistfile1-txt
from detect_wannacry.
It looks like the script is still returning true because the none of the patches that the script checks for are currently installed. Would you happen to know which one of these were the hotfixes for WannaCry? We could add them into the script to be more comprehensive. Thanks @tek0011
from detect_wannacry.
Perhaps we should be using the script by MSFT at the bottom of the MS17-0101 page instead of checking hotfixes (which seems unreliable across nodes):
https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed
@SeanTecha - It would appear there are hosts out there that do not install all updates, no matter how many times you check for updates. So, according to the ps1 fact script, it says they are vulnerable. However, part 2 and 4 of the link above (checking srv.sys) says they are Patched and good to go. We also ran the python script against them: https://github.com/apkjet/TrustlookWannaCryToolkit which is also coming back and saying they are patched and no longer vulnerable.
from detect_wannacry.
@tek0011 Thank you for the script, it's awesome! I'll incorporate it into the external fact now.
from detect_wannacry.
@SeanTecha - yes, I think we should trust that script over hotfix checking, as hotfixes can be a dependancy and roll-up nightmare. Being this script to check the srv.sys is provided directly by MSFT, I think (and hope) we can trust it.
from detect_wannacry.
@SeanTecha - Another thing we could add is wannacry_smb1 fact - I created it in our environment to see what hosts still have sambav1 enabled or installed:
$smb1 = Get-SmbServerConfiguration | Select -ExpandProperty EnableSMB1Protocol -ea SilentlyContinue
if ($smb1 -match 'True')
{
Write-Host "wannacry_smbv1=True"
}
else
{
Write-Host "wannacry_smbv1=False"
}
from detect_wannacry.
Or perhaps better:
$smb1 = Get-SmbServerConfiguration | Select -ExpandProperty EnableSMB1Protocol -ea SilentlyContinue
if ($smb1 -match 'True')
{
Write-Host "wannacry_smbv1=$true"
}
else
{
Write-Host "wannacry_smbv1=$false"
}
from detect_wannacry.
@tek0011 I have switched over to using MSFT's script as a default way to check and to only switch over to checking through applied hotfixes if the srv.sys check fails. The smbv1 fact is a great idea and would be a nice addition to the Forge as a standalone module if you would like to contribute (it would be beneficial to know in general, not just for WannaCry).
from detect_wannacry.
@SeanTecha - Shouldnt the fact be setting the final values to $true and $false, respectively? Or does Puppet still view True and False as an actual boolean and not a string?
from detect_wannacry.
@tek0011 It looks like only string output is available for a PowerShell external fact right now. We could look into wrapping a Ruby custom fact around this script to output actual boolean. Alternatively you can use str2bool from stdlib module as well.
from detect_wannacry.
Related Issues (7)
- patches still applicable for detecting wannacry HOT 2
- Windows 2008 (R2) support is spotty
- Due to how MS is releasing new security-only rollups, this fact will incorrectly report systems as being vulnerable HOT 2
- Additional KB's needed for Server 2008 HOT 1
- 0.3.0 failing to detect hotfixes on windows 7 & 10 HOT 9
- updated KBs HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from detect_wannacry.