2k12r2 showing wannacry_vulnerable=true - even after all hotfixes applied about detect_wannacry HOT 10 CLOSED

and dism output

https://gist.github.com/tek0011/4cf540daad17cc714a0735f582560fe1#file-gistfile1-txt

from detect_wannacry.

It looks like the script is still returning true because the none of the patches that the script checks for are currently installed. Would you happen to know which one of these were the hotfixes for WannaCry? We could add them into the script to be more comprehensive. Thanks @tek0011

from detect_wannacry.

Perhaps we should be using the script by MSFT at the bottom of the MS17-0101 page instead of checking hotfixes (which seems unreliable across nodes):

https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed

@SeanTecha - It would appear there are hosts out there that do not install all updates, no matter how many times you check for updates. So, according to the ps1 fact script, it says they are vulnerable. However, part 2 and 4 of the link above (checking srv.sys) says they are Patched and good to go. We also ran the python script against them: https://github.com/apkjet/TrustlookWannaCryToolkit which is also coming back and saying they are patched and no longer vulnerable.

from detect_wannacry.

@tek0011 Thank you for the script, it's awesome! I'll incorporate it into the external fact now.

from detect_wannacry.

@SeanTecha - yes, I think we should trust that script over hotfix checking, as hotfixes can be a dependancy and roll-up nightmare. Being this script to check the srv.sys is provided directly by MSFT, I think (and hope) we can trust it.

from detect_wannacry.

@SeanTecha - Another thing we could add is wannacry_smb1 fact - I created it in our environment to see what hosts still have sambav1 enabled or installed:

$smb1 = Get-SmbServerConfiguration | Select -ExpandProperty EnableSMB1Protocol -ea SilentlyContinue
if ($smb1 -match 'True')
{
    Write-Host "wannacry_smbv1=True"
}
else
{
    Write-Host "wannacry_smbv1=False"
}

from detect_wannacry.

Or perhaps better:

$smb1 = Get-SmbServerConfiguration | Select -ExpandProperty EnableSMB1Protocol -ea SilentlyContinue
if ($smb1 -match 'True')
{
    Write-Host "wannacry_smbv1=$true"
}
else
{
    Write-Host "wannacry_smbv1=$false"
}

from detect_wannacry.

@tek0011 I have switched over to using MSFT's script as a default way to check and to only switch over to checking through applied hotfixes if the srv.sys check fails. The smbv1 fact is a great idea and would be a nice addition to the Forge as a standalone module if you would like to contribute (it would be beneficial to know in general, not just for WannaCry).

from detect_wannacry.

@SeanTecha - Shouldnt the fact be setting the final values to $true and $false, respectively? Or does Puppet still view True and False as an actual boolean and not a string?

from detect_wannacry.

@tek0011 It looks like only string output is available for a PowerShell external fact right now. We could look into wrapping a Ruby custom fact around this script to output actual boolean. Alternatively you can use str2bool from stdlib module as well.

from detect_wannacry.