Using Kaseya to Audit for MS17-010 to prevent WannaCrypt infection

Our Service Board and email lit up this weekend with partners asking if they are protected against the WannaCrypt ransomware attack that has made national headlines.

First of all, it is important to know that the patch for this (MS17-010) was released back in MARCH, so this is not exactly a NEW vulnerability, but it has become the subject of a media frenzy because of how fast it propagated.

Here are Microsoft’s instructions:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Here is the link to the MS17-010 release notes:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

With Kaseya, we can normally just create a view showing machines that are “Missing” a specific KB. Unfortunately, because of the way Microsoft now releases updates, the patch can be applied under a variety of KB numbers, and the numbers differ between operating systems.

To help you audit your machines, and allow you to feel confident in telling your clients that they are protected, we wrote a script that uses PowerShell to dump the entire contents of the Windows Update log, and search for specific KBs.

Run this script on all your machines, then use a Log report (Agent Procedure Log) and filter on “$MS17$” for all the results. If you just want the machines that do NOT have the patch installed, filter on “$OOD$”.

Here is a quick video on how to create an Audit Report:

This script will work on Vista through Windows Server 2016 (NOT including 2003 Server). Microsoft did decide to release a patch for Windows XP, so if you still have some XP computers, you may wish to scan for that patch (we will of course approve it if we see it).

You can download the script from our ClubMSP site. We have made it a free download.

Please let us know if you run into any issues or have suggestions for improvements.

EDIT: 5-15-17 We edited the referenced script to include all of the roll-ups (both Quality and Security) for April and May. We are now looking for any of the following KB articles:

‘KB4012212’, ‘KB4012213’, ‘KB4012214’, ‘KB4012215’, ‘KB4012216’, ‘KB4012217’, ‘KB4012598’, ‘KB4012606’, ‘KB4013198’, ‘KB4013429’, ‘KB4015217’, ‘KB4015219’, ‘KB4015221’, ‘KB4015546’, ‘KB4015547’, ‘KB4015548’, ‘KB4015549’, ‘KB4015550’, ‘KB4015551’, ‘KB4015583’, ‘KB4016871’, ‘KB4019213’, ‘KB4019214’, ‘KB4019215’, ‘KB4019216’, ‘KB4019263’, ‘KB4019264’, ‘KB4019472’, ‘KB4019473’, ‘KB4019474’

EDIT: 5-16-17 We continue to refine the PowerShell script. Some partners experienced problems running it on Windows 7 machines with v2.0 of PowerShell. We removed some of the formatting that it didn’t like, and it appears to run fine. We no longer create the “Failed_patches.txt” file.

ALSO: It does not appear that the patch released by Microsoft for XP computers and 2003 servers will show up in the Patch Catalog, so it cannot be approved and pushed out from Kaseya. The only option is to push it out via script or download it manually.
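One way to implement the audit described above, as an added example that is not the ClubMSP script: instead of dumping the Windows Update log, it queries the Windows Update Agent history and Get-HotFix, and passes if any one KB from the 5-15-17 list is recorded as installed. The function name Get-InstalledKb and the exact output lines built around the “$MS17$” and “$OOD$” markers are assumptions; only PowerShell 2.0 syntax is used.

```powershell
# Added example (not the ClubMSP script). KB list copied from the 5-15-17 edit above.
# Add a KB here only if it contains the MS17-010 fix: ONE match is enough to pass.
$kbs = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216','KB4012217',
       'KB4012598','KB4012606','KB4013198','KB4013429','KB4015217','KB4015219',
       'KB4015221','KB4015546','KB4015547','KB4015548','KB4015549','KB4015550',
       'KB4015551','KB4015583','KB4016871','KB4019213','KB4019214','KB4019215',
       'KB4019216','KB4019263','KB4019264','KB4019472','KB4019473','KB4019474'

function Get-InstalledKb {
    $found = @()
    # Windows Update Agent history: keep only installations that succeeded,
    # so a failed or pending attempt never counts as "patched".
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        foreach ($entry in $searcher.QueryHistory(0, $count)) {
            # Operation 1 = installation, ResultCode 2 = succeeded
            if ($entry.Operation -eq 1 -and $entry.ResultCode -eq 2 -and
                $entry.Title -match 'KB\d+') {
                $found += $matches[0].ToUpper()
            }
        }
    }
    # Get-HotFix also reports packages installed outside Windows Update
    # (for example a manually installed .msu) and survives a history reset.
    foreach ($hf in @(Get-HotFix -ErrorAction SilentlyContinue)) {
        if ($hf.HotFixID -match '^KB\d+$') { $found += $hf.HotFixID.ToUpper() }
    }
    $found | Select-Object -Unique
}

$installed = @(Get-InstalledKb)
$hits = @($kbs | Where-Object { $installed -contains $_ })

# Single-quoted strings keep the $ markers literal for the Agent Procedure Log filter.
if ($hits.Count -gt 0) {
    Write-Output ('$MS17$ patched, found: ' + ($hits -join ', '))
} else {
    Write-Output '$MS17$ $OOD$ none of the listed KBs found'
}
```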

Here are links to the downloads if you need them:

Windows 2003
32-bit: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
64-bit: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe

XP
32-bit: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe
64-bit: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe

If you think you will need scripts, let me know and I will create and post.

6 Responses to Using Kaseya to Audit for MS17-010 to prevent WannaCrypt infection

  1. Due to how MS bundles the script into future updates and timing of installations, you may have a CU / Rollup which includes the patch (but the script you linked to will show it as vulnerable). The Kaseya script you link to doesn’t show all possibilities, and might result in spending time on false negatives.

    I’ve gone through and updated the Kaseya script to also search for the Win 7, 8 / 8.1, 10 (Base, 1511, 1607, 1703), 2008 R2 SP1, 2012/2012R2, and 2016 Cumulative Updates released (which will contain earlier CU’s, which contain the patch). This should make it relevant up to May 14th, 2017.

    Trevor Kindree / Shift-IT.

    • Trevor,

      Thanks for your comments and suggestions. We are actually in the process of updating the script ourselves and including some more safeguards as well (checking for successful/failed patch installs).

      I had to remove the link from your comment as we do not allow tracking links, but we do appreciate your efforts and suggestions. We will publish an updated script as well ASAP.

    • Jim, this posting was updated last night to scan for several KBs, including:

      ‘KB4012212’, ‘KB4012213’, ‘KB4012214’, ‘KB4012215’, ‘KB4012216’, ‘KB4012217’, ‘KB4012598’, ‘KB4012606’, ‘KB4013198’, ‘KB4013429’, ‘KB4015217’, ‘KB4015219’, ‘KB4015221’, ‘KB4015546’, ‘KB4015547’, ‘KB4015548’, ‘KB4015549’, ‘KB4015550’, ‘KB4015551’, ‘KB4015583’, ‘KB4016871’, ‘KB4019213’, ‘KB4019214’, ‘KB4019215’, ‘KB4019216’, ‘KB4019263’, ‘KB4019264’, ‘KB4019472’, ‘KB4019473’, ‘KB4019474’

      Thanks for the sharp eye! We are of the same opinion! :D

  2. Additional patches based on other verification scripts –

    KB4012598
    KB4012212
    KB4012215
    KB4012213
    KB4012216
    KB4012214
    KB4012217
    KB4012606
    KB3205409
    KB3210720
    KB3210721
    KB3212646
    KB3213986
    KB4012218
    KB4012220
    KB4013198
    KB4013389
    KB4013429
    KB4015217
    KB4015219
    KB4015438
    KB4015546
    KB4015547
    KB4015548
    KB4015549
    KB4015550
    KB4015551
    KB4015552
    KB4015553
    KB4015554
    KB4016635
    KB4016636
    KB4019213
    KB4019214
    KB4019215
    KB4019216
    KB4019263
    KB4019264
    KB4019472
    KB4019473
    KB4016871

    • Jim, thanks for the list. I went through the ones that were missing from our list. Some of those are old and don’t apply to this particular issue (MS17-010). Some are “Preview” releases that wouldn’t have been installed by Kaseya, or by auto-updates. These are updates that can be manually installed for testing, prior to release. I think we got all the important ones. Feedback from our partners has been good. There have been a few “False Negatives”, and we just fixed an issue with the script running on some older versions of PowerShell (V2).

      You did have a few that were other patches that were released in March. It is important to note that this whole testing will FAIL if you put an unrelated KB article in there, and the machine has it. Remember our script, the views, the reports, all only require ONE of the patches to be installed to pass. In this case it is better to suffer a few “False Negatives” and rule them out, than have a machine show as updated, when it hasn’t been. Thanks to you and all our partners and readers for keeping us on our toes, and helping us make the script better for everyone. It is much appreciated!

Copyright © 2007-2017 Network Depot LLC DBA Virtual Administrator. All Rights Reserved.