Our Service Board and email lit up this weekend with partners asking if they are protected against the WannaCrypt ransomware attack that has made national headlines.
First of all, it is important to know that the patch for this (MS17-10) was released back in MARCH, so this is not exactly a NEW vulnerability, but it has become the subject of a media frenzy because of how fast it propagated.
Here are Microsoft’s instructions:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Here is the link to the MS17-10 Release notes:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
With Kaseya, normally we can simply create a view showing machines that are “Missing” a specific KB. Unfortunately with the way that Microsoft now releases updates, the patch can be applied with a variety of KB numbers, and the numbers change for various operating systems.
To help you audit your machines, and allow you to feel confident in telling your clients that they are protected, we wrote a script that uses PowerShell to dump the entire contents of the Windows Update log, and search for specific KBs.
Run this script on all your machines, and then use a Log report (Agent Procedure Log), and filter on “$MS17$” for all the results. If you just want the machines that do NOT have the patch installed, filter on “$OOD$”
Here is a quick video on how to create a Audit Report:
This script will work on Vista through Windows Server 2016 (NOT including 2003 Server). Microsoft did decide to release a patch for Windows XP, so if you still have some XP computers, you may wish to scan for that patch (we will of course approve it if we see it)
You can download the script from our ClubMSP site. We have made it a free download.
Please let us know if you run into any issues, or suggest any improvements.
EDIT: 5-15-17 We edited the referenced script to include all of the roll-ups (both Quality and Security) for April and May. We are now looking for any of the following KB articles:
‘KB4012212’, ‘KB4012213’, ‘KB4012214’, ‘KB4012215’, ‘KB4012216’, ‘KB4012217’, ‘KB4012598’, ‘KB4012606’, ‘KB4013198’, ‘KB4013429’, ‘KB4015217’, ‘KB4015219’, ‘KB4015221’, ‘KB4015546’, ‘KB4015547’, ‘KB4015548’, ‘KB4015549’, ‘KB4015550’, ‘KB4015551’, ‘KB4015583’, ‘KB4016871’, ‘KB4019213’, ‘KB4019214’, ‘KB4019215’, ‘KB4019216’, ‘KB4019263’, ‘KB4019264’, ‘KB4019472’, ‘KB4019473’, ‘KB4019474’
EDIT: 5-16-17 We continue to refine the PowerShell script. Some partners experienced problems running it on Windows 7 machines with v2.0 of PowerShell. We removed some of the formatting that it didn’t like, and it appears to run fine. We no longer create the “Failed_patches.txt” file.
ALSO: It does not appear that the patch released by Microsoft for XP computers and 2003 servers will show up in the Patch Catalog, so it can not be approved and pushed out from Kaseya. The only option is to push it out via script or manually download it.
Here are links to the downloads if you need them:
Windows 2003
32BIT: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
64Bit: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
XP
32-bit: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe
64-bit: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
If you think you will need scripts, let me know and I will create and post.