cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ARTP
Engaged Sweeper II
Hi,

Currently having issues with assets missing Quickfix data. I've built a report to ensure we have no machines in our estate missing KB4012212 due to the recent WCrypt craziness however it is full of false positives due to some assets having no Quickfix data.

Has anyone came across this before? I've had a look through the community and couldn't see anything similar. Any advice is greatly appreciated.

Examples:

Quickfix data missing:
Quickfix Data Missing

Quickfix data:
Quickfix data
1 ACCEPTED SOLUTION
Susan_A
Lansweeper Alumni
If you require further assistance with the WannaCry report or Windows updates not being scanned, please contact us via email at support@lansweeper.com and provide a description of the problem. It will be a lot easier to troubleshoot if everyone submits their own support ticket, so we can look at each individual case. The cause of the issue may not be the same for everyone.

I'm going to lock this topic for now, just because it's become too long and confusing to comment on. If you contact us via email, we would be happy to troubleshoot from there. If you mention this forum topic in your email, we'll also be happy to post the conclusion of our support conversation in this forum topic, once your ticket is resolved.

View solution in original post

23 REPLIES 23
Nick_VDB
Champion Sweeper III
The report below will give back the machines that do not have the hotfixes installed. We added some further KB's that have the fix for MS17-010. These hotfixes are scanned from the Win32_QuickFixEngineering WMI class. There is an interval of 7 days for scanning the Win32_QuickFixEngineering WMI class, this can be modified by going to Scanning\Scanned Item Interval and setting it to 0. You can then do a full rescan of your machines so that the quickfixengineering table is updated with any new updates. Once the rescans have been done you can then run this report. In the report it is also required that the assets be set to the 'Active' state. If

Recap:
  • Go to Scanning\Scanned Item Interval
  • Change the interval time for the 'QUICKIX' item to 0
  • Rescan all your assets to update the quickfixengineering tables with the new updates
  • Run the report

The hotfix must be found in Win32_QuickFixEngineering for Lansweeper to be able to scan it. The following command lists all the Hotfixes that are found in the Win32_QuickFixEngineering table.

wmic path Win32_QuickFixEngineering

Select Top 1000000 Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As
icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
Case When tblAssets.Lastseen Is Null Then 'Unknown' Else 'Vulnerable'
End As IsVulnerable,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Where
tblAssets.AssetID Not In (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering Inner Join tblQuickFixEngineeringUni
On tblQuickFixEngineeringUni.QFEID = tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4012216', 'KB4012215',
'KB4012217', 'KB4012212', 'KB4012213', 'KB4012598',
'KB4012214', 'KB4012606', 'KB4013198', 'KB4012212', 'KB4012217', 'KB4015551', 'KB4019216', 'KB4012216',
'KB4015550', 'KB4019215', 'KB4013429', 'KB4019472', 'KB4015217', 'KB4015438', 'KB4016635', 'KB4019264', 'KB4015549', 'KB4015221', 'KB4019474', 'KB4015219', 'KB4019473')) And tsysAssetTypes.AssetTypename
Like 'Windows%'
Order By tblAssets.Domain,
tblAssets.AssetName
heybobby1
Engaged Sweeper III
Nick.VDB wrote:
The report below will give back the machines that do not have the hotfixes installed.


Thanks for the report. You're missing some KBs BTW. Here's the complete list:

('KB4012598', 'KB4012212', 'KB4012215', 'KB4015549', 'KB4019264', 'KB4012214', 'KB4012217', 'KB4015551', 'KB4019216', 'KB4012213', 'KB4012216', 'KB4015550', 'KB4019215', 'KB4012606', 'KB4015221', 'KB4019474', 'KB4013198', 'KB4015219', 'KB4019473', 'KB4015438', 'KB4015217', 'KB4019472'))

From Microsoft's "WannaCrypt Ransomware Customer Guidance" webcast earlier today: https://1drv.ms/b/s!AsSKRAC3eQiE16glLQ2KTGNFnpSNAA
ARTP
Engaged Sweeper II
Nick.VDB wrote:
The report below will give back the machines that do not have the hotfixes installed. We added some further KB's that have the fix for MS17-010. These hotfixes are scanned from the Win32_QuickFixEngineering WMI class. There is an interval of 7 days for scanning the Win32_QuickFixEngineering WMI class, this can be modified by going to Scanning\Scanned Item Interval and setting it to 0. You can then do a full rescan of your machines so that the quickfixengineering table is updated with any new updates. Once the rescans have been done you can then run this report. In the report it is also required that the assets be set to the 'Active' state. If

Recap:
  • Go to Scanning\Scanned Item Interval
  • Change the interval time for the 'QUICKIX' item to 0
  • Rescan all your assets to update the quickfixengineering tables with the new updates
  • Run the report

The hotfix must be found in Win32_QuickFixEngineering for Lansweeper to be able to scan it. The following command lists all the Hotfixes that are found in the Win32_QuickFixEngineering table.

wmic path Win32_QuickFixEngineering

Select Top 1000000 Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As
icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
Case When tblAssets.Lastseen Is Null Then 'Unknown' Else 'Vulnerable'
End As IsVulnerable,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Where
tblAssets.AssetID Not In (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering Inner Join tblQuickFixEngineeringUni
On tblQuickFixEngineeringUni.QFEID = tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4012216', 'KB4012215',
'KB4012217', 'KB4012212', 'KB4012213', 'KB4012598',
'KB4012214', 'KB4012606', 'KB4013198', 'KB4012212', 'KB4012217', 'KB4015551', 'KB4019216', 'KB4012216',
'KB4015550', 'KB4019215', 'KB4013429', 'KB4019472', 'KB4015217', 'KB4015438', 'KB4016635', 'KB4019264', 'KB4015549', 'KB4015221', 'KB4019474', 'KB4015219', 'KB4019473')) And tsysAssetTypes.AssetTypename
Like 'Windows%'
Order By tblAssets.Domain,
tblAssets.AssetName


No joy i'm afraid, changing it to 0 days does not add the data to any machines that were missing it;
maupaiva
Engaged Sweeper
I am looking for something similar too 😛