Notification

Icon
Error

Wannacry & Adylkuzz: MS17-010 Windows computers that are potentially vulnerable

Posted: Monday, May 15, 2017 10:33:55 AM(UTC)
Nick.VDB

Nick.VDB

Member Administration Posts: 242
73
Like
SUPPORT FOR THIS REPORT WILL END ON THE 31ST OF AUGUST 2017


As has been reported over the news, on the 12th of May a ransomware program ‘WannaCry’ ('WannaCrypt', 'WCRY') targeting Microsoft Windows computers was launched. This cyber-attack has affected over 230 000 computers in more than 150 countries. Microsoft has released a number of updates to mitigate the MS17-010 vulnerability which the ransomware program targets with doing an SMB exploit. The Microsoft Security Bulletin on MS17-010 can be found here.
Lansweeper can be used to find machines that do not have the hotfixes installed to mitigate the SMB vulnerability. Follow the steps below to verify that you currently do not have any vulnerabilities:
  • Hover over the ‘Assets’ tab and select the ‘Windows’ asset type.

    Windows Assets

  • On the page giving back all the Windows computers click on the ‘Rescan Assets’ option. This will scan all the data from the Windows computer without taking into account the interval times that are setup under Scanning\Scanned Item Interval.

    Rescan Assets

  • Once the Windows assets have been rescanned - you can check this under Scanning\Scanning Queue - run the report below. The report will give back the machines that do not have the hotfixes installed. We highlighted the list of hotfixes in yellow. Further hotfixes can be added as they are released by Microsoft. To run the report found in the report center, do the following:

1. Open the report builder in the Lansweeper web console under Reports/Create New Report.
2. Paste the SQL query (report) found in the report center at the bottom of the page, replacing the default SQL query.
3. Left-click somewhere in the upper section of the page so the query applies.
4. Give the report a title.
5. Hit the Save & Run button to save the report.


For your information, we will be updating the report as Microsoft releases new hotfixes. Certain KBs may not yet be in the list of the report.


    EDIT 15-05-2017:
  • For each machine, added a list of possible patches, based on the OS
  • Filtered out Windows Creators update

    EDIT 16-05-2017:
  • Added KB4018466 for Windows Server 2008

    EDIT 17-05-2017:
  • Added asset 'State' column
  • Added 'ScanningErrors' column. This lists any scanning errors the computer may have generated. Machines with scanning errors may not have up-to-date Windows hotfix information and may appear in the report even though they are fully patched.
  • Added 'WindowsUpdateInfoLastScanned' column. This lists the amount of days that have passed since Windows update information has last been scanned for the asset.
  • Added 'Comment' column.
  • Added KB4019217 May 16, 2017 (Preview of Monthly Rollup) for Windows 8.1 and Windows Server 2012 R2
  • Added KB4019265 May 16, 2017 (Preview of Monthly Rollup) for Windows 7 SP1 and Windows Server 2008 R2 SP1

    EDIT 22-05-2017:
  • Added KB4019218 May 16, 2017 (Preview of Monthly Rollup) for Windows Server 2012

    EDIT 14-06-2017:
  • Added KB4022719 June 13, 2017 (Monthly Rollup) for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • Added KB4022724 June 13, 2017 (Monthly Rollup) for Windows Server 2012
  • Added KB4022726 June 13, 2017 (Monthly Rollup) for Windows 8.1 and Windows Server 2012 R2

    EDIT 20-06-2017:
  • Added KB4022714 June cumulative update for Windows 10

    EDIT 29/06/2017:
  • Added KB4022720 June 27, 2017 (Preview of Monthly Rollup) for Windows 8.1 and Windows Server 2012 R2
  • Added KB4032693 June 27, 2017 (OS Build 10586.965) cumulative update for Windows 10 Version 1511
  • Added KB4022723 June 27, 2017 (OS Build 14393.1378) for Windows 10 Version 1607 and Windows Server 2016
  • Added KB4022168 June 27, 2017 (Preview of Monthly Rollup) for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • Added KB4022721 June 27, 2017 (Preview of Monthly Rollup) for Windows Server 2012

    EDIT 14/07/2017:
  • Added KB4025336 July 11, 2017 (Monthly Rollup) for Windows 8.1 and Windows Server 2012 R2
  • Added KB4025344 July 11, 2017 (OS Build 10586.1007) for Windows 10 Version 1511
  • Added KB4025339 July 11, 2017 (OS Build 14393.1480) for Windows 10 Version 1607 and Windows Server 2016
  • Added KB4025341 July 11, 2017 (Monthly Rollup) for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • Added KB4025331 July 11, 2017 (Monthly Rollup) for Windows Server 2012

    Edit 25/07/2017:
  • Added KB4025335 July 18, 2017 (Preview of Monthly Rollup) for Windows 8.1 and Windows Server 2012 R2
  • Added KB4025334 July 18, 2017 (OS Build 14393.1532)
    for Windows 10 Version 1607 and Windows Server 2016
  • Added KB4025340 July 18, 2017 (Preview of Monthly Rollup) for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • Added KB4025332 July 18, 2017 (Preview of Monthly Rollup) for Windows Server 2012

    Edit 09/08/2017:
  • Added KB4034681 August 8, 2017 (Monthly Rollup) for Windows 8.1 and Windows Server 2012 R2
  • Added KB4034660 August 8, 2017 (OS Build 10586.1045) for Windows 10 Version 1511
  • Added KB4034658 August 8, 2017 (OS Build 14393.1593) for Windows 10 Version 1607 and Windows Server 2016
  • Added KB4034664 August 8, 2017 (Monthly Rollup) for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • Added KB4034665 August 8, 2017 (Monthly Rollup) for Windows Server 2012

    Edit 16/08/2017
  • Added KB4034663 August 15, 2017 (Preview of Monthly Rollup) for Windows 8.1 and Windows Server 2012 R2
  • Added KB4034670 August 15, 2017 (Preview of Monthly Rollup) for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • Added KB4034659 August 15, 2017 (Preview of Monthly Rollup) for Windows Server 2012


SUPPORT FOR THIS REPORT WILL END ON THE 31ST OF AUGUST 2017


Select Top 1000000 Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As
icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblState.Statename As State,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then 'Scanning Error: ' +
tsysasseterrortypes.ErrorMsg Else '' End As ScanningErrors,
Case When tblAssets.Lastseen Is Null Then 'Unknown' Else 'Vulnerable'
End As IsVulnerable,
Case When tsysOS.OSname = 'Win XP' Or tsysOS.OSname = 'Win 2003' Or
tsysOS.OSname = 'Win 2003 R2' Or tsysOS.OSname = 'Win 8' Then 'KB4012598'
When tsysOS.OSname = 'Win Vista' Or
tsysOS.OSname = 'Win 2008' Then 'KB4012598 / KB4018466'
When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
tsysOS.OSname =
'Win 2008 R2' Then
'KB4012212 / KB4012215 / KB4015549 / KB4019264 / KB4019265 / KB4022719 / KB4022168 / KB4025341 / KB4025340 / KB4034664 / KB4034670'
When tsysOS.OSname =
'Win 2012' Then
'KB4012214 / KB4012217 / KB4015551 / KB4019216 / KB4019218 / KB4022724 / KB4022721 / KB4025331 / KB4025332 / KB4034665 / KB4034659'
When tsysOS.OSname = 'Win 8.1' Or
tsysOS.OSname =
'Win 2012 R2' Then
'KB4012213 / KB4012216 / KB4015550 / KB4019215 / KB4019217 / KB4022726 / KB4022720 / KB4025336 / KB4025335 / KB4034681 / KB4034663'
When tblOperatingsystem.Version Like '%10240%' Then
'KB4012606 / KB4015221 / KB4019474'
When tblOperatingsystem.Version Like '%10586%' Then
'KB4013198 / KB4015219 / KB4019473 / KB4022714 / KB4032693 / KB4025344 / KB4034660'
When tblOperatingsystem.Version Like '%14393%' Or
tsysOS.OSname =
'Win 2016' Then 'KB4015438 / KB4015217 / KB4019472 / KB4023680 / KB4022715 / KB4022723 / KB4025339 / KB4025334 / KB4034658'
When tsysOS.OScode Like '10.0%' And tsysOS.OScode Not In (Select Top 1000000
tsysOS.OScode From tsysOS
Where
tsysOS.OScode Like '10.0%') Then
'KB4012606 / KB4015221 / KB4019474 / KB4015438 / KB4015217 / KB4019472 / KB4023680 / KB4022715 / KB4022723 / KB4025339 / KB4025334 / KB4034658' Else Null End As [Install one of these updates],
Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
Case
When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) >
3 Then
'Windows update information may not be up to date. We recommend rescanning this machine.' Else '' End As Comment
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
tblAssets.AssetID
Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
And tblAssets.IPNumeric <= tsysIPLocations.EndIP
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
TsysLastscan.Lasttime As QuickFixLastScanned
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned
On tblAssets.AssetID = QuickFixLastScanned.ID
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where
tblAssets.AssetID Not In (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering Inner Join tblQuickFixEngineeringUni
On tblQuickFixEngineeringUni.QFEID = tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4012216', 'KB4012215',
'KB4012217', 'KB4012212', 'KB4012213', 'KB4012598', 'KB4012214',
'KB4012606', 'KB4013198', 'KB4015551', 'KB4019216', 'KB4015550',
'KB4019215', 'KB4013429', 'KB4019472', 'KB4015217', 'KB4015438',
'KB4016635', 'KB4019264', 'KB4015549', 'KB4015221', 'KB4019474',
'KB4015219', 'KB4019473', 'KB4018466', 'KB4019217', 'KB4019265',
'KB4019218', 'KB4022719', 'KB4022724', 'KB4022726', 'KB4023680',
'KB4022715', 'KB4022714', 'KB4022720', 'KB4032693', 'KB4022723',
'KB4022168', 'KB4022721', 'KB4025336', 'KB4025344', 'KB4025339',
'KB4025341', 'KB4025331', 'KB4025335', 'KB4025334', 'KB4025340',
'KB4025332', 'KB4034681', 'KB4034660', 'KB4034658', 'KB4034664',
'KB4034665', 'KB4034663', 'KB4034670', 'KB4034659'
)) And tsysOS.OSname != 'Win 2000 S' And
tsysAssetTypes.AssetTypename Like 'Windows%' And
tsysOS.OScode Not Like '10.0.15%' And tsysOS.OScode Not Like '10.0.16%'
Order By tblAssets.Domain,
tblAssets.AssetName
Bruce.B
#1Bruce.B Member Administration  
posted: 5/15/2017 2:14:50 PM(UTC)
If you require further assistance with using this report or the 'WannaCry' vulnerability issue in the context of Lansweeper, please contact us via email at support@lansweeper.com.

Active Discussions

Lansweeper Report for inventory
by  leblanc.daniel.4@hydro.qc.ca   Go to last post Go to first unread
Last post: Yesterday at 8:16:00 PM(UTC)
Lansweeper Project Management
by  jcait  
Go to last post Go to first unread
Last post: Yesterday at 6:34:20 PM(UTC)
Lansweeper lansweeper service not listening on port 9524
by  JDav007  
Go to last post Go to first unread
Last post: Yesterday at 2:35:01 PM(UTC)
Lansweeper WSUS Reports
by  Nick.VDB   Go to last post Go to first unread
Last post: Yesterday at 2:17:52 PM(UTC)
Lansweeper Help creating deployment package
by  MasterDoddy  
Go to last post Go to first unread
Last post: Yesterday at 11:22:24 AM(UTC)
Lansweeper Reminder email on Unasigned tickets
by  chris.anderson   Go to last post Go to first unread
Last post: 8/16/2017 5:47:37 PM(UTC)
Lansweeper AD tags
by  jkrelic  
Go to last post Go to first unread
Last post: 8/16/2017 5:26:37 PM(UTC)