Checking MS17-010 patch is installed - We can use Lansweeper to perform basic Vulnerability Assessment

Posted: Thursday, June 29, 2017 8:51:11 AM(UTC)
ufficioced
Member Original Poster Posts: 39
We can use Lansweeper to check if MS17-010 was correctly installed on Windows systems. Follow these steps:

- First, add a custom file scan to Lansweeper; the file to check is '%windir%\system32\drivers\srv.sys', following the idea you can find here: How to verify that MS17-010 is installed

- Create a report to check whether MS17-010 has a problem or not; it has to check the operating system version and, accordingly, the srv.sys file version

Feel free to correct it or suggest improvements.

Code:

Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblOperatingsystem.Caption As SO,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  Case
    When (tblOperatingsystem.Caption = 'Microsoft Windows 7 Professional' And
    (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',
    ''))) Then 'OK'
    When (tblOperatingsystem.Caption Like 'Microsoft Windows Server 2012 R2%'
    And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.3.9600.18604',
    '.', ''))) Then 'OK'
    When (tblOperatingsystem.Caption Like 'Microsoft(R) Windows(R) Server 2003%'
    And (Replace(SubQuery1.FileVersion, '.', '') > Replace('5.2.3790.6021', '.',
    ''))) Then 'OK'
    When (tblOperatingsystem.Caption =
    'Microsoft Windows Server 2008 R2 Standard' And
    (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',
    ''))) Then 'OK' Else 'ERR' End As [MS17-010],
  TsysLastscan.Lasttime As LastFileScan,
  Case SubQuery1.Found When 1 Then 'Yes' Else 'No' End As FileFound,
  SubQuery1.FileVersion,
  SubQuery1.CompanyName,
  SubQuery1.LastModified,
  SubQuery1.Lastchanged,
  Case
    When TsysLastscan.Lasttime < GetDate() -
    1 Then
    'Last file scan more than 24 hours ago!' End As Comment,
  SubQuery1.PatchSearched
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblFileVersions.AssetID,
    tblFileVersions.FilePathfull As PatchSearched,
    tblFileVersions.Found,
    tblFileVersions.FileVersion,
    tblFileVersions.CompanyName,
    tblFileVersions.Filesize,
    tblFileVersions.Lastchanged,
    tblFileVersions.CreationDate,
    tblFileVersions.LastAccessed,
    tblFileVersions.LastModified
  From tblFileVersions
  Where tblFileVersions.FilePathfull Like '%srv.sys') SubQuery1
    On SubQuery1.AssetID = tblAssets.AssetID
  Inner Join tblOperatingsystem
    On tblAssets.AssetID = tblOperatingsystem.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'files'
Order By tblAssets.Domain,
  tblAssets.AssetName
#1 David.G Member Administration Posts: 113
posted: 7/3/2017 1:06:39 PM(UTC)
We would like to thank you for the report you have provided the Lansweeper community with. However, it does not include all possible hotfixes that are available for all Windows operating systems. We would like to link an additional forum topic to this where we have provided our customers with a report that checks if the necessary hotfixes are installed on a Windows asset. If not, the report will give back the asset as vulnerable. The report can be found here.
#2 ufficioced Member Original Poster Posts: 39
posted: 7/3/2017 3:14:33 PM(UTC)
Yes, you are right, the report you linked is more complete, but I was looking for a solution to check if that specific update was installed, not by the HotFixID but instead by reading the file version (we experienced some cases with the right HotFixID but the srv.sys file not updated).

Thanks for your reply.
#3 poweld1 Member Posts: 102
posted: 7/4/2017 2:55:13 PM(UTC)
It's a good report but with one flaw: if you uninstall SMB from a computer, it also removes srv.sys from the computer. If you scan a computer and run the report, it displays ERR in the MS17-010 column.
#4 ufficioced Member Original Poster Posts: 39
posted: 7/5/2017 2:35:34 PM(UTC)
You are right! I added a new option in the "case/when" condition to check whether the file "SRV.SYS" exists or not.

Code:

Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblOperatingsystem.Caption As SO,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  Case
    When (SubQuery1.Found!=1) Then 'NO SRV.SYS'
    When (tblOperatingsystem.Caption = 'Microsoft Windows 7 Professional' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',''))) Then 'OK'
    When (tblOperatingsystem.Caption Like 'Microsoft Windows Server 2012 R2%' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.3.9600.18604','.', ''))) Then 'OK'
    When (tblOperatingsystem.Caption Like 'Microsoft(R) Windows(R) Server 2003%' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('5.2.3790.6021', '.',''))) Then 'OK'
    When (tblOperatingsystem.Caption = 'Microsoft Windows Server 2008 R2 Standard' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',''))) Then 'OK' Else 'ERR' End As [MS17-010],
  TsysLastscan.Lasttime As LastFileScan,
  Case SubQuery1.Found When 1 Then 'Yes' Else 'No' End As FileFound,
  SubQuery1.FileVersion,
  SubQuery1.CompanyName,
  SubQuery1.LastModified,
  SubQuery1.Lastchanged,
  Case
    When TsysLastscan.Lasttime < GetDate() -
    1 Then
    'Last file scan more than 24 hours ago! Scanned file information may not be up-to-date. Try rescanning this machine.' End As Comment,
  SubQuery1.PatchSearched
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblFileVersions.AssetID,
    tblFileVersions.FilePathfull As PatchSearched,
    tblFileVersions.Found,
    tblFileVersions.FileVersion,
    tblFileVersions.CompanyName,
    tblFileVersions.Filesize,
    tblFileVersions.Lastchanged,
    tblFileVersions.CreationDate,
    tblFileVersions.LastAccessed,
    tblFileVersions.LastModified
  From tblFileVersions
  Where tblFileVersions.FilePathfull Like '%srv.sys') SubQuery1
    On SubQuery1.AssetID = tblAssets.AssetID
  Inner Join tblOperatingsystem
    On tblAssets.AssetID = tblOperatingsystem.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'files'
Order By tblAssets.Domain,
  tblAssets.AssetName
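
An added example, not part of the original posts or of Lansweeper's own reports: the same srv.sys check with the four version fields compared numerically instead of as a dot-stripped string, and with separate results for a missing srv.sys and a missing file scan. It assumes T-SQL on SQL Server 2008 or later, treats the thresholds from the thread as minimum patched versions (`>=`), and runs on constructed sample rows (the `Sample` and `MinVer` names are hypothetical) rather than on the Lansweeper tables.

```sql
-- Constructed sample rows standing in for tblOperatingsystem.Caption and
-- tblFileVersions.Found / FileVersion; they are not real scan data.
With Sample As (
  Select * From (Values
    ('PC-A',  'Microsoft Windows 7 Professional', 1, '6.1.7601.23689'),
    ('PC-B',  'Microsoft Windows 7 Professional', 1, '6.1.7601.9999'),  -- sorts above 23689 as a string only
    ('SRV-C', 'Microsoft Windows Server 2012 R2 Standard', 1, '6.3.9600.18604 (constructed.label)'),
    ('SRV-D', 'Microsoft(R) Windows(R) Server 2003, Standard Edition', 1, '5.2.3790.4479'),
    ('PC-E',  'Microsoft Windows 7 Professional', 0, Null),     -- srv.sys absent
    ('PC-F',  'Microsoft Windows 10 Pro', 1, '10.0.14393.0'),   -- OS without a threshold
    ('PC-G',  'Microsoft Windows 7 Professional', Null, Null)   -- no file-scan row
  ) v (AssetName, Caption, Found, FileVersion)
),
-- Thresholds copied from the report in this thread.
MinVer As (
  Select * From (Values
    ('Microsoft Windows 7 Professional',          '6.1.7601.23689'),
    ('Microsoft Windows Server 2012 R2%',         '6.3.9600.18604'),
    ('Microsoft(R) Windows(R) Server 2003%',      '5.2.3790.6021'),
    ('Microsoft Windows Server 2008 R2 Standard', '6.1.7601.23689')
  ) v (CaptionPattern, MinVersion)
)
Select s.AssetName, s.FileVersion, m.MinVersion,
  Case
    When s.Found Is Null Then 'NOT SCANNED'
    When s.Found <> 1 Then 'NO SRV.SYS'
    When m.MinVersion Is Null Then 'OS NOT LISTED'
    When fk.VerKey >= mk.VerKey Then 'OK'
    Else 'ERR'
  End As [MS17-010]
From Sample s
  Left Join MinVer m On s.Caption Like m.CaptionPattern
  -- Keep only the text before the first space (drops a trailing build label).
  Cross Apply (Select Left(s.FileVersion,
      CharIndex(' ', s.FileVersion + ' ') - 1) As Ver) c
  -- Zero-pad each of the four fields to 5 digits so string order equals numeric order.
  Cross Apply (Select
      Right('00000' + ParseName(c.Ver, 4), 5) + Right('00000' + ParseName(c.Ver, 3), 5) +
      Right('00000' + ParseName(c.Ver, 2), 5) + Right('00000' + ParseName(c.Ver, 1), 5)
      As VerKey) fk
  Cross Apply (Select
      Right('00000' + ParseName(m.MinVersion, 4), 5) + Right('00000' + ParseName(m.MinVersion, 3), 5) +
      Right('00000' + ParseName(m.MinVersion, 2), 5) + Right('00000' + ParseName(m.MinVersion, 1), 5)
      As VerKey) mk
Order By s.AssetName
```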
