check for patched against WannaCry (or any other desired list of KB patches)

Hi,

It would be great to have a script to see if a Windows machine has been patched against WannaCry (or any other desired list of KB patches).

Heck – having said results in a dashboard-like thing on C1 would be great, but I’d be happy with a script or filter to show which machines need attention for specific KBs.

Thanks

If you’re running the Comodo security addon (ITSM Premium) you’re protected against WannaCry, it was already demonstrated on a video Melih posted on LinkedIn. It gets “in” to your network by a user opening an attachment.

Now, it would be interesting to see a video to see how Comodo Endpoint protects when WannaCry tries to deploy itself via the ETERNALBLUE SMB exploit. I expect the payload would probably get into memory but as soon as it tried to spawn a new process Sandbox would catch it. Unsure if enabling Shellcode injection block in HIDS would block ETERNALBLUE or not, maybe Melih could advise.

would be a boring video…any unknown process trying to execute will be run inside containment/sandboxing…WannaCry is no different.
Virtualization is the only practical way to protect yourself nowadays…explained here https://www.melih.com/2017/05/13/ransomware-prevention-yes-it-is-possible-yes-it-is-affordable/

Hi,

@computerexperts

We will update you with requested scripts.

Thank you

For clarity, the video showed it being blocked by the Comodo Firewall addon, not vanilla ITSM. And, as yet, MS17-010 (for WannaCry) is not yet listed in ITSM’s Patch Management.

Hi @computerexperts

Please refer to the procedure published in the URL below to get the list of installed Windows updates.

https://forum.mspconsortium.com/forum/script-library/11206-get-installed-updates-list-from-windows

Let us know your feedback.

Thanks,
Kannan

This is true, but in many cases, at least for my networks, I have to disable the containment feature, as it broke so many applications that run on our networks. I spent months trying to run behind and exclude stuff, so my end users could efficiently work, without credit apps loading in containment and all. I get a little uneasy with this, but my users have to be able to do their job, and the containment and firewall broke just about everything for a long time. I run the ITSM premium, and never could get the containment to work as I needed it, blocked waaayyyy too many legit programs. I hope no one else has had these issues, as they were a real pain, as well as time consuming. I tried to get some stuff working a few months back, after using the software for over a year, and it was still breaking very important LOB apps, and I was having to dig down and try to make exclusions in a million different places, because I could not find a way to approve the application from the endpoint, and if I did, it would revert in 15 minutes. Even when I told it to wait an hour. I have got the containment working on 90% of my endpoints now, but as one knows, the important systems are the ones that have to use the LOB apps that get broken. Seems counter-intuitive to me, but I get paid to make sure everyone can do their job, even if that means opening a security hole to ensure things don’t get broken, as they will not understand why their stuff doesn’t work, in the name of security. I sometimes feel that Comodo should make the containment app easier to configure, as I went through months of not getting it to work right, and this was with the help of Comodo help support. Anyway, I think that the question is a great one, and should seriously be considered by the team, as we don’t all have the added protection of the containment software on every computer, mainly the important ones, that also have write access to network shares and the likes, which in turn will help it spread like wildfire.

I watched the video, and it looked to me to be running in containment mode, had the green border, just like mine does when it contains stuff. I was figuring that they were running the containment software.

hmm…we let you suffer unnecessarily…We have a way to
a)baseline network: we go identify all unknowns and turn them into known before we say installation is complete
b)have a service where we have an SLA of 4 hours to turn any new unknown executable into known (95% of the time it’s done within a few minutes automatically…but 5% of the time we have to do manual analysis before we can give a verdict to a file, hence the 4 hour SLA)
c)number of unknowns an enterprise sees is so few and far between, you shouldn’t have to worry about it as we have an amazing whitelist…

So…I think we should help you with that…let us do that!

let me know how we can connect to help pls

This was back in 2015 or so, and integration was not complete, ITSM was not yet live, nor were several tools like unknown file hunter. My Comodo rep tried to get me to go with the on-site server, which he said was better capable to handle what I was doing, he did mention that the features were coming to the C1 platform but I was persistent that I had to have the C1 integration, but I guess I got busy and never re-investigated the capabilities of upgrades. I do know that I still have an issue with containment containing certain PDFs, that are generated online, and will not print them, unless they are downloaded. I also have a problem with web-based Java LOB apps. I would love to re-investigate the capabilities with the new tool sets. If you have a YouTube video, or a wiki of these capabilities, I would love to dig deeper into the system. This is essential stuff that I have not yet circled back to.

Ilker will be reaching out to you…we addressed all these issues…you just need to know which buttons to press :slight_smile: we’ll get you up and running in no time…

Great, I am in a position to look at that stuff again, especially since the updates are working great again, I will be looking forward to hearing from him!!

I’ve seen the issue where you tell it to not disable sandboxing for an hour and it kicks back in in a few minutes. It’s probably the ITSM profile overriding the local setting when it updates, but I didn’t take the time to double check if that was the cause. As Melih already mentioned, you should be able to do the baseline settings and then flip over. I’ve had no issues with the sandboxing except when installing things like OpenVPN custom-generated installers, or CloudBerry customer generated installers, due to the lack of recognition of the SHA file signature.

I’ve whipped up something. It would be great, if the output could be funneled into a dashboard, though – like the devices page where you see a list of devices, and a checkmark or something like that, so you can easily see who isn’t patched (or who doesn’t have AV, or who doesn’t have a particular third-party-whatever, who has an SNMP x.x.x.x.x result greater than YYY, etc.).

Enjoy:

```python
# This is a Comodo One / C1 script to check WannaCry patch status
# mschechter.20170516
# Computer Experts Group, Ltd.

from __future__ import print_function
import os
import subprocess

# KB numbers that carry the MS17-010 fix; which one applies depends on the OS version,
# so finding any one of them counts as patched.
sHotFixes = ['KB4012212', 'KB4012217', 'KB4015551', 'KB4019216', 'KB4012216', 'KB4015550',
             'KB4019215', 'KB4013429', 'KB4019472', 'KB4015217', 'KB4015438', 'KB4016635']
iFoundOne = 0
sName = 'WannaCry'

# Ask WMI for the installed hotfix IDs. The output is captured straight from the pipe
# instead of being written to %TEMP% and searched with 'find': the temp-file route broke
# on paths containing spaces, and ERRORLEVEL is not visible to Python via os.getenv(),
# so the original check always took the "found" branch.
process = subprocess.Popen('wmic qfe get hotfixid', shell=True, stdout=subprocess.PIPE)
stdout = process.communicate()[0].decode('utf-8', 'replace')
print(stdout)

# Case-insensitive match, as 'find /i' did.
installed = stdout.upper()
for i in sHotFixes:
    if i.upper() in installed:
        iFoundOne += 1

if iFoundOne == 0:
    print("BAD! " + os.environ['COMPUTERNAME'] + " has NO " + sName + " PATCHES FOUND!!")
else:
    print("GOOD! " + os.environ['COMPUTERNAME'] + " has " + sName + " PATCHES FOUND.")
```
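A more general version of the check the first post asks for (any desired list of KBs, not only the WannaCry set), as an added example that is not the poster's script: it parses the output of `wmic qfe get hotfixid` into a set of installed KB IDs and reports which wanted KBs are present or missing, either "any one is enough" (cumulative rollups, as with MS17-010) or "all must be present". The sample wmic output is constructed, and `query_hotfixes` is a hypothetical helper that runs wmic on a real Windows host.

```python
import re
import subprocess

# Constructed sample of 'wmic qfe get hotfixid' output (header line, padded rows,
# wmic's \r\r\n line endings); not captured from a real machine.
SAMPLE_WMIC_OUTPUT = (
    "HotFixID   \r\r\n"
    "KB4012212  \r\r\n"
    "KB3150513  \r\r\n"
    "kb4019472  \r\r\n"
    "\r\r\n"
)

KB_RE = re.compile(r"^KB\d+$", re.IGNORECASE)


def parse_hotfix_ids(wmic_text):
    """Return the set of installed KB IDs (upper-cased) found in wmic qfe output."""
    ids = set()
    for line in wmic_text.splitlines():
        token = line.strip()
        if KB_RE.match(token):          # skips the 'HotFixID' header and blank rows
            ids.add(token.upper())
    return ids


def check_patches(wmic_text, wanted_kbs, require_all=False):
    """Compare a wanted KB list against the installed set.

    require_all=False: any one wanted KB satisfies the check (OS-specific rollups).
    require_all=True: every wanted KB must be installed.
    """
    installed = parse_hotfix_ids(wmic_text)
    wanted = {kb.upper() for kb in wanted_kbs}
    present = sorted(wanted & installed)
    missing = sorted(wanted - installed)
    ok = (not missing) if require_all else bool(present)
    return {"ok": ok, "present": present, "missing": missing}


def query_hotfixes():
    """Hypothetical helper: run wmic on a Windows host and return its raw output."""
    out = subprocess.check_output("wmic qfe get hotfixid", shell=True)
    return out.decode("utf-8", "replace")


if __name__ == "__main__":
    ms17_010 = ["KB4012212", "KB4012217", "KB4015551", "KB4019216", "KB4012216", "KB4015550",
                "KB4019215", "KB4013429", "KB4019472", "KB4015217", "KB4015438", "KB4016635"]
    report = check_patches(query_hotfixes(), ms17_010)
    print("GOOD" if report["ok"] else "BAD", report)
```

The `missing` list is what a dashboard filter would key on: a device whose report has `ok == False` needs attention for that KB set.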

Hi @computerexperts

Great input.

Regarding visibility, please check the Comodo ONE Portal, Security and Patch Widgets for overall view (there shouldn’t be any device with critical patches missing as a best practice) https://help.comodo.com/topic-289-1-716-11178-Dashboard-Overview.html

Also, you can check the ITSM device view, Patch status icons to see individual device status with regards to patching. https://help.comodo.com/topic-399-1-786-10095-Managing-Devices.html

Ilker

Had a call with a comodo rep today, the problem was my interpretation of a setting, I now have a better grasp, and plan to try again, thanks guys!!

Hi, Ilker.

Yes, of course we use the portal, security and patch widget view and device view, but we are also used to other RMMs where we could put custom things (like SNMP OIDs) or filters (select * where antivirus == ANY, not just C1’s) in the main screen, so we could quickly see who was covered, who was not, who had a server room with a temperature above threshold, who has our specific antimalware on it, etc.

Just a suggestion/wish.

@computerexperts,

Sure, thank you for the suggestion.

We are going to release custom script monitors this weekend :slight_smile: details are coming soon. I think you are going to find it useful in many ways like the one you described above…

Ilker