These new health checks have been created for our Client Health customers to automatically detect and identify endpoints that are either vulnerable to, or have already been infected by, the WannaCry ransomware outbreak.
The WannaCry Health Check Package contains the following components:
- WannaCry Infection Health Check – This check detects systems that have already been infected by WannaCry by evaluating a comprehensive set of Indicators of Compromise (IOCs) for this malware. Machines that fail this health check are already compromised and must be immediately quarantined (isolated from the network so the worm cannot spread further). The business must then decide whether to reimage the affected systems or attempt to recover the data, for example from backups.
- WannaCry Vulnerability Assessment Health Check – This health check detects systems that are vulnerable to the WannaCry attack by evaluating whether the correct patches and system updates (the MS17-010 SMBv1 fixes) have been applied to the system. If a machine has none of the specified patches installed, it is treated as vulnerable to attack by WannaCry. System Administrators can easily update the patch list via a simple user interface to add additional patches to the health check as they become available. The health check will also add any systems identified as vulnerable to the appropriate ConfigMgr collection, so they can be quickly patched.
- WannaCry Vulnerability Remediation Action – This remediation action comes packaged with the Vulnerability Assessment Health Check. It will automatically disable the SMBv1 protocol on any machine the health check identifies as potentially vulnerable, and reboot it.
Installation Instructions
- Download the WannaCry workflow package .zip file from the link at the bottom of this page, and extract the .obex file.
- Open the Adaptiva Workbench, and open the Object Export-Import Perspective
- Select the Import Objects task, and in the File Selection window locate and select the downloaded .obex file
- In the opened editor tab, check that the objects contained in the .obex file are listed correctly.
- Resolve the errors by selecting a folder for each object to import into
I imported the Health Check and Workflow objects into the Health Checks\Security Health Checks folder, and the forms into UI Forms\Health Check Forms, but you can choose or add your own folder.
- Once all errors are resolved, click on the Import button. You will see the message "All checked objects have been successfully imported from the …obex file" in the Import Status section once complete.
- Open the Workflow Designer perspective, and navigate to the location you imported the workflows.
- Right click on each of the WannaCry workflows and click the Deploy option, and click OK.
Now that the health checks and supporting objects are imported and the workflows are deployed, you can create a scheduled or Instant Client Health policy to run them on your clients.
To run an Instant Client Health check against a number of machines:
- Open the Instant Client Health Collection Policy Perspective.
- In the Explorer view, click the Add button to create a new policy object.
- Give the policy a name, and add the collection / list of machines you want to target;
- Click on the Health Checks tab, and drag and drop the WannaCry health checks from the health checks explorer into the Health Checks pane in the editor;
- Once added choose if you want to Automatically Perform Remediation... for the Assessment Health Check
PLEASE NOTE: The remediation will disable SMBv1. For a number of organisations this may impact older systems which still depend on this protocol (factory machines, legacy applications, old NAS devices etc.), so care and an assessment of SMBv1 requirements is advised before enabling automatic remediation. Also, the remediation will automatically reboot clients 2 minutes after first setting the registry key, as the change only takes effect after a restart.
- If required, edit the comma-separated list of Hotfixes which protect against this vulnerability. This has been added so you can edit the hotfixes to look for additional patches as they become available (for example later cumulative updates that supersede the original fixes).
- Once done click on the Run button
After a few moments, results of the workflows will be shown in the Execution Results tab.
PLEASE NOTE: Within the Vulnerability Remediation workflow we check via the registry whether SMBv1 is disabled, and if not we set the registry key and restart the PC. This will show as Remediation Success if SMBv1 is successfully disabled (or was already disabled), but the post-remediation Health Check will still fail. This is because the Vulnerability health check is looking for the listed KB fixes and will fail until one of them is installed; disabling SMBv1 reduces exposure but does not patch the underlying vulnerability. The failed devices will be placed into an SCCM collection so you can then target the required hotfixes to that collection and monitor success in Configuration Manager.
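The logic described above (hotfix presence check, SMBv1 registry check, and the disable-and-reboot remediation) can be reproduced locally on a single endpoint with the following PowerShell. This is an added example and is not the Adaptiva workflow or health check code; it approximates the behaviour the page describes so you can verify a machine by hand. The KB numbers are an illustrative subset of the MS17-010 fixes and the infection indicators (the `mssecsvc2.0` service and `.WNCRY` files) are a small subset of the public WannaCry IOCs, not the package's IOC set. Run it in an elevated prompt; add `-AutoRemediate` to actually disable SMBv1 and schedule the restart.

```powershell
# Added example, not part of the Adaptiva Client Health package.
# Mirrors the page's three steps: infection IOC check, MS17-010 hotfix check,
# SMBv1 registry remediation with a 2-minute delayed reboot.
param([switch]$AutoRemediate)

# Illustrative subset of MS17-010 KBs; the comma-separated list configured in the
# health check is the authoritative one and should include later cumulative updates.
$Ms17010Hotfixes = 'KB4012212,KB4012215,KB4012213,KB4012216,KB4012214,KB4012217,KB4012598,KB4013429'

# Registry location Microsoft documents for disabling the SMBv1 server component.
$Smb1Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-WannaCryIndicators {
    # Small, public subset of infection IOCs; a hit means quarantine, not remediation.
    $hits = @()
    if (Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue) {
        $hits += 'service:mssecsvc2.0'
    }
    $enc = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Recurse -Filter '*.WNCRY' `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($enc) { $hits += "file:$($enc.FullName)" }
    return $hits
}

function Test-Ms17010Patched {
    param([string]$HotfixList = $Ms17010Hotfixes)
    $wanted    = $HotfixList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found     = @($wanted | Where-Object { $installed -contains $_ })
    # Same rule as the page: vulnerable only if NONE of the listed hotfixes is present.
    [pscustomobject]@{ Patched = ($found.Count -gt 0); Matched = ($found -join ',') }
}

function Test-Smb1Disabled {
    $value = Get-ItemProperty -Path $Smb1Key -Name SMB1 -ErrorAction SilentlyContinue
    # A missing value means the OS default (SMBv1 enabled on older Windows);
    # only an explicit 0 counts as disabled.
    return ($null -ne $value -and $value.SMB1 -eq 0)
}

function Invoke-Smb1Remediation {
    param([int]$RebootDelaySeconds = 120)
    if (Test-Smb1Disabled) { return 'AlreadyDisabled' }
    New-ItemProperty -Path $Smb1Key -Name SMB1 -Value 0 -PropertyType DWord -Force | Out-Null
    # The key is only honoured after a restart; the page's workflow waits 2 minutes.
    shutdown.exe /r /t $RebootDelaySeconds /c 'SMBv1 disabled for WannaCry remediation; restarting.'
    return 'DisabledRebootScheduled'
}

# --- main flow -------------------------------------------------------------
$infected = Test-WannaCryIndicators
if ($infected) {
    Write-Warning "INFECTED: $($infected -join '; ') - quarantine this host, do not remediate."
    return
}

$patch = Test-Ms17010Patched
if ($patch.Patched) {
    "Not vulnerable: hotfix(es) present: $($patch.Matched)"
} else {
    "VULNERABLE: none of [$Ms17010Hotfixes] installed; SMBv1 disabled: $(Test-Smb1Disabled)"
    if ($AutoRemediate) { "Remediation: $(Invoke-Smb1Remediation)" }
}
```

Two caveats match behaviour noted on the page. First, `Get-HotFix` reports the KB of whatever cumulative update is installed, so a Windows 10 device patched with a later monthly update will not list the March 2017 KB IDs and will report as vulnerable until that newer KB is added to the list; this is exactly why the hotfix list is editable. Second, the `SMB1` value under `LanmanServer\Parameters` disables only the SMBv1 server side; the SMBv1 client (`mrxsmb10`) is a separate component, so a host that has been remediated this way still cannot be considered patched until an MS17-010 fix is installed.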