WannaCry ransomware – are you protected?

PDQ Deploy, PDQ Inventory

WannaCry? More like wanna pull your hair out from all the confusing information out there? Yeah. We hear you. With the recent news about the WannaCry/WannaCrypt ransomware, people are scrambling to find out if their machines are patched and protected.

Worry not, this blog will show you how to find out if you’re protected or not. Additionally, if you use PDQ Deploy and PDQ Inventory, we have pre-built packages and collections to keep all your machines safe and protected.

TL;DR

  • PDQ Inventory – We now have a collection in our Collection Library for determining which machines are vulnerable to WannaCry.
    • We even detail how to create your own collection if you don’t use the Collection Library (Link here).
  • PDQ Deploy – We have packages in our Package Library for the cumulative/rollup updates for Windows 7, 8.1, and Windows 10.
  • PDQ Deploy – As a bonus, we’ve recently released a package with the out-of-band patches for Windows XP, Windows 8, and Server 2003. (Microsoft link about those).

WannaCry – am I protected?

As Professor Farnsworth would say, “good news, everybody!”

The good news is the exploit WannaCry takes advantage of was actually fixed back in March of this year. There was a patch released to fix some Windows Server SMB security issues (info link here).

Plus, Microsoft has recently been doing cumulative updates to push out patches to Windows machines. Because they are cumulative, a machine doesn’t need the previous cumulative updates installed in order to be up to date; the latest one contains them all.

In other words, if you regularly patch your machines with the latest Windows patches, you are protected against the current ransomware known as WannaCry/WannaCrypt. Thank goodness!

Finding installed updates

How can you be sure your machines are patched? How do you look for installed updates?

Most of the time, it’s easiest just to open the Programs and Features window and look for installed updates.

Additionally, you can look at some other locations to verify whether or not a patch has been installed.

  • Get-Hotfix (a PowerShell cmdlet)
  • Win32_QuickFixEngineering (a WMI class being shown via PowerShell)
  • PDQ Inventory (which scans for hot fixes for Windows as well as other Microsoft products)

Using these methods, you should be able to search for any installed and active hot fix.

Windows Update Gotcha – Cumulative Updates

Do you remember that time (2 seconds ago) when I mentioned you could search for any installed hot fix using the aforementioned methods?

Yeah, so there’s actually a little (big) gotcha that people can encounter when dealing with cumulative updates. Cumulative updates get superseded by newer cumulative updates, and a superseded update no longer shows up in the normal spots that we check.

For example, on my machine, I am running Windows 10 1703 (Creators Update).

You can see that I have installed two cumulative updates:

  • KB4016871 (the most recent)
  • KB4016240 (the older)

Yet, if I use one of those previous methods to look for hot fixes, I will not see both of the cumulative updates. I will only see the most recent cumulative update since that update supersedes the previous cumulative update.

So, to summarize, if you’re using PDQ Inventory (for example), the older cumulative update will not show up since it’s been superseded by the newest one.

You can even verify this on the Microsoft Windows Update Catalog. It shows that the older cumulative update was replaced by the newer cumulative update.

Finding superseded cumulative updates

Now that we know we may or may not have older cumulative updates installed, how do we find out if they’ve ever been installed? We use the Windows Update Agent COM Object, that’s how! (If you’re interested in more information, look here)

We’re going to use the Windows Update Agent API to query the update history to see if a given update has ever been installed. To search through the Windows Update history, do the following:

  1. Create the Windows Update Agent COM Object.
  2. Use the Windows Update Agent to create an Update Searcher.
  3. Query the update history.
  4. Use the Update Searcher to search for the updates.

For Windows 10, it will look something like this:

# Step 1: create the Windows Update Agent session COM object
$UpdateAgent = New-Object -ComObject Microsoft.Update.Session
# Step 2: create an Update Searcher from the session
$UpdateSearcher = $UpdateAgent.CreateUpdateSearcher()
# Step 3: find out how many history entries exist so we can read all of them
$TotalHistoryCount = $UpdateSearcher.GetTotalHistoryCount()
# Step 4: query the full history and keep only Windows 10 cumulative updates
$UpdateHistory = $UpdateSearcher.QueryHistory(0, $TotalHistoryCount) | Where-Object {$_.Title -like "*Cumulative Update for Windows 10*"} 
# Translate the numeric ResultCode into a readable result for each entry
$UpdateHistory | Select Date, Title, @{Name="Result"; Expression={
    Switch ($_.ResultCode) {
        0 {"Not Started"}
        1 {"In Progress"}
        2 {"Succeeded"}
        3 {"Succeeded With Errors"}
        4 {"Failed"}
        5 {"Aborted"}
    }}}


For Windows 7 and Windows 8.1, you could use something like this:

$UpdateAgent = New-Object -ComObject Microsoft.Update.Session
$UpdateSearcher = $UpdateAgent.CreateUpdateSearcher()
$TotalHistoryCount = $UpdateSearcher.GetTotalHistoryCount()
$UpdateHistory = $UpdateSearcher.QueryHistory(0, $TotalHistoryCount) | Where-Object {$_.Title -like "*Rollup*"} 
$UpdateHistory | Select Date, Title, @{Name="Result"; Expression={
    Switch ($_.ResultCode) {
        0 {"Not Started"}
        1 {"In Progress"}
        2 {"Succeeded"}
        3 {"Succeeded With Errors"}
        4 {"Failed"}
        5 {"Aborted"}
    }}}

Since my machine is a Windows 10 machine, I’ll run the Windows 10 code.

This will show you which cumulative updates have been installed, when they were installed, and if there were any failed installation attempts.
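To tie the two sections together, here is an added example (not from the original post) that checks a list of KB numbers against all three views at once: Get-HotFix, Win32_QuickFixEngineering, and the Windows Update Agent history. The first two only list updates that are still active, so a superseded cumulative update drops out of them; the history keeps the record, along with any failed attempts. The function name and the KB list passed at the bottom are placeholders; substitute the KBs from whatever collection or advisory you are working from.

```powershell
# Added example, not part of the original post. Reports, for each KB, whether it is
# visible as an active hotfix and whether it ever appears in the Windows Update history.
function Get-KBStatus {
    param(
        [Parameter(Mandatory)][string[]]$KB
    )

    # Views 1 and 2: currently active hotfixes. Superseded updates disappear from both.
    $hotfix = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $qfe    = Get-CimInstance -ClassName Win32_QuickFixEngineering |
              Select-Object -ExpandProperty HotFixID

    # View 3: Windows Update Agent history, which still lists superseded installs
    # (and failed attempts). Guard against an empty history, which QueryHistory rejects.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

    # ResultCode meanings from the Windows Update Agent API
    $resultNames = @{
        0 = 'Not Started'; 1 = 'In Progress'; 2 = 'Succeeded'
        3 = 'Succeeded With Errors'; 4 = 'Failed'; 5 = 'Aborted'
    }

    foreach ($id in $KB) {
        # Normalise "4016871" and "kb4016871" to "KB4016871"
        $id = $id.ToUpper()
        if ($id -notmatch '^KB\d+$') { $id = "KB$id" }

        # Most recent history entry whose title mentions this KB, if any
        $hist = $history |
                Where-Object { $_.Title -match $id } |
                Sort-Object Date -Descending |
                Select-Object -First 1

        [pscustomobject]@{
            KB              = $id
            InGetHotFix     = $hotfix -contains $id
            InWin32QFE      = $qfe -contains $id
            InUpdateHistory = [bool]$hist
            LastResult      = if ($hist) { $resultNames[[int]$hist.ResultCode] } else { $null }
            LastAttempt     = if ($hist) { $hist.Date } else { $null }
        }
    }
}

# Placeholder KB list: the two Windows 10 1703 cumulative updates mentioned above.
Get-KBStatus -KB 'KB4016871', 'KB4016240' | Format-Table -AutoSize
```

On a machine like the one described above, the older cumulative update would show InGetHotFix and InWin32QFE as False but InUpdateHistory as True with a result of Succeeded, which is exactly the gap the history query closes. A KB that shows up only in history with a result of Failed or Aborted has never actually applied, so treat that machine as unpatched.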

PDQ to the rescue!

By using PDQ Deploy and PDQ Inventory, you can easily identify any vulnerable computers and get them patched with the latest updates (including the cumulative updates). To sum up what we’ve done:

PDQ Inventory

  • We made multiple collections in the Collection Library for determining machines with the recent WannaCrypt vulnerability.
  • If you don’t use the Collection Library, here are instructions on how to create your own collection (Link here).

PDQ Deploy

  • We have packages in the Package Library for the cumulative/rollup updates for Windows 7, 8.1, and Windows 10.
  • We also have the March security-only updates for Windows 7 and 8.1 (we personally recommend the cumulative updates, though).
  • As a bonus, we’ve recently released a package with the out-of-band patches for Windows XP, Windows 8, and Server 2003. (Microsoft link about those).

Wrapping up

This was a brief look at how all the update information is connected and how to find it. You can (and should) protect your machines by keeping them up to date.

Most important of all, WannaCry/WannaCrypt is not something to dismiss.

2 Comments

  • I think there might be a slight mistake in your collection.
    This is specifically in Windows 10 for version 1703 (Creators Update).
    Windows 10 version 1703 is protected from the SMB vulnerability at birth, so even if it doesn’t have those patches specified in the collection, it will be protected. It is reported as (Not Patched) in inventory though.

    TIP: Instead of checking for KB numbers in Windows 10, you can also check for Build numbers. If a Windows 10 version has a build above a certain number, it is safe from the SMB vulnerability.
    These build numbers are found under “Version” in PDQ Inventory and the following are protected:
    RTM(1507): build 10240.17319 and above.
    Fall Update(1511): build 10586.839 and above
    Anniversary Update(1607): build 14393.953 and above.
    Creators Update(1703): All builds

    • Thanks for reading and thanks for the great comment!

      We actually had debated internally on whether or not to do solely KB’s for the filters or to include the build numbers, especially with the case of Windows 10 1703.

      Since the majority of information that most people encounter is specific to KBs, we decided to focus our collection filters on KBs.

      Ultimately, we decided to include a matching child collection for Win 10 1703 in both the Patched and Not Patched collection trees. We did this in order to stem the tide of support tickets for customers who may see 1703 in one tree but not in the other but were unaware that 1703 already had the patch from its initial release.

      The collection itself should never show any members. But, we did want to maintain the same style of filters, so rather than specify that all builds of 1703 will never be in the patch, we decided to include the specific KB’s for the cumulative patches in the filter itself.

      Perhaps we’ll consider modifying that specific collection in the near future based off customer input.

      Thanks again for the great comment!
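The commenter’s tip above suggests checking Windows 10 build numbers instead of KBs. As an added example (not from the post, its comments, or PDQ’s collection), the following reads the build and revision from the registry and compares them against the minimum builds the commenter listed. Those thresholds are taken from the comment as stated and are assumptions here; the function name is a placeholder.

```powershell
# Added example, not part of the original post. Compares this machine's Windows 10
# build (CurrentBuild.UBR) against the minimum patched builds given in the comment.
function Test-Win10BuildPatched {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # CurrentBuild is the major build (e.g. 14393); UBR is the cumulative-update revision
    # (e.g. 953). Together they form the "Version" value shown in PDQ Inventory.
    $major = [int]$cv.CurrentBuild
    $build = [version]"$major.$($cv.UBR)"

    # Minimum patched builds as listed in the comment (assumed, not independently verified).
    # 1703 (major build 15063) is described there as patched from its first release.
    $minimum = @{
        10240 = [version]'10240.17319'   # RTM (1507)
        10586 = [version]'10586.839'     # Fall Update (1511)
        14393 = [version]'14393.953'     # Anniversary Update (1607)
        15063 = [version]'15063.0'       # Creators Update (1703), all builds
    }

    $floor = $minimum[$major]
    [pscustomobject]@{
        Build   = $build
        Known   = [bool]$floor                                  # False for builds the comment did not cover
        Patched = if ($floor) { $build -ge $floor } else { $null }
    }
}

Test-Win10BuildPatched
```

Known is False for any Windows 10 major build the comment did not list (and for non-Windows 10 machines), so a $null Patched value means "no verdict" rather than "safe"; those machines still need the KB-based check.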
