How to verify if your devices are fully protected against WannaCry Ransomware?

Title

How to verify if your devices are fully protected against WannaCry Ransomware?

Description

  • How to verify if your devices are fully protected against WannaCry/WCry Ransomware?
  • How to verify if MS17-010 has been installed?
  • Patches broken down by Operating System then by KB number:
    • Windows XP SP3 32-bit, Windows XP SP2 64-bit, Windows Server 2003 SP2 32-bit and 64-bit, Windows Vista SP2 32-bit and 64-bit, Server 2008 SP2 32-bit and 64-bit:
      • KB4012598
    • Windows Server 2008
      • KB4018466 
    • Windows 7 SP1 32-bit and 64-bit, Windows Server 2008 R2 SP1 64-bit:
      • KB4012212
      • KB4012215
      • KB4015549
      • KB4019264
    • Windows 8.1 32-bit and 64-bit, Windows Server 2012 R2:
      • KB4012213
      • KB4012216
      • KB4015550
      • KB4019215
    • Windows Server 2012:
      • KB4012214
      • KB4012217
      • KB4015551
      • KB4019216
    • Windows 10 32-bit and 64-bit:
      • KB4012606
      • KB4015221
      • KB4016637
      • KB4019474
    • Windows 10 version 1511 32-bit and 64-bit:
      • KB4013198
      • KB4015219
      • KB4016636
      • KB4019473
      • KB4016871 
    • Windows 10 version 1607 32-bit and 64-bit, Windows Server 2016 64-bit:
      • KB4013429
      • KB4015217
      • KB4015438
      • KB4016635
      • KB4019472

Environment

  • MSP Remote Monitoring & Management
  • Patch Management

Solution

Please note: Due to the nature of this vulnerability, new patches are being released.  Please check the Microsoft Update Catalog for the most up-to-date list of applicable patches.
  • To verify the status of protection on your systems via a single local script:
    • The script will display:
      • A list of all devices on your dashboard
      • Queries Patch Management for each device and identifies if one of the known good KBs are found
        • If patch is found as Installed, indicates the patch name that protects the device
        • If patch is not found but is not in status "Installed", indicates the current status of the patch (Missing, Pending, Reboot Required, Ignored)
        • If patch is not found with any status, checks to verify Patch Management is installed on the device
          • Fail-over to query the installed assets from the asset list to attempt to identify the patch installation from this method
            • NOTE: This is a less reliable method due to Microsoft not always listing patches as Installed Software
    1. Download script from here
    2. Extract MS17-010.ps1 file from zip to any location on your local device
    3. Right click file and select Run with Powershell
    4. Choose the region your dashboard is located in (Usually the region you live)
    5. On the dashboard, select Settings
    6. Select General Settings
    7. Select API
      • If no API Token is listed, select Regenerate
    8. Copy and paste the API Token from here to the Powershell script
      • If you selected Regenerate in Step 7, be sure to select OK before running the Powershell script
    9. Wait until the script has completed running and press any key to view the text output which is saved as MS17-010.txt in the same location as the Powershell script
  • To verify that your systems need protection via Reporting:
    1. Select Reports on top bar
    2. Select Patch Management Reports
    3. Select Overview Report
    4. Select All Clients
    5. Select Group by Patch
    6. Tick Missing and Failed Patch Status
User-added image
  1. Select Generate to generate report
  2. Search KB numbers from Description in report above
  • To verify that your systems need protection via Scripting (this may incur additional charges):
    1. Copy below Powershell script content into local text document:
# Check for hotfixes which patch the ms17-010 vulnerability. 
# # Example output: 
# PS C:\> .\checkfix.ps1 
# Found HotFix: KB4015550 

$hotfixes = "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4015217", "KB4015219", "KB4015221", "KB4015438", "KB4015549", "KB4015550", "KB4015551", "KB4016635", "KB4016636", "KB4016637", "KB4019215", "KB4019216", "KB4019264", "KB4019472", "KB4019473", "KB4019474", "KB4012219", "KB4012220", "KB4015553", "KB4015554", "KB4018466", "KB4016871" 

$hotfix = Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property "HotFixID" 

if (Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID}) { 
"Found HotFix: " + $hotfix.HotFixID
exit 0
} 
else { 
"Did not Find HotFix"
exit 1001
}

# If the script returns “Didn’t find hotfix”, this means the partner will want to install the latest windows security updates right away.
# Otherwise, the script will return a specific kB number, indicating the device has a patch already installed.
 
  1. Save content as WannacryPatchCheck.ps1
  2. In Dashboard choose Settings on the top bar
  3. Select Script Manager
  4. Select New
  5. Enter desired Name:, Description:
  6. Select Type: as Script Check
  7. Check Windows box
  8. Upload WannacryPatchCheck.ps1 file and click Save to upload script
  9. Select File on the top bar
  10. Select Add Check
  11. Select Choose Check -> Windows -> 24x7 Checks -> Script Check
  12. Double-click checkboxes next to Servers and Workstations
  13. Select Add New
  14. In Search Script section type name given in step 6
  15. Double-click script to add to devices
  16. Change Script timeout to 150
  17. Click Finish to add check to selected devices
  • To patch affected systems:
    1. Select Settings on top bar
    2. Select Patch Management
    3. Select Management Workflow
    4. Change Date: to All time
    5. Search KB number shown as Missing from report above
User-added image
  1. Select patch and choose Proceed
  2. Select Approve then select Next
  3. Check Servers and Workstations box then select All Clients checkbox to approve patch for all devices
User-added image
  1. Select Schedule for a new time and set desired schedule and reboot settings
User-added image
  1. Select Apply
Rate this article

Did this article help you?

* This field is required

KB: 000044658
  • Product: Remote Management
  • First Published: Wed May 24 14:31:48 GMT 2017
  • Last Modified: Wed May 24 14:31:59 GMT 2017
  • Rating: 4.6
Actions