8 Replies Latest reply on Jun 1, 2017 9:42 AM by seanholdenx

    What patches to deploy regarding ransomware/wanna_cry

    philcebutv Apprentice

      Just wanted to ask how you guys are dealing with the recent ransomware/wanna_cry. Do the patches come automatically in LANrev, or do you have to download them and deploy them manually?

        • 1. Re: What patches to deploy regarding ransomware/wanna_cry
          swimber@emory.edu Apprentice

          From the standpoint of best practices, I too am interested in how we can use LANrev to mitigate zero-day vulnerabilities.  I feel that what I did was incorrect, in that LANrev did not catch some of my vulnerable machines.

           

          I pulled the LANrev "missing patches" report and searched for each of the KB updates that could leave the machine vulnerable.  I found 6 machines that are vulnerable.

           

          A network scan showed that we actually have 50 vulnerable machines.  We logged into each of the 50 and found that they are indeed missing patches that were included in the list we searched for in the missing patches report, and are actually vulnerable.  All 50 are indeed reporting to LANrev, updating heartbeats, inventory and missing patches information on a regular basis.  Each of the 50 was set up to use LANrev for both Windows patches and third-party patches, and to use only LANrev for OS updates.

           

          About 90 percent of our Windows machines were updated with the appropriate patches via LANrev as these patches were approved in March and were already installed as detected.  50 machines would represent 10 percent of our Windows systems.

           

          What is the "best way" to use LANrev to keep systems updated and patched, and to use it to mitigate zero-day patches?
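          The reconciliation described in this post (an agent-side "missing patches" report against an independent network scan), as an added example that is not from the original post or from LANrev; the CSV layouts, hostnames, heartbeat times and KB ids are constructed placeholders, and the buckets separate agents that are reporting normally yet claim nothing is missing from agents that are simply stale or absent:

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed stand-in for a LANrev "missing patches" export: host, last heartbeat, missing KBs.
LANREV_REPORT = """hostname,last_heartbeat,missing_kbs
ws-001,2017-05-15T08:00:00,KB0000001;KB0000002
ws-002,2017-05-15T08:05:00,
ws-003,2017-04-01T09:00:00,KB0000009
ws-004,2017-05-15T07:50:00,KB0000002
"""
# Constructed stand-in for a network vulnerability scan: hostname, vulnerable (yes/no).
SCAN_RESULTS = """hostname,vulnerable
ws-001,yes
ws-002,yes
ws-003,yes
ws-004,no
ws-005,yes
"""
# Placeholder KB ids (constructed) for the updates that close the scanned flaw.
REQUIRED_KBS = {"KB0000001", "KB0000002"}

def parse_report(text):
    # hostname -> (last heartbeat, set of missing KB ids); an empty field means "nothing missing"
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        kbs = {k for k in r["missing_kbs"].split(";") if k}
        rows[r["hostname"]] = (datetime.fromisoformat(r["last_heartbeat"]), kbs)
    return rows

def parse_scan(text):
    # set of hostnames the scanner flagged as vulnerable
    return {r["hostname"] for r in csv.DictReader(io.StringIO(text))
            if r["vulnerable"].strip().lower() == "yes"}

def reconcile(report_text, scan_text, now, stale_after=timedelta(days=7)):
    """Classify scanner-flagged hosts by what the patch inventory says about them."""
    report = parse_report(report_text)
    managed = set(report)
    flagged = parse_scan(scan_text)
    says_missing = {h for h, (_, kbs) in report.items() if kbs & REQUIRED_KBS}
    out = {"confirmed": sorted(flagged & says_missing),   # both sources agree
           "blind_spots": [],      # agent reporting on time yet claims nothing missing
           "stale_inventory": [],  # agent has not checked in within stale_after
           "unmanaged": sorted(flagged - managed),        # no agent record at all
           "report_only": sorted(says_missing - flagged)}  # inventory flags, scan does not
    for h in sorted((flagged & managed) - says_missing):
        out["stale_inventory" if now - report[h][0] > stale_after else "blind_spots"].append(h)
    return out

def run_example():
    # run against the constructed samples with a fixed "now" of 2017-05-15 12:00
    return reconcile(LANREV_REPORT, SCAN_RESULTS, datetime(2017, 5, 15, 12, 0))
```

The "blind_spots" bucket is the case this post describes: the agent heartbeats and reports inventory on schedule, but its missing-patches data disagrees with what is on the wire.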

          • 2. Re: What patches to deploy regarding ransomware/wanna_cry
            seanholdenx Rookie

            Phil,

             

            With respect to Wannacry, please see KB 27687.  Automation of the package upload to the server will occur if you have agents configured for Patch Management, but like all Software Packages, they will either need to be assigned to an appropriate Computer Group for deployment or manually pushed using 'Install Software Packages...' or 'Install Selected Software Packages...'.

             

            For general monitoring of Microsoft Updates, please see KB 27270.

             

            Sean

            • 3. Re: What patches to deploy regarding ransomware/wanna_cry
              philcebutv Apprentice

              Hi Sean,

               

              Is KB 27687 an MS knowledge base article, or is this Heat's KB? If it is Heat's, how can I retrieve it?

               

              Phil

              • 4. Re: What patches to deploy regarding ransomware/wanna_cry
                seanholdenx Rookie

                Phil,

                 

                If you log into the support portal, choose Knowledge and then search for the number: 27687 or 27270.

                 

                https://support.heatsoftware.com 

                 

                Sean

                • 5. Re: What patches to deploy regarding ransomware/wanna_cry
                  philcebutv Apprentice

                  I got it. Thanks.

                   

                  Why is the Heat KB article under the support portal? Can't it be open here in the forums? It used to be on the old Absolute Software community page, where the KB articles were easily accessible. It is a bit of a hassle going from here to there.

                   

                  I was just checking/reading Stephen's post, and true enough my PC has some patches missing. How can I resolve this? The patches are supposed to reinstall if they fail to install for some reason, right?

                   

                  I have tried running "Run distribution software" on the LANrev console targeting my PC, and it does not seem to install the patches. I can confirm that my PC is in the computer group and that the missing patches required are in that group. The patches reported missing were from the Office 2016 suite, dated 12/6/2016.

                   

                  If I run the local software update on my PC, it tells me that my PC is up to date with the latest patches.

                   

                  This does not look good if I run a missing patch report and present it to our directors - I will easily get fired over this.

                  • 6. Re: What patches to deploy regarding ransomware/wanna_cry
                    seanholdenx Rookie

                    My understanding is that as we merge more of our backend between HEAT and LANDESK, there will be more public exposure of some features; I don't know which, though.

                     

                    You've noticed that if you run Microsoft's Updater locally on the PC, it suggests that it is up to date.  If the local PC doesn't think it requires patches, then LANrev cannot circumvent this with Patch Management.  The LANrev Agent uses Microsoft's API to call Microsoft's update process, and as such we are relying on their process to work and either provide the missing patches list or, where set, install the patches.  Since Microsoft's updater doesn't think patches are required, assigning any patches to a Computer Group that contains this machine will mean these patches are ignored.

                     

                    If you follow KB 27270, this may help guide you to a reason why the computer doesn't think there are updates, e.g. is Microsoft's Updater on that computer out of date (what version of MS Updater is this computer running compared to a similar machine that is working)?

                     

                    Here is a very good article on the issues with Microsoft's Updater:

                     

                    http://www.computerworld.com/article/3067268/windows-pcs/the-shame-of-windows-update.html 

                     

                    If the Updater does need updating, then you may wish to download the update for the Updater and make a Software Package and push it like any other standard Software Package.  The following links should assist with this:

                     

                    https://support.microsoft.com/en-us/help/949104/how-to-update-the-windows-update-agent-to-the-latest-version 

                    Microsoft Update Catalog 

                     

                    Typically, there are one or more patches that must be installed first before the rest will install, and in instances where the MS Updater has bugs, this may never resolve itself.

                     

                    LANrev cannot automatically fix Microsoft's Updater if it is broken, but it can be used as an effective tool to analyse the situation, assist in solving the problem and then automatically push out fixes.  If you require assistance with this, then please open an incident through the support site and we can work with you to help resolve this.

                     

                    Sean

                    • 7. Re: What patches to deploy regarding ransomware/wanna_cry
                      swimber@emory.edu Apprentice

                      Then my case is different, in that the machines that showed missing patches via LANrev actually show missing patches on the local machine via Windows Update.  (I am not trying to hijack this thread, just pointing out my difference in the symptoms.)  Patches are approved on LANrev and the Windows Update agent detects that it needs the patches, and yet months go past before they are applied.  In order to get past WannaCry I ran wsus-offline on these, and I'll see how next Patch Tuesday goes.  Maybe something obscure was missing that needed to be kicked back into place.

                      • 8. Re: What patches to deploy regarding ransomware/wanna_cry
                        seanholdenx Rookie

                        Stephen,

                         

                        Possibly no difference.  When the MS Updater isn't working as expected, it has been known to take hours (or in some cases days) to complete.

                         

                        If it takes the MS Updater considerably longer than the Software Distribution check interval to complete, you can end up in a situation where the agents are overloading the server and updates are not completing.  Missing patches are handled by an Inventory.

                         

                        Every time an SD Check occurs, the endpoints will talk not only to the LANrev Server, but there is also a call to the MS Updater to check appropriate updates with the MS update server (or an internal WSUS if you have one).  Essentially this is a double check between the updates that have been associated with the Computer Group that the endpoint belongs to and a check with the MS Update server to confirm that the patches are indeed appropriate for this machine, including whether there are any newer updates that the LANrev server does not yet have.

                         

                        So every SD Check, the agents are calling out to the MS Update server.

                         

                        Even if there isn't an issue with the MS Updater, if it takes say 20 mins to update and you have say a 60 minute check interval across a large range of devices, the server is not going to be able to supply all the updates and devices will continually get queued.  Add to that the issues with the MS Updater we have seen over the last couple of years, which can cause massive delays or just be broken, and the agents can indeed end up with periods of weeks before they get updated, if indeed they do get updated.

                         

                        All of this stems back to the MS Updater failing to complete in a timely fashion, or ever.  You can of course raise the SD Check interval to provide breathing space to aid the server in coping with a slow-working updater.  It would be prudent, though, to take a look at the version of the updater on machines that appear to be working against those that aren't; you may indeed find some correlation.  Alternatively, it may just be that the SD Check time is too low and as such is too aggressively contacting the server and preventing timely updates.

                         

                        If you feel in some way this doesn't cover your issue, then please create an incident and we can assist you on this.

                         

                        Sean