Report Machines Vulnerable to Wanna Cry
Due to recent events surrounding the recent outbreak of the “WannaCry” ransomware, the WannaCry/Crypt has made international headlines due to the rate of spread for a ransomware attack. The technical community is still assessing the full impact and it is important to understand the vulnerability for the attack was a known vulnerability in Windows. Those with patched OS's should not be affected.
This article is provided to assist customers during their investigation to quickly and easily create a report that identifies machines that may be at risk if they do not have the security monthly rollup or the MS17-010 patches. We have provided two options in which to generate a report, Option 1 being a report based on using log data and Option 2 based on using a custom field.
Special Note: If you have Windows XP/2003/embedded/vista machines, specific patches were released for those, and you can easily manage this through Patch Management without any further intervention. This KB is not to be used as substitute for thorough investigation and patch strategy.
Follow the step-by-step instructions to generate a report based on whichever option you elect.
A copy of these instructions are included in the Zip file as PDF.
UPDATE: The ZIP file has been updated with a new PS1 script from Microsoft based on this article (https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed)
The Agent procedures have also been updated to work on 32 Bits systems.
The Reports files have also been tweaked to work with the new script.
Identifying and Reporting on Machines That Do Not Have Patches Related To Wanna Cry SMB Vulnerability has no reviews.
This will need some work if you run it. It's not OS architecture aware and the PS script does not accurately check for the installed patch, especially on legacy systems. I will be posting my own testing procedure and scripts for patching your systems shortly
The listing has been updated with a new Powershell script provided by Microsoft, as well as new Agent Procedures to work on 32 Bits systems. The reports have also been updated to reflect the changes in the script.
Has anyone updated this to accommodate newer build versions? I run it on 16299 builds and it still shows vulnerable where I don't think Win 10 Ent. Build 16299 is vulnerable. Tried to add the build in the code but not getting it.
Yea, I've noticed that machines that have 1709 on them show as "Vulnerable". Is there a way to add in the script something like "anything [this version] or above is safe"? So you don't have to keep upgrading the script every time a new major patch is released?