Code meltdown spectre 2

Meltdown - Spectre Vulnerability Check

Check Endpoint Meltdown Vulnerability

Description

This Agent Procedure will scan for the Meltdown Vulnerability and update custom fields "Meltdown OS" and "Meltdown Hardware" to let you know if the system is safe or needs to be patched.
You need to create the string custom fields "Meltdown OS" and "Meltdown Hardware" before running the procedure.
It also uploads a file with the result of the procedure to the endpoint's GetFile folder and writes the output to the Agent Procedure log.

This is based on the PowerShell module created by Microsoft; you can find more information in this Microsoft article.

Developer
  • Name: Douglas Sanchez
  • Company: Kaseya
  • Website: http://www.kaseya.com
  • 358 Downloads
  • Released on January 4th, 2018

    Discussion
    Steve Sirag 7 months ago

    I've created the "Meltdown" custom field as a string, updated my Powershell to v 5, and run this script on multiple systems. The Meltdown custom field remains empty, despite the anticipated data showing up in the procedure log and getfile.

    Justin 7 months ago

    I have the same problem.

    Steve Sirag 7 months ago

    Further feedback: I'm not sure this script, when working, would return a valid result. I've installed KB4056898 on a Windows 2012 R2 server and the vulnerability check shows result as follows:

    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : False
    KVAShadowPcidEnabled : False

    Justin 7 months ago

    My understanding is it should return NEEDS PATCHING in the Meltdown custom field in that case because it's failed at least one of the tests.

    Douglas Sanchez 7 months ago

    This is an issue with the logic in the script. I am updating it right now. I will post back here once I upload the new version.

    Marc Friesen 7 months ago

    Thank you Douglas!

    Justin 7 months ago

    Thank you Douglas!

    Buster Davis 7 months ago

    I got your updated procedure and ran it on my Windows 10 machine.. Meltdown field not populating

    Joshua Montague 7 months ago

    Buster, I don't think the new version is on here yet. Douglas said he would post when he uploaded the fix.

    Buster Davis 7 months ago

    ok

    Garry Carroll 7 months ago

    @Steve Sirag, there are registry keys to set to enable the protection for servers, which I believe is why you are still getting False in the last two readings: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    I modified the script to add a 'PS needs updating' if the txt file doesn't exist after the powershell commands, and am setting the Meltdown field to 'EOF' if the script fails the If/Else at the end.

    Currently doing further research and testing before rolling the mitigations out though, given there are reports of BSODS on Win7/AMD and 2008/2012 support has been 'edited out' on the MS advisories.

    Joel Cosentino 7 months ago

    @Douglas Sanchez how's the update going?

    Chris 7 months ago

    Because the first check (final IF statement in the script) passes but one of the next ones does not, this is why the field Meltdown remains blank. The "Needs Patching" currently only shows up if that first condition is false.

    There might be a way to set a variable at the end of that chain of IFs indicating all passed, and make a condition / update based on that result.

    Buster Davis 7 months ago

    so if it is blank then it is ok? I am confused

    Chris 7 months ago

    A simple edit here appears to fix the logic. If OP could fix this / test / re-post.
    For now, my proposed fix, via Edit Procedure:

    Move the updateSystemInfo "Needs Patching" line right above the other If statements (directly below the Update Custom Field "Meltdown" comment).
    Remove the Else at the bottom.
    This will cause the field to say "NEEDS PATCHING" unless, further down, the IF statements process all the way down to where the "System Patched for Meltdown" line is.

    Douglas Sanchez 7 months ago

    Let me check the status of the update. I sent the file but am waiting for it to be uploaded. I'll update you guys once it is up.

    Douglas Sanchez 7 months ago

    The updated version of the script has been uploaded. It will now update the custom field with the correct data. Let me know if I need to tweak it any more.

    Tim Rhymer 7 months ago

    Douglas, this does not work on machines that do not have Powershell 5.x, which could be problematic for all machines pre Windows 10/Server 2016. I modified your script to utilize a set of scripts here https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050. This is virtually the same thing except the module is manually loaded and requires setting the execution policy to at least RemoteSigned. I have had success with this script on Windows 7, 8.1, 10 as well as Server 2008, 2008 R2, 2012, 2012 R2, 2016. I also handled the flag for checking whether the machine is patched or not and broke out KVA and BTI. It's my understanding that KVA will indicate if the OS is patched and BTI will indicate if your firmware is patched. In our environment, it was useful to know both, so our script requires two separate custom fields. Can I send you my procedure xml for consideration?

    Chris 7 months ago

    I too tried this script, but Kaseya failed to import due to invalid text. I'm in the process of rewriting to work with Powershell 4. I'll post an update later today. In my version you do not need a custom field.

    Douglas Sanchez 7 months ago

    The procedure uses the Install-module command from Powershell 5.0. I will keep you updated once I upload a tweaked version.

    alex smith 7 months ago

    is it supposed to fail after it runs power-shell check

    Buster Davis 7 months ago

    so if the machine does not have PS 5.0 on it, will it not run?

    Douglas Sanchez 7 months ago

    It will fail without Powershell 5.0 as it uses a command that came out with this version. I am in the process of updating the procedure to be compatible with older Powershell. I'll keep you all updated when it is uploaded.

    Buster Davis 7 months ago

    @Tim Rhymer, can you email me your script to try please. bdavis@lineagelogistics.com

    alex smith 7 months ago

    i have 5.0

    Jose Rodino 7 months ago

    @Tim Rhymer, seems interesting. Deploying PS5 will add other nightmare to the issue. Care to share?

    Brian Barrus 7 months ago

    Really appreciate the work here. Would be interested if there is a way around the PS5 part if anyone is willing to share. @Tim Rhymer

    Chris 7 months ago

    My script gets around the ps5 requirement. I'm in the process of implementing 3 additional Items: 1. the Powershell Package Management installation, 2. Nuget module download/install, 3. Regkey setting/implementation.

    Tim Rhymer 7 months ago

    @Jose and @Brian and whoever. Here is a link to our blog with my script in its current form. I believe @Douglas will be incorporating some of it in an updated version soon. https://www.interworks.com/blog/trhymer/2018/01/10/how-use-kaseya-detect-meltdown-and-spectre-vulnerable-machines

    Pedro P. Polakoff III 7 months ago

    Some great ideas and coding there Tim but it's apparently not just a PoSh 5.x thing and may also be tied to the .net version because I'm unable to get it working on anything other than windows 10 & server 2016 in our environment where many of our clients freeze the .net versions that are installed also.

    Tim Rhymer 7 months ago

    Hey Pedro, are you seeing errors in your agent logs when running the procedure? I've tested mine on many machines and versions of Windows without issue.

    Pedro P. Polakoff III 7 months ago

    In all cases the failure is in reading the contents of the file created by the Get-SpeculationControlSettings | Out-File .... portion of the script. The file is not being created which indicates a failure in the cmdlet to execute.

    Pedro P. Polakoff III 7 months ago

    So .. I think we have a BUG. On some systems the scripts work perfectly well regardless of PoSh version. On others the portion of the script that runs the command to get the settings and write the meltdown.txt file consistently fails to write the file. The same command, run manually on the system, will create the file. The failure only happens if the PoSh version is

    Chris 7 months ago

    Pedro, are you seeing this error?
    The term 'Get-SpeculationControlSettings' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-SpeculationControlSettings: String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Douglas Sanchez 7 months ago

    This error means the module is not getting imported correctly. This command is only available/working once the module is imported. You might want to check if you placed the files in the correct location in the server so that the procedure can push it out to the endpoint.
    I am about to upload a new procedure, based on Tim's, that will download the files directly from the web so as to not depend on uploading the files to the VSA. I will post here once it is up.

    Chris 7 months ago

    @Douglas, I discovered that the module isn't getting imported because the remote endpoint wants me to Press "Y" to continue. This happens despite setting execution to unrestricted. I have a script in my toolbox that pushes the "Y" command, let me see if it will also work in this scenario.

    Douglas Sanchez 7 months ago

    @Chris I believe you could also edit the script to add the -Force argument to the Import-module command. This should bypass the prompt asking for confirmation (The prompt to push Y)

    Tim Rhymer 7 months ago

    @Chris, I've seen that same behavior as well when running these commands manually, but the agent procedure running as a system user appears to bypass that on all the machines I've tested. Could be a difference in ExecutionPolicy but my script sets the ExecutionPolicy to RemoteSigned and that should be what is needed for importing the module and running the cmdlet. I would not recommend setting the policy to unrestricted unless you are collecting the current policy and setting it back after finishing. Even then I would be cautious in case the script fails to complete for some reason and make sure the policy gets set back regardless of any previous steps failing.
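
The caution in the comment above about always putting the execution policy back, shown as an added example (it is not the procedure's code or any poster's script). Invoke-WithExecutionPolicy is a hypothetical helper, and the demonstration uses the Process scope so that nothing persists after the session ends.

```powershell
# Added example, not the thread's procedure. Invoke-WithExecutionPolicy is a hypothetical helper.
function Invoke-WithExecutionPolicy {
    param(
        [scriptblock]$Action,
        [string]$Policy = 'RemoteSigned',
        [string]$Scope  = 'Process'
    )
    # Record what is configured at this scope before touching it.
    $original = Get-ExecutionPolicy -Scope $Scope
    try {
        # -ErrorAction Stop: do not run the action if the policy could not be applied.
        Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope $Scope -Force -ErrorAction Stop
        & $Action
    }
    finally {
        # Runs whether $Action succeeded or threw, so the policy is always put back.
        Set-ExecutionPolicy -ExecutionPolicy $original -Scope $Scope -Force
    }
}

# Constructed demonstration: the action fails part-way, as a broken check script might.
$before = Get-ExecutionPolicy -Scope Process
try {
    Invoke-WithExecutionPolicy -Action {
        "Policy during check: $(Get-ExecutionPolicy -Scope Process)"
        throw 'simulated failure in the check'
    }
}
catch {
    "Check failed: $($_.Exception.Message)"
}
"Policy restored: $((Get-ExecutionPolicy -Scope Process) -eq $before)"
```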

    Chris 7 months ago

    @Douglas, I've tried the -Force switch, same issue. I was reading an article on github, someone with similar issue. Something to do with non-interactive mode and the prompt failing.

    "PowerShellGet needs to have nuget.exe. Since the machine does not have nuget.exe, PowerShellGet will prompt the user to install it. However, it seems you are running in non-interactive mode so the prompt fails. In the future, we will add an option where Publish-Module -Force will install nuget.exe to you without prompting." this was back in 2016

    Douglas Sanchez 7 months ago

    @Chris, for another procedure I worked on, I add a line running "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force" via powershell prior to installing/importing the module. You might want to add this line at the beginning of the procedure and see if it helps.

    Buster Davis 7 months ago

    douglas is your procedure updated now to work without PS5.0

    Douglas Sanchez 7 months ago

    @Buster, not yet, I am waiting to get the Zip file uploaded.

    Pedro P. Polakoff III 7 months ago

    @Chris, the problem is not in the execution of the command, the problem is that the output file is not being created with the details of how/why having been provided in a later message in this thread. I have verified that the command, when entered manually on the same systems that they are failing on work exactly as expected and that the problem is 100% a failure of the "| Out-File .." portion of execution of the PoSh command to create meltdown.txt.

    Douglas Sanchez 7 months ago

    I finally uploaded the edited version. It is a mix between the old one I uploaded and Tim's (Thanks again Tim.) I changed it to download the module directly from Microsoft, and renamed the custom fields to make it slightly easier. Always welcoming any feedback. ;)

    Brian Barrus 7 months ago

    Thanks Douglas. I am pretty sure I am fully patched at the OS level at least. The previous uploaded script showed me as patched but this version shows me as vulnerable. I haven't dug in much at all to see what it is doing but wanted to let you know. Thanks for all the work.

    Rob Shaw 7 months ago

    My OS should be fully patched as well but this and last version showed me as vulnerable. What is this script checking? I would like to verify that I have everything I need to be patched up.

    Douglas Sanchez 7 months ago

    So the script is now using the logic from Tim's procedure. It checks for the 4 KVA variables, if all 4 are True, your system is patched at the OS level. (Patched for Meltdown.) It also checks for all 5 BTI variables, if the first 3 are True, and the last 2 are False, the system should be safe at the Hardware level (Spectre.) As far as I know, so far, there is no way to be patched for Spectre as Microsoft hasn't released a patch. From my research, it will need to be a firmware update.

    Pedro P. Polakoff III 7 months ago

    I'm thinking that there are cases where, at least for the BTI check that one or two may be sufficient (i.e. if it's disabled then the processor does not have the flaw) so I'm modifying our copy to also add the full details of the output into an MCF "Meltdown Details"
    In general, however, this version works around the bug I was seeing and has consistent success rates

    Brian Barrus 7 months ago

    So I will try not to get in to a log debugging conversation but here is my output with KVA:2, which I believe it should be KVA:4.

    BTIHardwarePresent : False
    BTIWindowsSupportPresent : True
    BTIWindowsSupportEnabled : False
    BTIDisabledBySystemPolicy : False
    BTIDisabledByNoHardwareSupport : True
    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : True
    KVAShadowPcidEnabled : True

    KVA:2
    BTI:0

    Brian Barrus 7 months ago

    I think using double quotes instead of single quotes around the matches fixed it for me.

    Justin 7 months ago

    Hi Brian, could you elaborate on which sections need the change?

    Chris 7 months ago

    @Douglas, the latest procedure worked like a charm. I was able to augment it to our needs (Our output requirement needed to be more detailed, like Pedro). Once I moved SpeculationControl.psd1 to be local instead of relying on the repository being trusted before installing the module, everything worked.

    Our output is as follows:
    Machines that show patched: _MeltdownPatched.txt
    Machines that Require patch: _RequiresMeltdownPatch.txt
    File contents:
    Speculation Details: 01-11-2018_15:01


    BTIHardwarePresent : False
    BTIWindowsSupportPresent : False
    BTIWindowsSupportEnabled : False
    BTIDisabledBySystemPolicy : False
    BTIDisabledByNoHardwareSupport : False
    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : False
    KVAShadowWindowsSupportEnabled : False
    KVAShadowPcidEnabled : False

    This allows us to have granular output as well as simple (patched/notpatched) output.

    Tim Rhymer 7 months ago

    Hey Brian, looking at what you pasted, I think you might have altered the number of spaces between the attribute and the value. It looks like you only have 1 space between the attribute name and the colon. If that is the case, the only two that would match are "KVAShadowWindowsSupportPresent" and "KVAShadowWindowsSupportEnabled". If you copy the below in notepad or another simple text editor, you should see what I mean about the spacing. I checked Douglas' most recent version and confirmed his does contain the spacing.

    BTIHardwarePresent : False
    BTIWindowsSupportPresent : False
    BTIWindowsSupportEnabled : False
    BTIDisabledBySystemPolicy : False
    BTIDisabledByNoHardwareSupport : False
    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : False
    KVAShadowWindowsSupportEnabled : False
    KVAShadowPcidEnabled : False

    Tim Rhymer 7 months ago

    Also, the single quotes are necessary. Using double quotes will result in an error and the KVA:# and BTI:# are not written to the end of the file.

    Tim Rhymer 7 months ago

    @Brian, disregard my comment on pasting the below in notepad. Just noticed new lines and extra spacing gets stripped out of comments on here. I still have a feeling you are getting the incorrect match due to spaces not being exact. Can you put the output of your agent logs to paste bin and link here. The agent log I would be interested to see is the one that outputs the contents of the meltdown.txt file.

    Rob Shaw 7 months ago

    I'm not sure why my machine is showing vulnerable. There isn't anything left for me to update on my OS. Could someone point me towards a website that can give me more detailed instructions on what to do and what to check?

    Pedro P. Polakoff III 7 months ago

    I found the problem .. when the script is written via the echo commands it's condensing the white space between the item being tested, the colon (:) and the tested value.

    Brian Barrus 7 months ago

    @Tim, I can duplicate my findings. I have counted all the spaces and they seem correct. With single quotes I get KVA:2 BTI:0 (see my original output above). With double quotes (see below), I get KVA:4 BTI:2 (which is expected). Just relaying my findings.

    echo ('KVA:' + (Get-Content #vAgentConfiguration.agentTempDir#\meltdown.txt ^| Select-String -Pattern ("KVAShadowRequired : True","KVAShadowWindowsSupportPresent : True","KVAShadowWindowsSupportEnabled : True","KVAShadowPcidEnabled : True")).Matches.Count) ^| Out-File #vAgentConfiguration.agentTempDir#\meltdown.txt -Append >>>> #vAgentConfiguration.agentTempDir#\MeltdownCHeck.ps1

    Chris 7 months ago

    @Rob can you run the commands locally on your machine, and post your output? ie:
    __1. Set-ExecutionPolicy RemoteSigned -Scope Currentuser;
    __2. Import-Module
    __3. Get-SpeculationControlSettings

    Chris 7 months ago

    Here is the compliance code I am using, [Executing as system, and not system x64]
    the output is simple: Compliance Status=False or Compliance Status=True

    PowerShell -Command "& {Set-ExecutionPolicy RemoteSigned -Scope Currentuser; Import-Module #vAgentConfiguration.agentTempDir#\SpeculationControl\SpeculationControl.psd1 -Force; Function CheckCompliance() {$compliance = $false; $SpeculationControlSettings = Get-SpeculationControlSettings; if ($SpeculationControlSettings.KVAShadowRequired -eq $False) {$compliance = $True} elseif ($SpeculationControlSettings.KVAShadowRequired -eq $True -and $SpeculationControlSettings.KVAShadowWindowsSupportPresent -eq $True -and $SpeculationControlSettings.KVAShadowWindowsSupportEnabled -eq $True -and $SpeculationControlSettings.KVAShadowPcidEnabled -eq $True) {$compliance = $True} return $compliance;} $a='Compliance Status='; $b=CheckCompliance; Write $a$b | set-content c:\temp\_Meltdown-out.txt}"

    Brian Barrus 7 months ago

    Are there pre-req's to this one as well? Single or double quotes, I don't get any output in the Meltdown.txt files on the few Windows 7 machines I tried it on.

    Tim Rhymer 7 months ago

    @Chris, very nice. I was trying to make whole pattern matching thing work, but this is much easier logic to follow. Thanks for sharing!

    Chris 7 months ago

    @Tim, Thanks.

    The next procedure I have is load the file, check for True or False. If false write a file & append the details, if True do the same:

    PowerShell -Command "& {Import-Module #vAgentConfiguration.agentTempDir#\SpeculationControl\SpeculationControl.psd1 -Force; Function GetDetails(){$a='Speculation Details: '; $DT=$(get-date).ToString('MM-dd-yyy_HH:mm'); $SpeculationControlSettings = Get-SpeculationControlSettings; Write-output $a$DT $SpeculationControlSettings} GetDetails | out-file 'c:\temp\_Meltdown-UNPatched.txt'}" >> c:\temp\_Meltdown-UNPatched-output.txt

    Buster Davis 7 months ago

    Not to jump the subject But I see that MS has released a patch for a certain version number of Windows 10. What if you don't have that certain version? Are there patches available on all of versions of Windows 10?

    Justin 7 months ago

    Hi Buster,

    There is a different patch per Windows 10 Version Build(1709, 1703, 1607, 1511 etc) You need to install the patch that applies to your Windows 10 Build.

    Pedro P. Polakoff III 7 months ago

    The new script logic, while an improvement is still failing on PoSh versions push-location #vAgentConfiguration.agentTempDir#; .\meltdowncheck-working.ps1; pop-location
    I also separate out the score checks from the meltdown.txt into meltdown-score.txt so that I can fill-in mt variables "Meltdown KVA", "Meltdown BTI", & "Meltdown Details" with separate information for debugging & reporting purposes

    Tim Rhymer 7 months ago

    Out-File is supported back to PS 3.x - What version of PS do the machines have that are failing?

    Pedro P. Polakoff III 7 months ago

    Nailed it!! Out-File leaves the stream open so when exiting the PoSh script the file may not exist which causes the scripts as they exist to not find an actual file to read. I modified the meltdown-working.ps1 script to guarantee the file exists and to use append-content instead (also makes testing for the counts easier). The end result is that the MCFs are filled with values that truly reflect the status of the script run, including noting that Linux & MacOS are not supported. More than happy to share the script and the underlying .ps1 file

    Robin Mascall 7 months ago

    Pedro, I'd be keen to see the final code if you don't mind sharing?

    Pedro P. Polakoff III 7 months ago

    Just need approval from my boss since I did the work on their time and I'll post it to my OneDrive for Business

    Buster Davis 7 months ago

    Well I went out and found the patch for my laptop and installed it on my machine, let it reboot and re ran the script douglas and it said my machine was still vulnerable

    Buster Davis 7 months ago

    Tim R, I ran your script and it detected that my machine was patched on the OS side. YES

    Douglas Sanchez 7 months ago

    I just did some more testing, finally getting my own machine patched up. I got the 4 True but the procedure shows up as Vulnerable. I am looking into it right now and will update when I can.

    Nicholas Tobin 7 months ago

    @buster, where is the updated script from Tim R ??

    Chris 7 months ago

    @Douglas, in order for compliance to equal TRUE, the following also has to be true. Either [KVAShadowRequired:False] OR
    [KVAShadowRequired:True, AND KVAShadowWindowsSupportPresent:True AND KVAShadowWindowsSupportEnabled:True AND KVAShadowPcidEnabled:True]

    Buster Davis 7 months ago

    Tim emailed it to me. If he is ok I can email it to you.

    Douglas Sanchez 7 months ago

    I just uploaded an edited version of the script. As mentioned by Pedro, the script was condensing the spaces, thus showing a Patched machine as Vulnerable because it could not find the correct string. It tested well on my end.
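
The checks discussed in this thread, as an added example (it is not the procedure's code or any poster's script): it parses the text output of Get-SpeculationControlSettings with whitespace-tolerant matching, starts from NEEDS PATCHING so that only a full pass overrides it, and reports UNKNOWN when the file holds no settings. The function names, the UNKNOWN label and the sample lines are constructed for illustration.

```powershell
# Added example; function names, status labels and sample data are assumptions.

function ConvertFrom-SpeculationText {
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # \s* on both sides of the colon: column padding and a single space both match.
        if ($line -match '^\s*((?:BTI|KVAShadow)\w+)\s*:\s*(True|False)\s*$') {
            $settings[$Matches[1]] = ($Matches[2] -eq 'True')
        }
    }
    return $settings
}

function Get-CheckStatus {
    param([hashtable]$Settings, [hashtable]$Expected)
    # A missing value means the check never produced output; that is not a verdict.
    foreach ($name in $Expected.Keys) {
        if (-not $Settings.ContainsKey($name)) { return 'UNKNOWN' }
    }
    # Default to NEEDS PATCHING; only a full set of passing checks overrides it.
    $status = 'NEEDS PATCHING'
    $failed = @($Expected.Keys | Where-Object { $Settings[$_] -ne $Expected[$_] })
    if ($failed.Count -eq 0) { $status = 'PATCHED' }
    return $status
}

function Get-MeltdownOsStatus {
    param([hashtable]$Settings)
    $expected = @{
        KVAShadowRequired              = $true
        KVAShadowWindowsSupportPresent = $true
        KVAShadowWindowsSupportEnabled = $true
        KVAShadowPcidEnabled           = $true
    }
    $status = Get-CheckStatus -Settings $Settings -Expected $expected
    # Rule from the thread: KVAShadowRequired False counts as compliant on its own.
    if (($status -ne 'UNKNOWN') -and (-not $Settings['KVAShadowRequired'])) {
        $status = 'PATCHED'
    }
    return $status
}

function Get-SpectreHardwareStatus {
    param([hashtable]$Settings)
    # Rule from the thread: first three BTI values True, last two False.
    $expected = @{
        BTIHardwarePresent             = $true
        BTIWindowsSupportPresent       = $true
        BTIWindowsSupportEnabled       = $true
        BTIDisabledBySystemPolicy      = $false
        BTIDisabledByNoHardwareSupport = $false
    }
    return (Get-CheckStatus -Settings $Settings -Expected $expected)
}

# Constructed samples: the same values with collapsed and with padded spacing,
# plus a file that contains only the two score lines and no settings.
$samples = @{
    collapsed = @(
        'BTIHardwarePresent : False', 'BTIWindowsSupportPresent : True',
        'BTIWindowsSupportEnabled : False', 'BTIDisabledBySystemPolicy : False',
        'BTIDisabledByNoHardwareSupport : True', 'KVAShadowRequired : True',
        'KVAShadowWindowsSupportPresent : True', 'KVAShadowWindowsSupportEnabled : True',
        'KVAShadowPcidEnabled : True'
    )
    padded = @(
        'BTIHardwarePresent             : False', 'BTIWindowsSupportPresent       : True',
        'BTIWindowsSupportEnabled       : False', 'BTIDisabledBySystemPolicy      : False',
        'BTIDisabledByNoHardwareSupport : True',  'KVAShadowRequired              : True',
        'KVAShadowWindowsSupportPresent : True',  'KVAShadowWindowsSupportEnabled : True',
        'KVAShadowPcidEnabled           : True'
    )
    empty = @('KVA:', 'BTI:')
}

foreach ($name in 'collapsed', 'padded', 'empty') {
    $parsed = ConvertFrom-SpeculationText -Lines $samples[$name]
    '{0,-10} OS={1}  Hardware={2}' -f $name,
        (Get-MeltdownOsStatus $parsed), (Get-SpectreHardwareStatus $parsed)
}
```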

    Brian Barrus 7 months ago

    @Douglas, worked now for me on my Windows 10 machine. Thanks! Are there any pre-req's to this such as PoSh 5?. I am running it on a Windows 7 x64 machines and while I get the meltdown.txt file created, it only contains two lines: KVA: (next line) BTI:. There is no speculation output. Just wanted to check before I dug in. Thanks again.

    Pedro P. Polakoff III 7 months ago

    @Brian, THAT is the issue that I've been seeing and working to resolve. We have 13K+ systems that I'm checking against and currently, even with the modifications that I've made to work around the failure to either create or fill-in meltdown.txt there is less than a 58% success rate.

    Brian Barrus 7 months ago

    Are you seeing the same issue even on machines with updated Powershell?

    Pedro P. Polakoff III 7 months ago

    Some systems, with PoSh 5.x, have failed but those are failing in different areas. All of the failures are in PoSh versions

    Brian Barrus 7 months ago

    Yah. I just updated one of the machines to PoSh 5 and when I run the script I still get a blank meltdown.txt. Good luck!

    Buster Davis 7 months ago

    Douglas, I just downloaded your updated version and it worked and showed the correct information

    Chris 7 months ago

    Is anyone else having issues with the download?
    A new day dawns, new issues; the download link is no longer valid: https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050/file/185258/1/SpeculationControl.zip
    Script Center > Repository > The page does not exist

    Douglas Sanchez 7 months ago

    I just tested it and it is correct, the link is down. This seems to be the new URL: https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050/file/185444/1/SpeculationControl.zip

    I will need to update the procedure, in the mean time, feel free to replace the link of the GetURL function with this new one.

    Buster Davis 7 months ago

    It may be a good thing to add a step to check to make sure the downloaded file exists? just a thought

    Pedro P. Polakoff III 7 months ago

    Have fun! 100% working & highly detailed:
    https://polakoff-my.sharepoint.com/personal/pedro_polakoff_us/_layouts/15/guestaccess.aspx?docid=0e060f0c37eac4a20b313cb56a3f9b90f&authkey=Ab2GOyDNMM4lu5yCsjMlytk&expiration=2018-04-12T21%3A39%3A03.000Z&e=EjoJot

    Documentation on use & results is included

    Pedro P. Polakoff III 7 months ago

    I have a 100% working, with extensive details captured, set of scripts that I'm willing to share but I can't post a link to the file in my OneDrive here. If there is a place I can upload it here to share it, wonderful, otherwise let me know how I can get the .zip file available to everyone and you can 'ave at it!

    Pedro P. Polakoff III 7 months ago

    Guess it did post.. Have fun!

    Pedro P. Polakoff III 7 months ago

    I caught a small mistake in the working script and I fixed it. In case you grabbed it before 6:20pm ET here's the link to the changed .ps1 file only: https://polakoff-my.sharepoint.com/personal/pedro_polakoff_us/_layouts/15/guestaccess.aspx?docid=0fa17424a5fae40d5ba19ba9fddbd55b1&authkey=AXsAAtsG03r8N1_COQRR5q0&expiration=2018-04-12T22%3A21%3A53.000Z&e=90Zjqe

    Pedro P. Polakoff III 7 months ago

    I have relocated the files and shared the entire folder so you can pick & choose what you want of it. There have been some changes since yesterday:
    https://polakoff-my.sharepoint.com/personal/pedro_polakoff_us/_layouts/15/guestaccess.aspx?folderid=043ad71ed22de472788fa8e7ef8f09511&authkey=Ad0eM5WILMuoaLDYTJV8ndk&expiration=2018-04-13T18%3A48%3A43.000Z&e=1CQJ1b

    Pedro P. Polakoff III 7 months ago

    The manifest for the module, as provided in the version 1.0.4 current download, is invalid on Server 2008 & Windows 7.
    I have corrected it in the version I'm using and I have placed an updated SpeculationControl.zip in the shared files on my OneDrive for Business along with having updated the original files for those who prefer to have everything in one .zip file to download.
    --
    I have now completed testing this on all 13K+ systems with a 100% success rate.

    TVarvais 7 months ago

    Excellent Job Everyone! Thanks for the time and commitment to get a well-developed procedure out to our community!

    Ryan 7 months ago

    Pedro: I'm giving your setup a test. When I run the script, this is what I get in our logs: https://imgur.com/a/C6wrN

    My procedure just basically writes the files you provided to the agent temp directory then executes the .ps1 file. Is there something that needs done differently? Thanks for the assist!

    Ryan 7 months ago

    Pedro: I'm giving your setup a test. When I run the script, this is what I get in our logs: https://imgur.com/a/C6wrN Also, no text files are created that I can find. My procedure just basically writes the files you provided to the agent temp directory then executes the .ps1 file. Is there something that needs done differently? Thanks for the assist!

    Ryan 7 months ago

    Sorry for the repeat post, it kept telling me the posting had failed. Thanks again.

    Ryan 7 months ago

    I'm an idiot. I missed the XML file in your post. I should be good. Thanks!

    Pedro P. Polakoff III 7 months ago

    I do suggest grabbing the complete meltdown-spectre-working.zip file initially unless you previously grabbed it and only need the fixes. As noted, it's now been run against 13K+ systems in our environment with a .02% failure rate and the results have been exported to .csv files, reformatted and provided to our "C Level" execs for review since the information was so complete.

    Brian Barrus 7 months ago

    @Pedro, what is the 'fix' for the Windows 7 and 2008 issue you started above?

    Nicholas Tobin 7 months ago

    Is the download up to date with the latest script that works properly?

    Douglas Sanchez 7 months ago

    The download link is down again in the procedure. For info I used the direct link from the zip file at: https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050/
    You can either replace it in the script until I get it updated, or download it, upload it to the VSA and use a WriteFile function instead of GetUrl in the procedure.

    Pedro P. Polakoff III 7 months ago

    @Brian, you need to edit the .ps1 file and change the exposed module from RootModule to ModuleToProcess.

    Martin James 7 months ago

    Thanks for the script everyone. @Brian, how did you export the list / results to CSV?

    Marc Friesen 7 months ago

    I created a variant of this script for when you need details on which parts of speculation-control pass or fail. Insert a getfile command at line 28, which gets file from:
    #vAgentConfiguration.agentTempDir#\meltdown.txt
    and writes to:
    ..\Docs\meltdown-#vAgentconfiguration.machname#.txt
    and you can then see the full source file from each agent's "documents" section before the parsing that converts it to custom fields. Useful for troubleshooting.

    Pedro P. Polakoff III 7 months ago

    In case anyone wants to review the modifications that I made prior to downloading, here are the contents of the "How to use this" file:
    Create a folder on your Kaseya Server's VSAShared Files called "PoSh" and copy the meltdown-working.ps1 script
    and SpeculationControl.zip to that folder so it can be downloaded.

    Create three MCFs:
    "Meltdown KVA"
    "Meltdown BTI"
    "Meltdown Details"

    Import the script and launch it.

    Results you will see:

    Meltdown KVA:
        "Audit Required"
        "Protected"
        "OS Patched & Protected"
        "OS Patched & Vulnerable: Support Disabled"
        "OS Patched & Protected: No Optimization"
        "OS Patched & Vulnerable: Support Disabled & No Optimization"
        "Vulnerable"

    Meltdown BTI:
        "Audit Required"
        "No Hardware Support"
        "Disabled by System Policy"
        "Protected"
        "Vulnerable"

    Meltdown Details will contain the full details of what was found
    example: "KVA:OS Patched & Protected BTI:Disabled by System Policy"
    or "ERROR: ...." indicating an error occurred and the details of that error.
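
An added example, not part of the post above or of Pedro's script: one way to turn the `Name : True/False` lines written by Get-SpeculationControlSettings (the format quoted earlier in this thread) into the status strings listed above. The flag-to-label mapping is an assumed reading of those labels, the function names are hypothetical, and the BTI lines in the sample are constructed.

```powershell
# Constructed sample: KVA values as quoted earlier in the thread, BTI values invented.
$sample = @'
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False
'@

function ConvertFrom-SpeculationText {
    param([string]$Text)
    $flags = @{}
    foreach ($line in $Text -split "`r?`n") {
        # Keep only "Name : True|False" lines; banner and advice text are skipped.
        if ($line -match '^\s*(\w+)\s*:\s*(True|False)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'True')
        }
    }
    return $flags
}

# Assumed mapping from flags to the labels in the post above (not Pedro's code).
function Get-KvaStatus {
    param([hashtable]$Flags)
    $needed = 'KVAShadowRequired','KVAShadowWindowsSupportPresent','KVAShadowWindowsSupportEnabled','KVAShadowPcidEnabled'
    # A missing flag means the check did not run cleanly, so do not guess.
    foreach ($n in $needed) { if (-not $Flags.ContainsKey($n)) { return 'Audit Required' } }
    if (-not $Flags.KVAShadowRequired) { return 'Protected' }
    if (-not $Flags.KVAShadowWindowsSupportPresent) { return 'Vulnerable' }
    $issues = @()
    if (-not $Flags.KVAShadowWindowsSupportEnabled) { $issues += 'Support Disabled' }
    if (-not $Flags.KVAShadowPcidEnabled) { $issues += 'No Optimization' }
    if ($issues.Count -eq 0) { return 'OS Patched & Protected' }
    $state = if ($Flags.KVAShadowWindowsSupportEnabled) { 'Protected' } else { 'Vulnerable' }
    return "OS Patched & ${state}: " + ($issues -join ' & ')
}

function Get-BtiStatus {
    param([hashtable]$Flags)
    if (-not $Flags.ContainsKey('BTIWindowsSupportEnabled')) { return 'Audit Required' }
    if ($Flags.BTIWindowsSupportEnabled) { return 'Protected' }
    if ($Flags.BTIDisabledByNoHardwareSupport) { return 'No Hardware Support' }
    if ($Flags.BTIDisabledBySystemPolicy) { return 'Disabled by System Policy' }
    return 'Vulnerable'
}
$flags = ConvertFrom-SpeculationText -Text $sample
"KVA:{0} BTI:{1}" -f (Get-KvaStatus $flags), (Get-BtiStatus $flags)
```

Reporting the individual failing check rather than a single "Vulnerable" value shows whether a machine is missing the OS patch or has the patch installed with the mitigation switched off.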

    Martin James 7 months ago

    Great, thanks Pedro. How did you export the results to .csv as you mentioned earlier?

    Jeff Shields 7 months ago

    @martin james - I created a legacy report (Aggregate Table) including the machine name and the custom fields the meltdown information is stored in. The output can be written to csv or html by default.

    Martin James 7 months ago

    Thanks @Jeff

    Pedro P. Polakoff III 7 months ago

    @Martin, I set up a column set containing the information that was wanted with a couple of associated views and then I export to CSV. I use the views to quickly locate systems with failures so that our engineers can quickly start looking into the reasons for the failures, make corrections, and re-run the script against them.

    Jeremy Hinkle 4 months ago

    @Pedro, can you create your own listing of your script? That way, you can always edit how to install it on the main page without someone having to read all these comments in order to use it.

    Right now, I implemented this script and it says "Vulnerable" for every machine for "Meltdown hardware" AND "Meltdown OS".

    Jayson Roesel 2 months ago

    I've looked through all of this and I'm still having issues getting anything other than vulnerable on both reported. When I run InSpectre release 8, I show meltdown protected: yes. But this says I'm still vulnerable.

    Please advise.

    Douglas Sanchez 2 months ago

    Hi Jayson, you may need to take a look at the output of the script to get more details than the custom field.
    I believe I set it so if anything is vulnerable, it shows as Vulnerable. Since then they might have figured out better tests than this script for it. We released this script early on when Meltdown and Spectre just came out.