Comments

22 comments

  • Chris James

    Hey there Steve,

    Looks like we won't be able to get this up and running with any speed, as the License Agreement is pretty clear and the only way around it is a written agreement between Intel and us:

    2. You may not copy, modify, rent, sell, distribute or transfer any part of the Software except as provided in this Agreement, and you agree to prevent unauthorized copying of the Software.

    In the past, Colby put together some useful tools you can try to use from the last time Intel did a whoops: https://support.pdq.com/hc/en-us/community/posts/115000035311-Intel-Active-Management-Technology
  • Stephen Valdinger

    I'm working on a package for ya. They won't be able to provide it in the library, but that doesn't mean I can't put an XML document here for you to import if you download the binaries yourself :).

    I'm testing it now, give me about an hour to polish it up and post.

  • Stephen Valdinger

    Ok, here's a PDQ package that seems to do the trick. NOTE: I do tattoo the registry with this, but it's for a cool purpose I'll get to in a second.

    Deploy Package:

    <?xml version="1.0" encoding="utf-8"?>
    <AdminArsenal.Export Code="PDQDeploy" Name="PDQ Deploy" Version="15.2.0.0" MinimumVersion="15.0">
    <Package>
    <CurrentLibraryPackageVersionId value="null" />
    <PackageDefinition name="Definition">
    <Conditions type="list">
    <PackageStepCondition>
    <Architecture>Both</Architecture>
    <Version>All</Version>
    <TypeName>OperatingSystem</TypeName>
    </PackageStepCondition>
    <PackageStepCondition>
    <IsUserLoggedOn>AlwaysRun</IsUserLoggedOn>
    <TypeName>LoggedOnUser</TypeName>
    </PackageStepCondition>
    <PackageStepCondition>
    <ConditionMode>None</ConditionMode>
    <InventoryCollectionId value="null" />
    <InventoryCollectionName></InventoryCollectionName>
    <TypeName>Collection</TypeName>
    </PackageStepCondition>
    </Conditions>
    <CopyMode>Default</CopyMode>
    <DelayedApprovalTimeSpan>7.00:00:00</DelayedApprovalTimeSpan>
    <DownloadApprovalMode>Manual</DownloadApprovalMode>
    <InventoryScanProfileId value="11" />
    <IsDownloadApprovalModeInherited value="true" />
    <ScanAfterDeployment value="true" />
    <Steps type="list">
    <CommandStep>
    <Command>del /q C:\Windows\Temp\SA*</Command>
    <Files></Files>
    <SuccessCodes>0</SuccessCodes>
    <RunAs value="null" />
    <Conditions type="list">
    <PackageStepCondition>
    <Architecture>Both</Architecture>
    <Version>All</Version>
    <TypeName>OperatingSystem</TypeName>
    </PackageStepCondition>
    <PackageStepCondition>
    <IsUserLoggedOn>AlwaysRun</IsUserLoggedOn>
    <TypeName>LoggedOnUser</TypeName>
    </PackageStepCondition>
    <PackageStepCondition>
    <ConditionMode>None</ConditionMode>
    <InventoryCollectionId value="null" />
    <InventoryCollectionName></InventoryCollectionName>
    <TypeName>Collection</TypeName>
    </PackageStepCondition>
    </Conditions>
    <ErrorMode>StopDeploymentFail</ErrorMode>
    <Title>Clear previous logs</Title>
    <TypeName>Command</TypeName>
    <IsEnabled value="true" />
    <IsPostStep value="false" />
    <IsPreStep value="false" />
    </CommandStep>
    <InstallStep>
    <CustomCommandLine></CustomCommandLine>
    <FileName>\\change\me\DiscoveryTool\Intel-SA-00086-console.exe</FileName>
    <Files></Files>
    <IncludeDirectory value="true" />
    <LeaveInstallFile value="true" />
    <MsiOperation>Install</MsiOperation>
    <MsiQuiet value="true" />
    <MsiRestart>Never</MsiRestart>
    <Parameters>-n -c -f -p C:\Windows\Temp</Parameters>
    <SuccessCodes>0,100,1641,3010,2359302</SuccessCodes>
    <RunAs value="null" />
    <Conditions type="list">
    <PackageStepCondition>
    <Architecture>Both</Architecture>
    <Version>All</Version>
    <TypeName>OperatingSystem</TypeName>
    </PackageStepCondition>
    <PackageStepCondition>
    <IsUserLoggedOn>AlwaysRun</IsUserLoggedOn>
    <TypeName>LoggedOnUser</TypeName>
    </PackageStepCondition>
    <PackageStepCondition>
    <ConditionMode>None</ConditionMode>
    <InventoryCollectionId value="null" />
    <InventoryCollectionName></InventoryCollectionName>
    <TypeName>Collection</TypeName>
    </PackageStepCondition>
    </Conditions>
    <ErrorMode>StopDeploymentFail</ErrorMode>
    <Title>Execute the SA Check</Title>
    <TypeName>Install</TypeName>
    <IsEnabled value="true" />
    <IsPostStep value="false" />
    <IsPreStep value="false" />
    </InstallStep>
    <PowerShellStep>
    <CustomCommandLine></CustomCommandLine>
    <Files></Files>
    <Script>$xmlName = Get-ChildItem -Path C:\Windows\Temp -Recurse -Filter SA*.xml | Select-Object -ExpandProperty Name

    $xml = New-Object -TypeName xml
    $xml.Load("C:\windows\Temp\$xmlName")

    $risk = $xml.System.System_Status.System_Risk

    Write-output "$risk Flag set in HKLM:\Software\Intel."

    If($risk -match 'This system is vulnerable.'){

    New-Item -Path HKLM:\Software\Intel -Name SA-00086
    New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 1

    }

    Else {

    New-Item -Path HKLM:\Software\Intel -Name SA-00086
    New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 0

    }</Script>
    <SuccessCodes>0</SuccessCodes>
    <RunAs value="null" />
    <Conditions type="list">
    <PackageStepCondition>
    <Architecture>Both</Architecture>
    <Version>All</Version>
    <TypeName>OperatingSystem</TypeName>
    </PackageStepCondition>
    <PackageStepCondition>
    <IsUserLoggedOn>AlwaysRun</IsUserLoggedOn>
    <TypeName>LoggedOnUser</TypeName>
    </PackageStepCondition>
    <PackageStepCondition>
    <ConditionMode>None</ConditionMode>
    <InventoryCollectionId value="null" />
    <InventoryCollectionName></InventoryCollectionName>
    <TypeName>Collection</TypeName>
    </PackageStepCondition>
    </Conditions>
    <ErrorMode>StopDeploymentFail</ErrorMode>
    <Title>Log Vulnerability</Title>
    <TypeName>PowerShell</TypeName>
    <IsEnabled value="true" />
    <IsPostStep value="false" />
    <IsPreStep value="false" />
    </PowerShellStep>
    </Steps>
    <Timeout value="60" />
    <UseCustomTimeout value="false" />
    <RunAs value="null" />
    </PackageDefinition>
    <Description></Description>
    <NewLibraryPackageVersionId value="null" />
    <Version></Version>
    <IsAutoDownload value="false" />
    <FolderId value="1" />
    <LibraryPackageVersionId value="null" />
    <Name>Intel SA-0086 Check</Name>
    <Path>Packages\Intel SA-0086 Check</Path>
    <PackageDisplaySettings name="DisplaySettings">
    <DisplayType>Normal</DisplayType>
    <IconKey>Icon-Package</IconKey>
    <SortOrder value="8" />
    </PackageDisplaySettings>
    </Package>
    </AdminArsenal.Export>


    Now, onto the Inventory Side of things.

    First you'll need a Registry Scanner:


    <?xml version="1.0" encoding="utf-8"?>
    <AdminArsenal.Export Code="PDQInventory" Name="PDQ Inventory" Version="14.1.0.0" MinimumVersion="14.0">
    <ScanProfile>
    <Scanners type="list">
    <Scanner>
    <ExcludePattern></ExcludePattern>
    <Hive>HKEY_LOCAL_MACHINE</Hive>
    <IncludePattern>SOFTWARE\Intel\SA-00086\*</IncludePattern>
    <RowLimit value="2500" />
    <TypeName>Registry</TypeName>
    <SourceScannerId value="36" />
    </Scanner>
    </Scanners>
    <Collections type="list" />
    <ScheduleTriggerSet name="ScheduleTriggers">
    <Triggers type="list" />
    </ScheduleTriggerSet>
    <Description></Description>
    <ScanProfileId value="11" />
    <Name>Intel SA-00086</Name>
    </ScanProfile>
    </AdminArsenal.Export>


    And then some collections:

    <?xml version="1.0" encoding="utf-8"?>
    <AdminArsenal.Export Code="PDQInventory" Name="PDQ Inventory" Version="14.1.0.0" MinimumVersion="4.0">
    <Collection>
    <ReportDefinition name="Definition">
    <RootFilter name="Filter">
    <Comparison>All</Comparison>
    <Filters type="list">
    <ValueFilter>
    <Table>Registry</Table>
    <Column>PathName</Column>
    <Comparison>Equals</Comparison>
    <Value>SOFTWARE\Intel\SA-00086</Value>
    </ValueFilter>
    <ValueFilter>
    <Table>Registry</Table>
    <Column>Hive</Column>
    <Comparison>Equals</Comparison>
    <Value>HKEY_LOCAL_MACHINE</Value>
    </ValueFilter>
    </Filters>
    </RootFilter>
    <ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName>
    <Columns type="list">
    <Column>
    <Column>ComputerId</Column>
    <Summary></Summary>
    <Table>Computer</Table>
    <Title></Title>
    </Column>
    </Columns>
    </ReportDefinition>
    <IsDrilldown value="false" />
    <Created>2017-11-21T14:39:57.0000000-05:00</Created>
    <Description></Description>
    <Error></Error>
    <Id value="926" />
    <ImportedPath>Intel SA-00086</ImportedPath>
    <Modified>2017-11-21T14:40:34.0000000-05:00</Modified>
    <Name>Intel SA-00086</Name>
    <ParentId value="null" />
    <Path>Intel SA-00086</Path>
    <TypeName>DynamicCollection</TypeName>
    <Type>DynamicCollection</Type>
    <Children type="list">
    <Collection>
    <ReportDefinition name="Definition">
    <RootFilter name="Filter">
    <Comparison>All</Comparison>
    <Filters type="list">
    <ValueFilter>
    <Table>Registry</Table>
    <Column>Name</Column>
    <Comparison>Equals</Comparison>
    <Value>Vulnerable</Value>
    </ValueFilter>
    <ValueFilter>
    <Table>Registry</Table>
    <Column>Value</Column>
    <Comparison>Equals</Comparison>
    <Value>1</Value>
    </ValueFilter>
    </Filters>
    </RootFilter>
    <ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName>
    <Columns type="list">
    <Column>
    <Column>ComputerId</Column>
    <Summary></Summary>
    <Table>Computer</Table>
    <Title></Title>
    </Column>
    </Columns>
    </ReportDefinition>
    <IsDrilldown value="true" />
    <Created>2017-11-21T14:04:01.0000000-05:00</Created>
    <Description></Description>
    <Error></Error>
    <Id value="924" />
    <ImportedPath>Intel SA-00086\Intel SA-00086 (Affected)</ImportedPath>
    <Modified>2017-11-21T14:41:48.0000000-05:00</Modified>
    <Name>Intel SA-00086 (Affected)</Name>
    <ParentId value="926" />
    <Path>Intel SA-00086\Intel SA-00086 (Affected)</Path>
    <TypeName>DynamicCollection</TypeName>
    <Type>DynamicCollection</Type>
    <Children type="list" />
    </Collection>
    <Collection>
    <ReportDefinition name="Definition">
    <RootFilter name="Filter">
    <Comparison>Any</Comparison>
    <Filters type="list">
    <ValueFilter>
    <Table>Registry</Table>
    <Column>Value</Column>
    <Comparison>Equals</Comparison>
    <Value>0</Value>
    </ValueFilter>
    </Filters>
    </RootFilter>
    <ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName>
    <Columns type="list">
    <Column>
    <Column>ComputerId</Column>
    <Summary></Summary>
    <Table>Computer</Table>
    <Title></Title>
    </Column>
    </Columns>
    </ReportDefinition>
    <IsDrilldown value="true" />
    <Created>2017-11-21T14:04:01.0000000-05:00</Created>
    <Description></Description>
    <Error></Error>
    <Id value="925" />
    <ImportedPath>Intel SA-00086\Intel SA-00086 (Unaffected)</ImportedPath>
    <Modified>2017-11-21T14:41:36.0000000-05:00</Modified>
    <Name>Intel SA-00086 (Unaffected)</Name>
    <ParentId value="926" />
    <Path>Intel SA-00086\Intel SA-00086 (Unaffected)</Path>
    <TypeName>DynamicCollection</TypeName>
    <Type>DynamicCollection</Type>
    <Children type="list" />
    </Collection>
    </Children>
    </Collection>
    </AdminArsenal.Export>

    This is useful because once you deploy a patch you can create a package and set a condition like this:

    Or, you know, just select that collection when picking your targets. This is a good excuse to use that new feature though.
  • Steve Cain

    Awesome, thanks! It's worked on most machines I've tested it on so far. A few are getting an error from the detection tool; I believe it's because the hardware isn't found. We have some older machines out there. But a few have also got this PowerShell error.

    Invoke-Expression : Exception calling "Load" with "1" argument(s): "The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters."
    At C:\WINDOWS\AdminArsenal\PDQDeployRunner\service-1\exec\Error Handling Wrapper.ps1:39 char:1
    + Invoke-Expression "& '.\$($Parameters[0])' $($Parameters[1])"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Invoke-Expression], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException,Microsoft.PowerShell.Commands.InvokeExpressionCommand

  • Colby Bouma

    Thank you Stephen, I was working on something similar yesterday. I'm curious, why did you choose to disable the detection tool's registry logging? It logs a bunch of useful stuff like System Risk and ME Version.

    I'm trying to write a blog about this today, so I want to figure out the best way to go about it.

  • Colby Bouma

    @Steve Cain: My guess is that those systems have a matching file buried deep in the Temp folder. You can add a line below Line 1 to see what it's trying to load:

    Write-Output $xmlName
  • Stephen Valdinger

    I initially wrote the script as something not to be used with PDQ products, to dump the XML data to a central location on a network share.

    I just pieced that apart to come up with what I did to work with PDQ without going back to the drawing board.

    Really, it's probably a better idea to use the -r switch and dump details to the registry.
  • Colby Bouma

    Ah, Ok.

  • Millar, Gary

    I had a few issues with false negatives: one of my systems didn't report "is" vulnerable, it reported "may be" vulnerable, so I have made a change to the PowerShell and added a switch statement with a regex switch to do the search. I also added a few steps to remove the registry keys to allow the script to be run multiple times, as when trying this before the PowerShell was failing because the regkey was already in place. You will need to tweak the collections to catch the different statuses.

    0 for not vulnerable
    1 for is vulnerable
    2 for may be vulnerable
    3 for could not be determined

    I also had to expand the filter in the search for the XML file from "SA*.xml" to "SA-00086*.xml", as my first test uncovered several XMLs with similar names which caused the PowerShell search to fail.

    clear
    # Narrowed filter (SA-00086*.xml) so other SA*.xml files in Temp are not picked up.
    # Take the full path of one file: expanding only Name joined several matches into
    # one string and broke Load with a "path too long" error, and a file nested in a
    # subfolder was not found under C:\windows\Temp\ at all.
    $xmlPath = Get-ChildItem -Path C:\Windows\Temp -Recurse -Filter SA-00086*.xml |
        Select-Object -First 1 -ExpandProperty FullName

    $xml = New-Object -TypeName xml
    $xml.Load($xmlPath)

    $risk = $xml.System.System_Status.System_Risk

    Write-Output "$risk Flag set in HKLM:\Software\Intel."

    # Remove any key left behind by a previous run so that New-Item below does not fail.
    if (Test-Path -Path 'HKLM:\Software\Intel\SA-00086')
        {
        Write-Host 'SA-00086 exists at HKLM:\Software\Intel\SA-00086'
        Remove-Item -Path 'HKLM:\Software\Intel\SA-00086'
        }

    if (Test-Path -Path 'HKLM:\Software\Wow6432Node\Intel\SA-00086')
        {
        Write-Host 'SA-00086 exists at HKLM:\SOFTWARE\Wow6432Node\Intel\SA-00086'
        Remove-Item -Path 'HKLM:\SOFTWARE\Wow6432Node\Intel\SA-00086'
        }

    # Map the tool's wording to a numeric status:
    # 0 = not vulnerable, 1 = is vulnerable, 2 = may be vulnerable, 3 = could not be determined.
    switch -regex ($risk)
        {
            'This system may be vulnerable'
            {
                Write-Host "This system may be vulnerable"
                New-Item -Path 'HKLM:\Software\Intel' -Name 'SA-00086'
                New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 2
            }
            'This system is vulnerable'
            {
                Write-Host "This system is vulnerable"
                New-Item -Path HKLM:\Software\Intel -Name SA-00086
                New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 1
            }
            'This system is not vulnerable'
            {
                Write-Host "This system is not vulnerable"
                New-Item -Path HKLM:\Software\Intel -Name SA-00086
                New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 0
            }
            default
            {
                Write-Host 'State could not be determined...'
                New-Item -Path HKLM:\Software\Intel -Name SA-00086
                New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 3
            }
        }

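    A more defensive version of the "Log Vulnerability" step, added here as an example; it is not code from any poster in this thread, from PDQ or from Intel. It assumes the detection tool was run with "-p C:\Windows\Temp" as in the package above and that its report carries the System/System_Status/System_Risk element the scripts above read; the function name Set-Sa00086Status, its parameters and the extra RiskText value are my own choices.

```powershell
# Added example (not from this thread's posters, PDQ or Intel). Assumes the
# Intel SA-00086 tool wrote an SA-00086*.xml report under $ReportDirectory and
# that the report has System/System_Status/System_Risk. Names below are mine.
function Set-Sa00086Status {
    [CmdletBinding()]
    param(
        [string]$ReportDirectory = 'C:\Windows\Temp',
        [string]$RegistryPath    = 'HKLM:\Software\Intel\SA-00086'
    )

    # Pick ONE report by full path, newest first. Expanding Name with several
    # matches joined every name into a single string, which is what produced
    # the "file name ... too long" Load error reported earlier in this thread,
    # and Name alone also misses a report nested in a subfolder.
    $report = Get-ChildItem -Path $ReportDirectory -Recurse -Filter 'SA-00086*.xml' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1

    # Status codes follow the scheme used for the collections in this thread:
    # 0 = not vulnerable, 1 = vulnerable, 2 = may be vulnerable, 3 = undetermined.
    # A missing report (the tool failing on older hardware) is recorded as 3
    # instead of throwing, so the machine still shows up in a collection.
    $status = 3
    $risk   = 'No SA-00086 report found; detection tool may have failed on this hardware'

    if ($report) {
        try {
            $xml = New-Object -TypeName xml
            $xml.Load($report.FullName)
            $risk = [string]$xml.System.System_Status.System_Risk
        } catch {
            $risk = "Could not parse $($report.FullName): $($_.Exception.Message)"
        }

        # The three phrases are mutually exclusive; break stops at the first hit.
        switch -Regex ($risk) {
            'is not vulnerable' { $status = 0; break }
            'may be vulnerable' { $status = 2; break }
            'is vulnerable'     { $status = 1; break }
            default             { $status = 3 }
        }
    }

    # -Force makes both calls idempotent, so the step can be re-run without
    # first deleting the key (the failure on a second deployment noted above).
    $null = New-Item -Path $RegistryPath -Force
    $null = New-ItemProperty -Path $RegistryPath -Name 'Vulnerable' -Value $status -PropertyType DWord  -Force
    $null = New-ItemProperty -Path $RegistryPath -Name 'RiskText'   -Value $risk   -PropertyType String -Force

    return $status
}

$status = Set-Sa00086Status
Write-Output "SA-00086 status $status written to HKLM:\Software\Intel\SA-00086"
# Writing the status is the step's job, so the step itself always succeeds;
# the Affected/Unaffected collections do the sorting afterwards.
exit 0
```

    Because the registry scanner above includes everything under SOFTWARE\Intel\SA-00086\*, the RiskText value will also appear in PDQ Inventory alongside the numeric Vulnerable value, while the existing collections keep matching on Vulnerable.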
  • John Gallant

    Are there any steps on how to get this code into PDQ Deploy? Create a new package, but which of these would I paste this code into?
  • Stephen Valdinger

    You can just copy the above, save it as an XML file, then go to File > Import and select the XML, and it will put the package together for you.
  • Katie Sorenson

    @John,

    You'll want to save each one as an XML file and then import (File > Import) those files into Deploy or Inventory. Some of those are packages and some are collections. You'll want to look at each to see what it is before trying to import a collection into Deploy or a package into Inventory. Nothing terrible will happen, but Deploy or Inventory will squawk a little bit at you.
  • John Gallant

    Thank you both! I imported the PDQ Deploy one; I needed to upgrade to version 15 first. Then I imported the other two into PDQ Inventory.

    PDQ Deploy is running the script and I see some showing up under Successful now. How long before I should see some stats under PDQ Inventory? I see it try to update occasionally but it still shows 0.
  • John Gallant

    Sorry, I found it under "Scan Collection" in PDQ Inventory. Thanks again for this great script!
  • Joe Stern

    @Colby, I'm trying to follow the recipe you posted on the blog today, but in step 8 I can't see the new scan profile in PDQ Deploy. It does appear in PDQ Inventory. I tried restarting both services on the central server to no avail.

    Is there anything I need to do to make PDQ Inventory scan profiles visible to PDQ Deploy?

    Thanks, 

    - Joe

    PS: I also was unable to post a comment directly on the blog. It wants an e-mail address to submit, but no such field is shown.
  • Colby Bouma

    @Joe Stern

    Which version and license mode are you using for each product?

    I submitted a ticket about the blog comment issue. Thank you for letting us know.

  • Joe Stern

    @Colby Bouma -- Deploy is 15.3.0.0 Enterprise, Inventory is 14.3.0.0 Enterprise

  • Katie Sorenson

    @Joe - Did you create a collection after creating your scan profile? Scan profiles gather information in order to build collections, and Deploy will see the collections but not the scan profiles themselves. Clear as mud? :)
  • Colby Bouma

    @Katie Sorenson

    Joe is talking about this blog: https://www.pdq.com/blog/intel-sa-00086/

    @Joe Stern

    Did you import those files on a Client console?

  • Joe Stern

    @Colby Bouma,

    Yes, I imported everything on my admin workstation, which is running as a client console. 

  • Steve Cain

    I followed the blog instructions and everything worked fine for me. Except Intel's test tool choking on some of our older HP machines. :D

  • Colby Bouma

    The blog comment issue has been fixed.

    I am unable to replicate your issue Joe. The "Intel SA-00086" scan profile is always available for me in the package dropdown.
