Custom Vulnerabilities
John Wyckoff, NA Channel SE Team Lead
John.Wyckoff @ landesk.com
802-825-5863
LANDesk Solutions
- Systems Lifecycle Management
- Power & Infrastructure Management
- Endpoint Security & Compliance
- Virtualization Management
- Management Automation Platform
- IT Service Management
- Asset Lifecycle Management
Agenda
- What is a custom vulnerability?
- Custom vulnerability details
- Vulscan command-line parameters
- How to create user-defined vulnerabilities
  - Configure detection
  - Configure remediation with patch commands
- Export user-defined vulnerabilities in XML format for import to additional cores
- Customer examples
Docs and references
- Custom Vul Community section: http://community.landesk.com/support/community/security/customvuls
- Mode Cmd: http://community.landesk.com/support/message/50390#50390
What is a Custom Vulnerability?
A custom vulnerability lets you target specific situations, run programs or scripts to change an unwanted situation into the one you want, or report wanted information back into the database. In short: if OS = this and App version = this and xyz = this, then do this.
Instead of... try this...
- Instead of: inventorying ALL software (mode=all for 8.7) looking for Oracle config files.
  Try this: create a custom vul to detect and report, with the option to update or delete the .ora cfg files.
- Instead of: searching the registry for possible undesirable changes.
  Try this: create a custom vul to detect changes to a specific reg key value and report, with the option to change it back and report the change. Examples: system restore, runonce keys, wallpaper, etc.
- Instead of: guessing WMI values on a client or server.
  Try this: create a custom vul to run a VB Script that grabs WMI parameters and places them into the LANDesk database. Examples: Active Directory GPOs applied, Windows share names, etc.
Anything you can do, I can do custom.
Managed Client Vulscan operation
- vulscan.exe performs both scan and repair operations on the managed node.
- A Vulnerability Scan task launches vulscan.exe with the /AgentBehavior=x /scan=y command-line options.
- Vulscan finds the core by reading the CoreServer value under hklm\software\intel\landesk\ldwm; this can be overridden with the /CoreServer=corename command-line option.
- It requests the latest vulnerability info one type at a time:
  - performs the scan
  - submits the results to the core for that type
  - moves on to the next type
- When all types are scanned, it asks the core for any patches it should apply. A web service on the core returns the list of patches (found vulnerable) that have autofix set.
- If it installs one or more patches, it either re-scans and submits new results to the core, or reboots the machine and uses a runonce key to scan again. It decides whether to reboot based on the PendingFileRename key in the registry.
Command-line options
Vulscan supports other command-line options that are not documented in the end user documentation. These options are used for testing or internally by vulscan when it launches itself.
- /fix - same as the repair option
- /norepair - runonce key after installing one or more patches that require a reboot of the system
- /o=outputfilename - save the scan output to a file
- /I=InputFilename - submit a previously saved scan
- /logfile= or /log= - use a log filename other than vulscan.log
- /deviceid=value - submit with a different device ID
- /coreserver= - overrides the CoreServer value found in the registry
- /remove - uninstall itself
- /local - only get files from its peer
- /noelevate
- /reset - remove the delta file
- /noupdate - stops the vulscan.exe update
- /clear or /clearscanstatus - remove all vulnerability scan information
Vulscan action: VB Scripting as a repair action
- Multiple, separate VBScript actions can be created in between other non-VBScript actions.
- Custom variables that were available at scan time are also available at repair time.
- Custom variables are used in the scan or repair section; they are an element of the vulnerability, not of the individual rules in a definition.
- CustomVariable(variableName) returns the variable's value. The result is always treated as a single string, even for integer-typed variables.
- Types of custom variables: string, integer, multi-value string, and enumeration.
Question: What is the difference between a Custom Vul, Vul, Security Threat, etc. in the LANDesk database? The mode type.
Content Definition Types

ID  Type                  Description                      Detected using
0   Vulnerabilities       Security related patches         Files and/or registry keys
1   Spyware               Spyware families                 Specialized (lsas.dll)
2   Security threats      Security configuration issues    VBScript
3   LANDesk updates       Patches for LANDesk software     Files and/or registry keys
4   Custom definitions    User-defined vulnerabilities     VBScript, files, or registry
5   Blocked applications  Prohibited applications          Specialized (softmon)
6   Software updates      Non-security patches             Files / registry keys
7   Driver updates        Non-security driver updates      VBScript
8   Antivirus             Antivirus configuration issues   VBScript
So what can a Custom Vul do?
- Change a registry key from wrong to right
- Tweak LANDesk client settings
- Grab registry key data and place it into the LANDesk database
- Remove software
- Update software
- Parse WMI fields and post them to the LANDesk database inventory record
- Parse the Windows event log for a specific event name and the number of occurrences within a time frame
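An added example, not code from the LANDesk deck, of a custom-vulnerability detection script for the first and third items above: it reads one registry value and compares it with a custom variable. CustomVariable() is the accessor named earlier; the result variables Detected, Reason, Expected and Found are assumed names for how the script hands its verdict back to vulscan, and the custom variable names RegistryValuePath and ExpectedValue are hypothetical.

```vbscript
' Detection script for a user-defined (custom) vulnerability.
' Assumed: vulscan predefines Detected, Reason, Expected and Found for the
' script to fill in; these are not declared here so the host can supply them.

Dim shell, keyPath, expectedValue, foundValue

Set shell = CreateObject("WScript.Shell")

' Hypothetical string-type custom variables defined on the vulnerability.
' As the deck states, CustomVariable() always returns a single string.
keyPath       = CustomVariable("RegistryValuePath")   ' e.g. HKLM\...\SomeValue
expectedValue = CustomVariable("ExpectedValue")

' RegRead raises an error when the key or value does not exist;
' treat a missing value as drift from the desired state rather than a crash.
On Error Resume Next
foundValue = shell.RegRead(keyPath)
If Err.Number <> 0 Then
    foundValue = "<missing>"
    Err.Clear
End If
On Error GoTo 0

' Report what was expected and what was actually found so the core can
' record it (the "grab reg key data and place into the LD DB" use case).
Expected = expectedValue
Found = foundValue

' Case-insensitive compare; registry string values are rarely case-sensitive.
If StrComp(foundValue, expectedValue, vbTextCompare) = 0 Then
    Detected = False
    Reason = "Registry value matches the expected setting"
Else
    Detected = True
    Reason = "Registry value " & keyPath & " differs from the expected setting"
End If
```

The matching repair action would call shell.RegWrite(keyPath, expectedValue, "REG_SZ") using the same two custom variables, which the deck says remain available at repair time.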
Thank You!

The information herein is the confidential information and/or proprietary property of LANDesk Software, Inc. and its affiliates (referred to collectively as "LANDesk"), and may not be disclosed or copied without prior written consent of LANDesk. To the maximum extent permitted under applicable law, LANDesk assumes no liability whatsoever, and disclaims any express or implied warranty, relating to the sale and/or use of LANDesk products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right, without limiting the rights under copyright. LANDesk retains the right to make changes to the information herein or related product specifications and descriptions, at any time, without notice. LANDesk makes no warranty for the use of the information herein and assumes no responsibility for any errors that can appear nor does it make a commitment to update the information contained herein. For the most current product information, please visit www.landesk.com.

Copyright 2010, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others.