Custom Vulnerabilities
NA Channel SE Team Lead
John.Wyckoff @ landesk.com
802-825-5863
LANDesk Software Confidential
LANDesk Solutions (slide graphic): Power & Infrastructure Management, Systems Lifecycle Management, Endpoint Security & Compliance, Asset Lifecycle Management, Virtualization Management, Management Automation Platform, IT Service Management.
› What is a custom vulnerability?
› Custom Vulnerability details
› Vulscan command-line parameters
› How to create user-defined Vulnerabilities
  › Configure detection
  › Configure remediation with patch commands
  › Export User-defined vulnerabilities in XML format for import to additional cores
› Customer Examples

Docs and references
› Custom Vul Community section: http://community.landesk.com/support/community/security/customvuls
› Mode Cmd: http://community.landesk.com/support/message/50390#50390
What is a Custom Vulnerability?
…lets you target specific situations, run programs/scripts to change an unwanted situation to one you want, or report wanted information back into the database!
If OS=“this” and App ver=“this” and xyz=“this”, then do “this”
….inventory ALL software (mode=all for 8.7) looking for Oracle config files
  › ….create a custom vul to detect and report – with option to update or delete .ora cfg files
….search registry for possible undesirable changes
  › …..create custom vul to detect changes to specific reg key value and report – with option to change back & report of change!
  › Example – system restore, runonce keys, wallpaper, etc
….guess WMI values on a client or server
  › …..create a custom vul to run a VB Script to grab WMI parameters and place into LANDesk database
  › Active Dir GPOs applied, windows share names, etc
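The "grab WMI parameters" item above, worked as an added example (not a script from the deck or from LANDesk): a detection-style VBScript that enumerates the machine's shares through WMI and reports any user-created disk share. The output format and exit codes are assumptions chosen so the script runs stand-alone under cscript; the hand-off into the LANDesk database is product-specific and is marked in the comments as the point where it would go.

```vbscript
' Added example, not from the LANDesk deck: report user-created shares via WMI.
' Run stand-alone with:  cscript //nologo shares.vbs
Option Explicit

' Returns "name=path;name=path;..." for every plain disk share (Win32_Share.Type = 0).
' Administrative shares such as C$ and ADMIN$ carry a Type with the high bit set
' (0x80000000 + n) and therefore never match; IPC$ is excluded the same way.
Function UnexpectedShares()
    Dim wmi, shares, share, found
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set shares = wmi.ExecQuery("SELECT Name, Path, Type FROM Win32_Share")
    found = ""
    For Each share In shares
        If share.Type = 0 Then
            found = found & share.Name & "=" & share.Path & ";"
        End If
    Next
    UnexpectedShares = found
End Function

Dim result
result = UnexpectedShares()
If Len(result) > 0 Then
    ' Inside a LANDesk custom definition this is where the script would flag the
    ' device as detected and hand the share list back for the inventory record;
    ' that hand-off is product-specific (assumed), so stand-alone we print it.
    WScript.Echo "DETECTED: user-created shares present: " & result
    WScript.Quit 1
Else
    WScript.Echo "OK: only administrative shares found"
    WScript.Quit 0
End If
```

The same query shape (a WQL SELECT against a cimv2 class, then a loop that decides what is worth reporting) covers the other items in the list, for example Win32_NTDomain for domain membership; only the class and the decision in the loop change.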
Anything you can do, I can do custom….
Anything you can do, I can do custom….pg 2
Managed Client Vulscan operation
vulscan.exe performs both scan and repair operations on the managed node.
The Vulnerability Scan task launches vulscan.exe with:
› /AgentBehavior=x
› /scan=y command-line option
Vulscan finds the core by reading “hklm\software\intel\landesk\LDWM”, value “CoreServer”; this is overridden with the /CoreServer=corename command-line option.
› Requests the latest vulnerability info, one type at a time
› Performs the scan
› Submits the results to the core for that type
› Moves on to the next type
› When all types are scanned, asks for any patches it should apply. The web service on the core returns the list of patches (found vulnerable) marked “autofix”.
If it installs one or more patches:
› It re-scans and submits the new results to the core
› Or it reboots the machine, setting a runonce key to scan again
It decides whether to reboot with the PendingFileRename key in the registry.
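The two registry reads named in the flow above, as an added example (not vulscan's code and not from the deck): one function reads the CoreServer value from the LDWM key the slide names, the other checks whether Windows has file renames queued for the next boot, which is the condition the slide says drives the reboot decision. Both use the StdRegProv WMI provider; the key path of PendingFileRenameOperations is the standard Session Manager location, and everything else is assumed for the stand-alone run.

```vbscript
' Added example, not from the LANDesk deck: the registry lookups behind
' vulscan's core discovery and reboot decision, reproduced stand-alone.
' Run with:  cscript //nologo vulscan_checks.vbs
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002

' Core server name as vulscan reads it (key and value named on the slide).
' Returns "" when the value is absent, e.g. on a machine without the agent.
Function CoreServerFromRegistry()
    Dim reg, value
    Set reg = GetObject("winmgmts:\\.\root\default:StdRegProv")
    If reg.GetStringValue(HKEY_LOCAL_MACHINE, "SOFTWARE\Intel\LANDesk\LDWM", _
                          "CoreServer", value) = 0 Then
        CoreServerFromRegistry = value
    Else
        CoreServerFromRegistry = ""
    End If
End Function

' True when PendingFileRenameOperations (REG_MULTI_SZ) exists, i.e. a patch
' has left file replacements that only complete after a reboot.
Function RebootPending()
    Dim reg, names
    Set reg = GetObject("winmgmts:\\.\root\default:StdRegProv")
    If reg.GetMultiStringValue(HKEY_LOCAL_MACHINE, _
                               "SYSTEM\CurrentControlSet\Control\Session Manager", _
                               "PendingFileRenameOperations", names) = 0 Then
        RebootPending = IsArray(names)
    Else
        RebootPending = False
    End If
End Function

WScript.Echo "CoreServer: " & CoreServerFromRegistry()
If RebootPending() Then
    WScript.Echo "Reboot pending: file renames are queued for next boot"
Else
    WScript.Echo "No reboot pending"
End If
```

One caveat when reproducing this on 64-bit Windows: a 32-bit script host is redirected to the Wow6432Node view of HKLM\SOFTWARE, so the LDWM key may be found in one view and not the other depending on which cscript.exe launches the script.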
Vulscan command-line options
Vulscan supports other command-line options which are not documented in the end-user documentation. These options are used for testing, or internally by vulscan when it launches itself.
/fix - Same as the repair option.
/norepair - runonce key after installing one or more patches which require a reboot of the system.
/o=OutputFilename
/I=InputFilename - submit a previously saved scan
/logfile= or /log= - use a log filename other than vulscan.log
/deviceid=value - submit a different deviceid
/coreserver= - overrides the CoreServer value found in the registry
/remove - uninstall itself
/local - only get files from its peer
/noelevate -
/reset - remove delta file
/noupdate - stops vulscan.exe update
/clear or /clearScanStatus - remove all vulnerability scan information
VB Scripting as a repair action
Multiple, separate vbscript actions could be created in between other non-vbscript actions. Custom variables that were available at scan time are available at repair time.
Custom variables are used in the scan or repair section:
› They are an element of the vulnerability, not of the individual rules in a definition
› CustomVariable(“variable Name”) is used to get the variable value
› The result is always treated as a single string integer
Types of custom variables:
› string, integer, multi-value string, and enumeration
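A detection script and its matching repair script for the "change a registry value from wrong to right" case from the examples slide, using a custom variable for the expected value as described above. This is an added example, not a definition shipped with LANDesk: CustomVariable(...) is the accessor the slide names; the variable name SystemRestoreDisableSR, the fallback constant and the /repair switch are constructed so the file also runs stand-alone under cscript, where that accessor does not exist (in a real definition the detection and repair parts would be pasted into their separate script sections). The key is the System Restore policy value, one of the examples the deck mentions.

```vbscript
' Added example, not from the LANDesk deck: detect and repair a policy value,
' with the expected value coming from a custom variable when run by vulscan.
' Stand-alone:  cscript //nologo disablesr.vbs          (detect only)
'               cscript //nologo disablesr.vbs /repair  (detect, then fix)
Option Explicit

Const KEY_PATH = "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR"
Const DEFAULT_EXPECTED = 0   ' constructed fallback: 0 = System Restore not disabled

' Expected value: custom variable inside vulscan, constant otherwise.
' The variable name is an assumption; custom variables arrive as strings.
Function ExpectedValue()
    Dim v
    On Error Resume Next
    v = CustomVariable("SystemRestoreDisableSR")
    If Err.Number <> 0 Then
        Err.Clear
        v = DEFAULT_EXPECTED
    End If
    On Error GoTo 0
    ExpectedValue = CLng(v)
End Function

' Detection: "" when the value matches (or is not set at all), else a reason.
Function Detect()
    Dim sh, current
    Set sh = CreateObject("WScript.Shell")
    On Error Resume Next
    current = sh.RegRead(KEY_PATH)
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Detect = ""   ' policy value absent: nothing has been changed
        Exit Function
    End If
    On Error GoTo 0
    If CLng(current) <> ExpectedValue() Then
        Detect = "DisableSR is " & current & ", expected " & ExpectedValue()
    Else
        Detect = ""
    End If
End Function

' Repair: write the expected value back as REG_DWORD, then re-run detection.
Function Repair()
    Dim sh
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite KEY_PATH, ExpectedValue(), "REG_DWORD"
    Repair = (Detect() = "")
End Function

Dim reason
reason = Detect()
If reason <> "" Then
    WScript.Echo "DETECTED: " & reason
    If WScript.Arguments.Named.Exists("repair") Then
        If Repair() Then WScript.Echo "REPAIRED" Else WScript.Echo "REPAIR FAILED"
    End If
Else
    WScript.Echo "OK"
End If
```

Two points a practitioner would want: the repair re-runs detection and reports its result, so a repair that silently fails (for example a write blocked by permissions) shows up in the log rather than being assumed successful; and the expected value lives in one place, so changing the custom variable on the core changes both what is detected and what the repair writes.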
Question?
What is the difference between a Custom Vul, Vul, Security Threat, etc in the LANDesk database?
Content – Definition Types
ID  Type                  Description                      Detected using
0   Vulnerabilities       Security related patches         Files and/or registry keys
1   Spyware               Spyware families                 Specialized (lsas.dll)
2   Security threats      Security configuration issues    VBscript
3   LANDesk updates       Patches for LANDesk software     Files and/or registry keys
4   Custom definitions    User-defined vulnerabilities     VBscript, files, or registry
5   Blocked applications  Prohibited applications          Specialized (softmon)
6   Software updates      Non-security patches             Files / registry keys
7   Driver updates        Non-security driver updates      VBscript
Chg a Reg key from “wrong” to “right”
“Tweak” LANDesk client settings
Grab Reg key data and place into LD DB
Remove software
Update software
Parse WMI fields and post to LD DB inv record
Parse Win OS event log for a specific event name and count occurrences within a time frame
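The last item in the list, counting occurrences of one event within a time window, as an added example (not a script from the deck or from LANDesk). It queries Win32_NTLogEvent through WMI; the log name, event id and threshold are constructed sample values (4625 is a failed logon in the Security log, and ten in 24 hours is an arbitrary reporting threshold), and the output format is an assumption for the stand-alone run.

```vbscript
' Added example, not from the LANDesk deck: count a given event id written
' in the last N hours and report when a threshold is reached.
' Run stand-alone with:  cscript //nologo eventcount.vbs
Option Explicit

Const LOG_NAME = "Security"   ' constructed sample values
Const EVENT_ID = 4625
Const WINDOW_HOURS = 24
Const THRESHOLD = 10

' Number of events with the given id written since Now - windowHours.
Function CountRecentEvents(logName, eventId, windowHours)
    Dim wmi, dt, query, events
    ' Win32_NTLogEvent.TimeWritten is a DMTF datetime string; SWbemDateTime
    ' converts the VBScript date into that format so WQL can compare it.
    Set dt = CreateObject("WbemScripting.SWbemDateTime")
    dt.SetVarDate DateAdd("h", -windowHours, Now), True
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    query = "SELECT RecordNumber FROM Win32_NTLogEvent WHERE Logfile='" & logName & _
            "' AND EventCode=" & eventId & " AND TimeWritten>='" & dt.Value & "'"
    Set events = wmi.ExecQuery(query)
    CountRecentEvents = events.Count
End Function

Dim n
n = CountRecentEvents(LOG_NAME, EVENT_ID, WINDOW_HOURS)
If n >= THRESHOLD Then
    WScript.Echo "DETECTED: " & n & " events " & EVENT_ID & " in the last " & WINDOW_HOURS & "h"
    WScript.Quit 1
Else
    WScript.Echo "OK: " & n & " events " & EVENT_ID & " in the last " & WINDOW_HOURS & "h"
    WScript.Quit 0
End If
```

Reading the Security log needs administrative rights, which a script launched by the agent has but an interactive test run may not; and the TimeWritten filter belongs in the WQL text rather than in the loop, because Win32_NTLogEvent without a time bound walks the entire log on every scan.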
Thank You!
The information herein is the confidential information and/or proprietary property of LANDesk Software, Inc. and its affiliates (referred to collectively as “LANDesk”), and may not be disclosed or copied without prior written consent of LANDesk.
To the maximum extent permitted under applicable law, LANDesk assumes no liability whatsoever, and disclaims any express or implied warranty, relating to the sale and/or use of LANDesk products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right, without limiting the rights under copyright.
LANDesk retains the right to make changes to the information herein or related product specifications and descriptions, at any time, without notice. LANDesk makes no warranty for the use of the information herein and assumes no responsibility for any errors that can appear nor does it make a commitment to update the information contained herein. For the most current product information, please visit www.landesk.com.
Copyright © 2010, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others.