Custom Vulnerabilities. NA Channel SE Team Lead landesk.com

(1)

Custom Vulnerabilities

NA Channel SE Team Lead

John.Wyckoff @ landesk.com

802-825-5863

(2)

LANDesk Software Confidential

Power &

Infrastructure

Management

LANDesk

®

Solutions

2 Systems

Lifecycle

Management

Endpoint

Security &

Compliance

Asset

Lifecycle

Management

Virtualization

Management

Automation

Platform

IT Service

Management

(3)



What is a custom vulnerability?



Custom Vulnerability details



Vulscan command-line parameters



How to create user-defined Vulnerabilities

›

Configure detection

›

Configure remediation with patch commands

›

Export User-defined vulnerabilities in XML format for import

to additional cores



Customer Examples

(4)



Custom Vul Community section

›

http://community.landesk.com/support/community/security/customvuls



Mode Cmd

›

http://community.landesk.com/support/message/50390#50390

Docs and references

(5)

What is a Custom Vulnerability?

…lets you target specific situations,

run programs/scripts to change an

unwanted situation to one you want or

report wanted information back into

database!

If OS=“this” and App ver=“this” and

xyz=“this”, then do “this”

(6)



….inventory ALL software (mode=all for 8.7) looking for

Oracle config files

›

….create a custom vul to detect and report – with option

to update or delete .ora cfg files



….search registry for possible undesirable changes

›

…..create custom vul to detect changes to specific reg

key value and report – with option to change back &

report of change!

›

Example – system restore, runonce keys, wallpaper, etc



….guess WMI values on a client or server

›

…..create a custom vul to run a VB Script to grab WMI

parameters and place into LANDesk database

›

Active Dir GPOs applied, windows share names, etc

(7)

Anything you can do, I can do custom….

(8)

Anything you can do, I can do custom….pg 2

(9)

vulscan.exe



It performs both scan and repair operations on managed node



Vulnerability Scan task launches vulscan.exe with:

›

/AgentBehavior=x

›

/scan=y commandline option

›

Vulscan finds core is by:



“hklm\software\intel\landesk\LDWM”, value “CoreServer”.



Overridden with the /CoreServer=corename commandline

›

Requests the latest vulnerability info, one type at a time

›

Performs the scan

›

Submits the results to the core for that type

›

Moves on to the next type

›

When all types scanned, asks for any patches it should apply.



Web service on core returns list of patches (found vulnerable) with “autofix”



If installs one or more patches:

›

Re-scan and submit new results to core

›

Or it will reboot the machine



runonce key to scan again.



Decides whether to reboot with PendingFileRename key in the

registry

Managed Client Vulscan operation

(10)

Vulscan supports other command-line options which are not documented in

the end user documentation. These options are used for testing or internally by

vulscan when it launches itself.



/fix - Same as repair option.



/norepair - runonce key after installing one or more patches which require

a reboot of the system.



/o=OutputFilename



/I=InputFilename - submit a previously saved scan



/logfile= or /log= use a log filename other than vulscan.log.



/deviceid=value - submit a different deviceid



/coreserver= - Overrides the CoreServer value found in the registry



/remove - uninstall itself



/local - only get files from its peer



/noelevate –



/reset - remove delta file



/noupdate - stops vulscan.exe update



/clear or /clearScanStatus - remove all vulnerability scan information

command-line options

(11)

VB Scripting as a repair action



Multiple, separate vbscript actions could be created in between

other non-vbscript actions. Custom variables that were available

at scan time are available at repair time



Custom variables are used in scan or repair section

›

Element of the vulnerability, not the individual rules in a

definition

›

CustomVariable (“variable Name”) is to get variable value

›

Result is always treated as a single string integer



Types of custom variables:

›

string, integer, multi-value string, and enumeration

11

(12)



What is the difference between a Custom Vul, Vul,

Security Threat, etc in the LANDesk database?

Question?

(13)

Content – Definition Types

ID Type

Description

Detected using

0 Vulnerabilities

Security related patches

Files and/or registry keys

1 Spyware

Spyware families

Specialized (lsas.dll)

2 Security threats

Security configuration issues

VBscript

3 LANDesk updates

Patches for LANDesk software

Files and/or registry keys

4 Custom definitions

User-defined vulnerabilities

VBscript, files, or registy

5 Blocked

applications

Prohibited applications

Specialized (softmon)

6 Software updates

Non-security patches

Files / registry keys

7 Driver updates

Non-security driver updates

VBscript

(14)



Chg a Reg key from “wrong” to “right”



“Tweak” LANDesk client settings



Grab Reg key data and place into LD DB



Remove software



Update software



Parse WMI fields and post to LD DB inv record



Parse Win OS event log for specific event name and

# of within a time frame

(15)

15

Thank You!

The information herein is the confidential information and/or proprietary property of LANDesk Software, Inc. and its affiliates (referred to collectively as “LANDesk”), and may not be disclosed or copied without prior written consent of LANDesk.

To the maximum extent permitted under applicable law, LANDesk assumes no liability whatsoever, and disclaims any express or implied warranty, relating to the sale and/or use of LANDesk products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right, without limiting the rights under copyright.

LANDesk retains the right to make changes to the information herein or related product specifications and descriptions, at any time, without notice. LANDesk makes no warranty for the use of the information herein and assumes no responsibility for any errors that can appear nor does it make a commitment to update the information contained herein. For the most current product information, please visit www.landesk.com.

Copyright © 2010, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others.