Validate MS17-010 patch compliance with Host Integrity

book

Article ID: 169492

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Due to the recent outbreak with Ransom.Wannacry many administrators want to ensure that their systems have the patches associated with MS17-010 installed on endpoints. Symantec Endpoint Protection can help in accomplishing this with the Host Integrity feature. 

Resolution

Attached to this document is a Host Integrity policy compatible with the Symantec Endpoint Protection 14 Endpoint Manager that aids as an example of how one could go about checking systems for patch compliance in relation to the MS17-010 vulnerability patches. This policy is provided as an example and it is highly recommended that extensive testing with this or a similar policy be performed prior to deployment to any production environment.

A Host Integrity policy checks for the existence of antivirus software, patches, hot fixes, and other security requirements. For example, the policy may check whether the latest patches have been applied to the operating system.

 

HOW HOST INTEGRITY WORKS

DESCRIPTION

Step 1: The client computer runs a Host Integrity check on the client computer.

The management server downloads the Host Integrity policy to the client computers in the assigned group. The client computers run the Host Integrity check, which compares each computer's configuration with the requirements that you add to the Host Integrity policy.

Our sample Host Integrity script will check: Windows 7, 8.1,2008R2, Windows 2012 & Windows 2012R2. Legacy Windows OSes not supported: XP, Server 2003 and Vista

Step 2: The Host Integrity check passes or fails

  • If the computer meets all of the policy's requirements, the Host Integrity check passes

  • If the computer does not meet all of the policy's requirements, the Host Integrity check fails. You can also set up the policy to ignore a failed requirement so that the check passes

  • You can also set up peer-to-peer authentication in the Firewall policy, which can grant or block inbound access to the remote computers that have the client installed.

Step 3: Noncompliant computers remediate a failed Host Integrity check (optional)

  • If the Host Integrity check fails, you can configure the client to remediate. To remediate, the client downloads and installs the missing software. You can configure either the client to remediate or the end user to remediate in a predefined requirement or a custom requirement. Host Integrity then rechecks that the client computer installed the software.

  • If the Host Integrity check that verifies remediation still fails, the client applies a Quarantine policy. You can use a Quarantine policy to apply stricter restrictions to the failed computers.

  • While the client is in the Quarantine location, the Host Integrity check continues to run and to try to remediate. The frequency of the check and remediation settings are based on how you configure the Host Integrity policy. Once the client is remediated and passes the Host Integrity check, the client moves out of the Quarantine location automatically.

Step 4: The client continues to monitor compliance

The Host Integrity check actively monitors each client's compliance status. If at any time the client's compliance status changes, so do the privileges of the computer.

  • If you change a Host Integrity policy, it is downloaded to the client at the next heartbeat. The client then runs a Host Integrity check.

  • If the client switches to a location with a different Host Integrity policy while a Host Integrity check is in progress, the client stops checking. The stop includes any remediation attempts. The user may see a timeout message

  •  if a remediation server connection is not available in the new location. When the check is complete, the client discards the results. Then the client immediately runs a new Host Integrity check based on the new policy for the location

Attachments

MS17-010 Test v0.7.dat get_app