Client Management Suite

 View Only

 Need help on custom inventory for file in c:\users\* for new Dell vulnerability

amandaw33's profile image
Trusted Advisor amandaw33 posted May 05, 2021 11:37 AM
I need to use CMS to detect for the new dell vulnerability - looking for a file that exists in c:\windows\temp or C:\Users\<username>\AppData\Local\Temp

I created custom inventory and my detection for the file in c:\windows\temp works, but I can't get the looping script to find the file in the users home directory location.  I'm sure these can be combined into one script, but 2 scripts is fine for my needs.

Edit***
The file is detected if it exists in the logged in user profile, but not if it exists in other user profiles, even though script is running as system.  Shouldn't it be able to grab other user profiles?  My script was adapted from I originally got the looping script from attachment here: How to Inventory a Specific File Using Custom Inventory
'*******************************************************
'This Custom Inventory vbscript loops through user folders to detect a specified file
'*******************************************************
set objFSO = CreateObject("Scripting.FileSystemObject")
'Create the NSE
dim nse
set nse = WScript.CreateObject ("Altiris.AeXNSEvent")
' Set the header data of the NSE. Please don't modify this GUID
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1
'Create Inventory data block. The following data class with below guid is already configured on server.
'Brackets are required around the dataclass guid. To get this GUID, click on the custom data class and then the hand (details).
dim objDCInstance
set objDCInstance = nse.AddDataClass ("dbutil_2_3") '***your custom data class name here
' or "{GUID of CUSTOM DATA CLASS include brackets}"
dim objDataClass
set objDataClass = nse.AddDataBlock (objDCInstance)
'Add a new row
dim objDataRow
set objDataRow = objDataClass.AddRow
dim fileName
dim startFolder
startFolder = "C:\Users\"
set objFSO = CreateObject("Scripting.FileSystemObject")
ShowSubFolders objFSO.GetFolder(startFolder)
' Loop through each of the user folders to check for the file
Sub ShowSubFolders(Folder)
For Each SubFolder In Folder.SubFolders
fileName = Subfolder.Path + "\AppData\Local\Temp\dbutil_2_3.sys" '***full path and name of the file to be detected
if(objFSO.FileExists(fileName)) Then
'If the file exist on the computer, get the details
Set objFile = objFSO.GetFile(fileName)
objDataRow.SetField 0, objFile.Name
objDataRow.SetField 1, objFile.Size
Else
objDataRow.SetField 0, "Not Found"
End If
Next
End Sub
' Send the NSE data to the NS server
nse.SendQueued
' msgBox nse.XML '***Uncomment this line for testing


This is my working script that detects if file is in c:\windows\temp
'*******************************************************
'This Custom Inventory vbscript detects a specified file
'*******************************************************
set objFSO = CreateObject("Scripting.FileSystemObject")
'Create the NSE
dim nse
set nse = WScript.CreateObject ("Altiris.AeXNSEvent")
' Set the header data of the NSE. Please don't modify this GUID
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1
'Create Inventory data block. The following data class with below guid is already configured on server.
'Brackets are required around the dataclass guid. To get this GUID, click on the custom data class and then the hand (details).
dim objDCInstance
set objDCInstance = nse.AddDataClass ("dbutil_2_3") '***your custom data class name here
' or "{GUID of CUSTOM DATA CLASS include brackets}"
dim objDataClass
set objDataClass = nse.AddDataBlock (objDCInstance)
'Add a new row
dim objDataRow
set objDataRow = objDataClass.AddRow
dim fileName
fileName = "C:\Windows\Temp\dbutil_2_3.sys" '***full path and name of the file to be detected
if(objFSO.FileExists(fileName)) Then
'If the file exist on the computer, get the details
Set objFile = objFSO.GetFile(fileName)
objDataRow.SetField 0, objFile.Name
objDataRow.SetField 1, objFile.Size
Else
objDataRow.SetField 0, "Not Found"
End If
' Send the NSE data to the NS server
nse.SendQueued
' msgBox nse.XML '***Uncomment this line for testing


Link to vuln info for anyone interested: DSA-2021-088: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver .  Planning to use powershell to clean it up vs the dell tool.

thanks for any help
Chris Farrell's profile image
Broadcom Employee Chris Farrell posted May 05, 2021 04:19 PM
We created a KB for this too, "How do I inventory dbutil_2_3.sys to identify a Dell Vulnerability"

'********************************************************************************
' Custom inventory VBS script to scan for files anywhere with by name 
' For additional values see CIM_DataFile info: https://msdn.microsoft.com/en-us/library/aa387236(v=vs.85).aspx
'********************************************************************************
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")
Set wshShell = WScript.CreateObject( "WScript.Shell" )
ComputerName = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
dim nse
set nse = WScript.CreateObject ("Altiris.AeXNSEvent")
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}" ' Don't modify this GUID
nse.Priority = 1

' Custom Dataclass GUID goes here
set objDCInstance = nse.AddDataClass ("{PUT GUID HERE}")
set objDataClass = nse.AddDataBlock (objDCInstance)
Set objCIMObj = objWMIService.ExecQuery("SELECT Name, Version FROM CIM_DataFile where FileName = 'dbutil_2_3'")
count = 0
 For each objInfo in objCIMObj
  count = 1
  set objDataRow = objDataClass.AddRow 'Add a new row
  objDataRow.SetField 0, CStr(ComputerName)
  objDataRow.SetField 1, objInfo.Name
  objDataRow.SetField 2, cstr(now)
 Next
if (count = 0) then
 set objDataRow = objDataClass.AddRow 'Add a new row
 objDataRow.SetField 0, CStr(ComputerName)
 objDataRow.SetField 1, "Not Found"
 objDataRow.SetField 2, cstr(now)
End If
nse.Send ' Send the NSE data to the NS server