Patch Management Solution


Meltdown patch plans

  • 1.  Meltdown patch plans

    Posted Jan 05, 2018 11:36 AM

    With all the info coming out about Meltdown, what is Symantec's plan of action for it? It appears that it's not simply a patch from Windows but also a registry entry for anti-virus compatibility, and a possibility of BSODs with any application making unsupported calls into kernel memory. Will it be included in the PMI import?




  • 2.  RE: Meltdown patch plans

    Broadcom Partner
    Posted Jan 05, 2018 01:13 PM

    Hi bobafett,

    Please take a look at: http://www.symantec.com/docs/INFO4786

    and at: http://www.symantec.com/docs/INFO4782

    PMImport is also available: http://www.symantec.com/docs/INFO4784

    Network23



  • 3.  RE: Meltdown patch plans

    Posted Jan 05, 2018 03:57 PM

    For those of you using ITMS (Altiris), what are your plans for excluding any machines that do not have ERASER Engine 117... when deploying the Jan 3rd patches? I am just curious how everyone else will tackle this issue.



  • 4.  RE: Meltdown patch plans

    Broadcom Partner
    Posted Jan 06, 2018 11:56 AM

    Hi MarkABC

    There are multiple ways to check for the ERASER Engine version:

    https://www.symantec.com/connect/forums/report-eraser-engine-ver-number

    and

    https://support.symantec.com/en_US/article.TECH95856.html

    or you could create a custom inventory and exclude those machines from the "default patch target / filter"

    Network23



  • 5.  RE: Meltdown patch plans

    Posted Jan 07, 2018 11:16 AM

    What I was curious about is once you have the filter exception created are you applying it to the patch policy for the Jan 3rd patches, the DSUP policy, or both?



  • 6.  RE: Meltdown patch plans

    Broadcom Partner
    Posted Jan 08, 2018 05:22 AM

    Hi MarkABC,

    According to Symantec there is no need to check the ERASER Engine...

    Actions taken by Symantec

    To respond to the compatibility issue with the Microsoft update, Symantec published an ERASER Engine update (117.3.0.358) on January 4, 2018. Note that Microsoft implemented a check to verify the ERASER engine version that is currently loaded, and the Microsoft update only becomes available after the ERASER engine update has been applied. For more information about this solution, see this Symantec KB article.

    In addition, Symantec and its cloud service providers have patched the SEP Cloud infrastructure to ensure that all cloud servers are safe from these vulnerabilities.

    Network23



  • 7.  RE: Meltdown patch plans

    Broadcom Partner
    Posted Jan 08, 2018 12:23 PM

    There seems to be another issue with SEP...

    http://www.symantec.com/docs/TECH248552

    So the best thing is to wait until Symantec fixes the issue...

    Network23



  • 8.  RE: Meltdown patch plans

    Posted Jan 08, 2018 02:45 PM

    Thanks Network23!

    I was thinking that I would have to create a filter in Altiris to exclude any client that did not have the 117.3... ERASER engine. That was going to be a real hassle, but worth it if the alternative was a BSOD.



  • 9.  RE: Meltdown patch plans

    Broadcom Employee
    Posted Jan 09, 2018 09:27 AM

    Please note that the applicability rules for the Meltdown updates filter out computers that don't have the QualityCompat registry key added by antivirus software (check INFO4782 for details).



  • 10.  RE: Meltdown patch plans

    Trusted Advisor
    Posted Jan 09, 2018 10:22 AM

    I'm happy to see the Symantec patch is checking for the AV key. For the PC remediation, Microsoft recommends installing the required AV update, installing the Windows update, and installing applicable firmware updates. The firmware update is the tricky part for us.

    Is anyone using Symantec or Dell Command Update to push BIOS updates with BitLocker enabled? Any hints?

    Some helpful links
    Microsoft Client Guidance
    Spectre-Meltdown Overview
    Meltdown-Spectre powershell reporting tool
    Dell BIOS update for clients



  • 11.  RE: Meltdown patch plans

    Trusted Advisor
    Posted Jan 09, 2018 11:56 AM

    Anyone have a filter handy for checking computer models vs. BIOS versions?

    Edit: Justin helped me in the linked thread, so that might be helpful for some looking for something similar.



  • 12.  RE: Meltdown patch plans

    Posted Jan 10, 2018 11:45 AM

    Which bulletins in Patch Management cover these two vulnerabilities? I don't see anything that seems to cover this.

    Scott



  • 13.  RE: Meltdown patch plans

    Posted Jan 10, 2018 02:58 PM

    Scott, I see it as MS18-01 in those options of patches. The article above that @network23 posted has the info you are looking for. I guess what I find funny is why the one is marked Important and the other is marked Critical regarding this flaw. Anyone else confirm that this is indeed for Windows 7 and 2008 machines? Anyone have an idea why they mark it as Important for one OS and not Critical?



  • 14.  RE: Meltdown patch plans

    Trusted Advisor
    Posted Jan 11, 2018 07:53 AM

    My computers are showing remediated if

    - AV updates

    - AV update makes them applicable for monthly rollup (MS18-01-MR7 - we're win7), that has to be installed

    - BIOS is updated



  • 15.  RE: Meltdown patch plans

    Posted Jan 11, 2018 12:13 PM

    I know that older operating systems are always a HOT topic of conversation with patches like this. Has anyone heard anything about whether Microsoft is going to put a patch out for older operating systems as they did last year with zero-day fixes? Just was curious....



  • 16.  RE: Meltdown patch plans

    Trusted Advisor
    Posted Jan 11, 2018 02:14 PM

    Thanks for all the useful information here. I wrote up an article if anyone is interested; I tried to summarize how we are planning to remediate:

    https://www.symantec.com/connect/articles/using-cms-remediate-spectre-meltdown-client-pcs



  • 17.  RE: Meltdown patch plans

    Posted Jan 11, 2018 02:24 PM

    Sally, I get Access Denied when trying to access the article.

    Thanks,

    Jeff



  • 18.  RE: Meltdown patch plans

    Trusted Advisor
    Posted Jan 12, 2018 11:30 AM

    Sorry, that's really frustrating, as I kind of rushed to get it up there hoping it would help someone. It seems like the mods need to fix it. I reached out to them.



  • 19.  RE: Meltdown patch plans

    Posted Jan 12, 2018 03:02 PM

    Thanks Sally for the article.

    Because of our diverse environment, we converted this MS PowerShell script https://gallery.technet.microsoft.com/scriptcenter/Meltdown-Spectre-Script-3cd11f26 to a custom inventory.

    It's helping us better narrow down who is vulnerable to Spectre and Meltdown.



  • 20.  RE: Meltdown patch plans

    Posted Mar 27, 2018 05:32 PM

    Can you please share your PowerShell-to-custom-inventory conversion? I was able to do the first 6 fields, but am stuck converting the rest. Any help is appreciated.



  • 21.  RE: Meltdown patch plans

    Posted Apr 23, 2018 11:30 AM

    I am also trying to figure out how to detect if the patches are installed.

    Anyone know how, or if, the "view installed updates" list is inventoried within Altiris? Can't locate it if it is, and I also need to figure out a more solid way to tell which machines are patched.



  • 22.  RE: Meltdown patch plans

    Broadcom Employee
    Posted Apr 24, 2018 11:40 AM

    Our AWESOME support group (Connect Community and Symantec Support) has created some articles with sample scripts, reports, etc.

    Please review:
    https://www.symantec.com/connect/articles/using-cms-remediate-spectre-meltdown-client-pcs

    http://www.symantec.com/docs/INFO4782

    Russ



  • 23.  RE: Meltdown patch plans

    Posted May 15, 2018 09:01 AM

    Russ, it would be even better if we could get the SQL query for the resource page. In CMS 6 it was easy:

    https://support.symantec.com/en_US/article.HOWTO1150.html

    Method: GetFullPageMicrosoftHotfixesSection

        -- The posted query joined "Inv_AeX_OS+Quick_Fix_Engineering"; the dataclass
        -- table name uses underscores (see the Connect forum link on this dataclass below).
        select isnull( a.[Description], N'')
        from vResource r
        LEFT OUTER JOIN Inv_AeX_OS_Quick_Fix_Engineering a ON a._ResourceGuid = r.Guid
        LEFT OUTER JOIN Inv_AeX_AC_Identification i on r.Guid = i._ResourceGuid
        where r.Guid = @ResourceGuid
        and a.[Description] <> ' '


    This would help so much more, as this page

    https://support.threattracksecurity.com/support/solutions/articles/1000258859-how-to-tell-if-the-meltdown-spectre-patch-has-been-applied

    says ...

    3. Look for one of the following KB numbers to confirm the patch has been installed:

        KB 4056894 | KB 4056897

    Any way to get an updated "how to get info from the resource page" for CMS 7.x, 8.x?



  • 24.  RE: Meltdown patch plans

    Posted May 15, 2018 10:34 AM

    As I see it, it's in this dataclass, but when I query it, I don't get the information. I get the GUIDs and don't know what tables to tie it to.

    Help greatly appreciated.



  • 25.  RE: Meltdown patch plans

    Posted May 15, 2018 04:37 PM

    While this may be a little cumbersome, you could make a custom inventory for QFE and then report on it.

    https://www.symantec.com/connect/forums/invaexosquickfixengineering



  • 26.  RE: Meltdown patch plans

    Posted May 16, 2018 09:01 AM

    ^^^ OK, I'll look into that. I know we can do a custom inventory; however, this information is available on the resource page and it would be nice to just take it from there, vs. doing redundant work...



  • 27.  RE: Meltdown patch plans

    Posted May 16, 2018 12:35 PM

    Well, I'm all set to do the custom inventory and this works for Win7; however, Windows 10 is cumulative and this method will not work. When I run it on Win10, I do not get patches going back that far...

        Name            Client Date              OS Name                           Microsoft KB   InstalledOn
        HPW-10LTSB1507  2018-05-16 07:56:41.000  Windows 10 Enterprise 2015 LTSB   KB4093110      4/24/2018
        HPW-10LTSB1507  2018-05-16 07:56:41.000  Windows 10 Enterprise 2015 LTSB   KB4093111      5/14/2018
        HPW-10LTSB1607  2018-05-16 07:54:06.000  Windows 10 Enterprise 2016 LTSB   KB4093110      4/24/2018
        HPW-10LTSB1607  2018-05-16 07:54:06.000  Windows 10 Enterprise 2016 LTSB   KB4093119      5/11/2018


  • 28.  RE: Meltdown patch plans

    Posted May 17, 2018 09:04 AM

    So while I was able to get the custom inventory working, it would still be nice to have SQL code for the main resource page. Always handy...



  • 29.  RE: Meltdown patch plans

    Broadcom Partner
    Posted May 17, 2018 11:50 AM

    Hi TeleFragger,

    There is a KB which lists the stored procedures used to generate the Resource Manager home page: http://www.symantec.com/docs/INFO4218

    This is what I've found.

    Hope this helps.

    Network23



  • 30.  RE: Meltdown patch plans

    Posted May 17, 2018 12:31 PM

    Great find!!! I have searched and searched. Not sure why I never found it...

    Anyway, that does work for one-off machines where you can provide the GUID of the machine; however, using the GUID of a filter won't work... so not sure how to do a global SQL query to hit, say, all computers.

    Thoughts?
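The per-resource query from the INFO4218 stored procedure can be turned into a fleet-wide report by dropping the `@ResourceGuid` filter and joining the QFE dataclass once per computer. The T-SQL below is an added example, not code from this thread or from a Symantec KB; it assumes the dataclass tables already named here (vResource, Inv_AeX_AC_Identification, Inv_AeX_OS_Quick_Fix_Engineering), assumes a `[Hotfix ID]` column holding the "KBnnnnnnn" string and a `CollectionMembership` table for filter scoping, and uses a placeholder filter GUID. It flags the two Windows 7 KBs from post 23 and, per post 27, marks Windows 10 separately because the cumulative update supersedes those KB numbers.

```sql
-- Added example (not from the thread). Column names [Hotfix ID], [Name], [OS Name]
-- and the CollectionMembership table are assumptions about the Altiris CMDB schema.
DECLARE @FilterGuid uniqueidentifier = '00000000-0000-0000-0000-000000000000'; -- placeholder: your filter GUID

-- Windows 7 Meltdown KBs named in this thread: monthly rollup and security-only update.
DECLARE @MeltdownKBs TABLE (HotfixId nvarchar(20) PRIMARY KEY);
INSERT INTO @MeltdownKBs (HotfixId) VALUES (N'KB4056894'), (N'KB4056897');

SELECT
    i.[Name]                  AS ComputerName,
    i.[OS Name]               AS OSName,
    ISNULL(k.HotfixId, N'')   AS MeltdownKB,
    CASE
        WHEN k.HotfixId IS NOT NULL               THEN 'Patched'
        -- Win10 is cumulative: the Jan 2018 KB will not appear in QFE once superseded,
        -- so the KB list above is not a valid test there (see post 27).
        WHEN i.[OS Name] LIKE N'%Windows 10%'     THEN 'Check cumulative update'
        ELSE 'Missing'
    END                       AS Status
FROM vResource r
JOIN Inv_AeX_AC_Identification i
    ON i._ResourceGuid = r.Guid
-- One row per computer even when no matching KB exists (left-join semantics).
OUTER APPLY (
    SELECT TOP (1) a.[Hotfix ID] AS HotfixId
    FROM Inv_AeX_OS_Quick_Fix_Engineering a
    JOIN @MeltdownKBs m ON m.HotfixId = a.[Hotfix ID]
    WHERE a._ResourceGuid = r.Guid
) k
-- Scope to the members of a filter instead of a single @ResourceGuid.
WHERE r.Guid IN (
    SELECT cm.ResourceGuid
    FROM CollectionMembership cm
    WHERE cm.CollectionGuid = @FilterGuid
)
ORDER BY Status, ComputerName;
```

Removing the `WHERE r.Guid IN (...)` clause runs the report against every inventoried computer; the 'Check cumulative update' rows still need the custom-inventory approach from post 25.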



  • 31.  RE: Meltdown patch plans

    Posted Jun 22, 2018 07:13 AM

    So we're 98% complete on patching; gotta find machines powered off and get them turned on... but..

    Still... anyone with a vastly diverse environment have any SQL they would share for BIOS level, etc.?
    We are mostly Lenovo, and they are a nightmare for this piece, but we do have a few HP, Dell, etc..
    I do know that Lenovo machines are inventorying the BIOS level, but not sure of the easiest way to determine if that BIOS rev is new enough...