Reported by Jude Lancaster @ IBM.
folder "FileVault" of folder "__Global" of data folder of client
does not exist normally but the fixlet doesn't check for that.
Because this relevance includes the "time generated" then every log entry is a new record returned by the analysis that is unique for every computer and event. This will significantly grow the BFEnterprise database and is problematic for any large deployments.
Using something like this would just give the unique event types:
unique values of ( ( (if (event id of it = 8006) then ("Warned: ") else ("Blocked: ")) of it ) & (preceding text of last " was " of description of it) ) of records ((integers in(item 0 of it + item 1 of it - 1,maximum of (item 0 of it + item 1 of it - 500;item 1 of it))) of (record count of it, oldest record number of it)) whose (event id of it = 8006 or event id of it = 8007) of event log "Microsoft-Windows-AppLocker/MSI and Script"
This would give the count, which would often be unique per endpoint, but less verbose than the current state:
(multiplicity of it as string & it) of unique values of ( ( (if (event id of it = 8006) then ("Warned: ") else ("Blocked: ")) of it ) & (preceding text of last " was " of description of it) ) of records ((integers in(item 0 of it + item 1 of it - 1,maximum of (item 0 of it + item 1 of it - 500;item 1 of it))) of (record count of it, oldest record number of it)) whose (event id of it = 8006 or event id of it = 8007) of event log "Microsoft-Windows-AppLocker/MSI and Script"
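The same aggregation, run locally on an endpoint with PowerShell rather than through a BigFix analysis, as an added example that is not part of the project or of the comment above. It reads the last 500 records of the AppLocker "MSI and Script" log, labels event 8006 as "Warned" and 8007 as "Blocked", keeps the part of the description before the last " was " (the script or installer path), and counts unique results, so a defender can see what the analysis would return before deciding on the verbose per-event form.

```powershell
# Added example: summarize AppLocker MSI and Script events 8006 (audit/warned)
# and 8007 (blocked) into unique "action: subject" strings with counts.
# Assumes the log exists on this machine; if it does not, $events is empty.
$logName = 'Microsoft-Windows-AppLocker/MSI and Script'
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 8006, 8007 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

$summary = $events |
  ForEach-Object {
    $action = if ($_.Id -eq 8006) { 'Warned: ' } else { 'Blocked: ' }
    # Description looks like "<path> was prevented from running.";
    # keep only the text before the last " was ", as the relevance does.
    $msg = $_.Message
    $idx = $msg.LastIndexOf(' was ')
    $subject = if ($idx -ge 0) { $msg.Substring(0, $idx) } else { $msg }
    $action + $subject
  } |
  Group-Object |
  Sort-Object Count -Descending |
  Select-Object Count, Name

if (-not $summary) {
  'No AppLocker MSI/Script warn or block events found in the last 500 records.'
} else {
  $summary | Format-Table -AutoSize
}
```

Group-Object gives the per-endpoint counts the second relevance expression produces; drop the Count column if only the unique event types are wanted.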
Sample results:
Bitlocker - Encryptable Volume # - Windows 1
Bitlocker - Encryptable Volumes - Windows C:
Bitlocker - Encryption Finished - Windows
Bitlocker - Encryption Method - WIndows AES 128
Bitlocker - Encryption Started - Windows
Bitlocker - Protection Status - Windows Protection Off
Bitlocker - Status - Windows Fully Encrypted
Bitlocker - Volume Type - Windows VolumeType=0
Unless I am missing something, it appears that the Firewall - State - Windows property has a copy/paste issue. I believe the Public section should be looking at the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile registry key, however it is looking at StandardProfile instead.
Not an issue with the Fixlet itself, but probably worth a warning. Java.exe command line parameters -Xms and -Xmx configure minimum and maximum memory allocations available to Java. When using 32-bit Java.exe with a -Xmx1024m (or any value larger than ~ 750 MB), java.exe fails to launch with a message
Error occurred during initialization of VM
Could not reserve enough space for 1048576KB object heap
There is a warning on Microsoft's EMET policy page that EMET may not be compatible with the -Xmx parameter, but it's not clear that the only workaround is to completely remove java.exe from the configuration baseline. Disabling every available mitigation on the java.exe definition was not effective in working around the problem, I had to remove java.exe entirely.
I've tested 64-bit Java with allocations up to -Xmx16535m successfully with the EMET policy in place, only reproduced this on 32-bit Java.
EMET - Mitigated Events - Windows doesn't include time/date
Add Check
Any reapply a million times
@mbrownr -- Can you make a task to force an ePO policy refresh?
Command line is: C:\ProgramData\McAfee\Agent\cmdagent.exe /c
This will prevent encrypting virtual machines with thin provisioned storage
ERROR: Invalid Syntax.
"-RebootCount" was not understood.
Use this:
values "DisplayVersion" of keys whose (value "DisplayName" of it as string is "McAfee Agent") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x32 registry; (if exists x64 registry then x64 registry else nothing))
Analyses
Credential Guard
Device Guard
Would like to see Policy names and any other info brought into the Analyses.
Policy names in particular are stored in plain text in the registry which is... Perfect!
Let me know if you've got time this next week to work on this @mbrownr
DMA Protection Check should be = 3
@mbrownr -- If you have time next week would you mind putting something together for this?
Not properly reporting for Windows
Reported: https://forum.bigfix.com/t/potential-memory-leak-bf-agent-and-server-2008-r2/24807/15
not exists string values whose(it = "Hyper-V Platform") of selects "Caption from win32_optionalfeature where installstate= 1" of wmis
AND:
exists string values whose(it = "Hyper-V Platform") of selects "Caption from win32_optionalfeature" of wmis
exists string values whose(it = "Hyper-V Platform") of selects "Caption from win32_optionalfeature where installstate= 1" of wmis
As a template for the description, format, etc. Don't necessarily worry about Mac Support right away (nobody else ever does).
The Relevance on "Deploy - EMET - 5.51" at https://bigfix.me/fixlet/details/21265 does not check for the version number of an existing EMET. The presence of EMET 5.5 (or earlier) will cause EMET 5.51 to be non-relevant.
Recommend Relevance change to add a check for "DisplayVersion" registry key
From:
(windows of operating system) and (version of operating system >= "6.1") and (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0" of registry) and (if exists property "in proxy agent context" then ( not in proxy agent context ) else true) and (free space of drive of client > 26808320 * 2) and (not exists (key of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of ( x32 registry; (if exists x64 registry then x64 registry else nothing) )) whose (value "DisplayName" of it as string starts with "EMET"))
To:
(windows of operating system) and (version of operating system >= "6.1") and (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0" of registry) and (if exists property "in proxy agent context" then ( not in proxy agent context ) else true) and (free space of drive of client > 26808320 * 2) and (not exists (key of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of ( x32 registry; (if exists x64 registry then x64 registry else nothing) )) whose (value "DisplayName" of it as string starts with "EMET" and value "DisplayVersion" of it as string as version >= version "5.51"))
EMET 5.51 reports DisplayVersion 5.51 in the Registry.
EMET 5.5 reports DisplayVersion 5.5
I haven't checked with any earlier EMET versions.
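A local check of the same condition the revised relevance expresses, added here as an example and not taken from the project's fixlet. It enumerates the uninstall keys in both the 32-bit and 64-bit registry views, finds entries whose DisplayName starts with "EMET", and compares DisplayVersion as a version rather than a string, so "5.5" is correctly treated as older than "5.51".

```powershell
# Added example: decide whether "Deploy - EMET - 5.51" should be relevant on this
# machine, using the same DisplayName/DisplayVersion uninstall keys as the relevance.
$uninstallPaths = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$required = [version]'5.51'

$emet = foreach ($path in $uninstallPaths) {
  if (Test-Path $path) {
    Get-ChildItem $path | ForEach-Object {
      $p = Get-ItemProperty $_.PSPath
      if ($p.DisplayName -like 'EMET*') {
        $p | Select-Object DisplayName, DisplayVersion
      }
    }
  }
}

if (-not $emet) {
  'EMET not installed: deployment relevant'
} else {
  foreach ($e in $emet) {
    $v = $null
    # [version] comparison: 5.5 is below 5.51; a string comparison would not order these reliably.
    if ([version]::TryParse($e.DisplayVersion, [ref]$v) -and $v -ge $required) {
      "$($e.DisplayName) $($e.DisplayVersion) is already at or above ${required}: not relevant"
    } else {
      "$($e.DisplayName) $($e.DisplayVersion) is older than ${required}: deployment relevant"
    }
  }
}
```

An unparsable DisplayVersion falls through to "deployment relevant", which matches the intent of the relevance change: only a confirmed 5.51 or newer install should suppress the deployment.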
if rules are defined but enforcement method is not, then it should return ENFORCED
Don't allow rule addition if Audit/Enforce isn't specified.
Have to import module on Windows 7...
JGStew has the following
https://bigfix.me/relevance/details/3018085
https://bigfix.me/relevance/details/3018084