
c3-protect's Issues

Applocker log analysis generates a lot of records

Location: https://github.com/strawgate/C3-Protect/blob/master/Analyses/Whitelisting%20-%20Applocker%20-%20Logs%20-%20Windows.bes

Because this relevance includes the "time generated", every log entry is a new record returned by the analysis that is unique for every computer and event. This will significantly grow the BFEnterprise database and is problematic for any large deployment.

Using something like this would just give the unique event types:

 unique values of ( ( (if (event id of it = 8006) then ("Warned: ") else ("Blocked: ")) of it ) & (preceding text of last " was " of description of it) ) of records ((integers in(item 0 of it + item 1 of it - 1,maximum of (item 0 of it + item 1 of it - 500;item 1 of it))) of (record count of it, oldest record number of it)) whose (event id of it = 8006 or event id of it = 8007) of event log "Microsoft-Windows-AppLocker/MSI and Script"

This would give the count, which would often be unique per endpoint, but less verbose than the current state:

(multiplicity of it as string & it) of unique values of ( ( (if (event id of it = 8006) then ("Warned: ") else ("Blocked: ")) of it ) & (preceding text of last " was " of description of it) ) of records ((integers in(item 0 of it + item 1 of it - 1,maximum of (item 0 of it + item 1 of it - 500;item 1 of it))) of (record count of it, oldest record number of it)) whose (event id of it = 8006 or event id of it = 8007) of event log "Microsoft-Windows-AppLocker/MSI and Script"
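The same summary as the proposed relevance, done in PowerShell as an added example (this is not code from the C3-Protect repo): it reads the newest AppLocker audit/block events from the chosen channel, keys each one on "Warned:"/"Blocked:" plus the description text before the last " was ", and counts duplicates, so the output is one row per distinct subject rather than one row per event. The EXE and DLL channel (event IDs 8003/8004) is included as a generalisation beyond the issue, which only covers MSI and Script (8006/8007); the 500-event window mirrors the relevance above.

```powershell
<#
  Added example (not part of C3-Protect): summarise AppLocker events the way the
  proposed relevance does, so each distinct subject appears once with a count
  instead of one record per event. Run in an elevated PowerShell on the endpoint.
#>
param(
    [ValidateSet('EXE and DLL', 'MSI and Script')]
    [string]$Channel = 'MSI and Script',
    [int]$MaxEvents = 500   # the issue's relevance also looks at the newest 500 records
)

# Audit ("warned") vs enforce ("blocked") event IDs per AppLocker channel.
$ids = @{
    'EXE and DLL'    = @{ Warned = 8003; Blocked = 8004 }
    'MSI and Script' = @{ Warned = 8006; Blocked = 8007 }
}[$Channel]

$logName = "Microsoft-Windows-AppLocker/$Channel"

function ConvertTo-AppLockerSummaryKey {
    param($Event)
    $prefix = if ($Event.Id -eq $ids.Warned) { 'Warned: ' } else { 'Blocked: ' }
    # Same trimming as the relevance: keep the text before the last " was "
    # ("...\foo.ps1 was allowed to run but would have been prevented ..." -> "...\foo.ps1").
    $msg = $Event.Message
    $cut = $msg.LastIndexOf(' was ')
    $subject = if ($cut -ge 0) { $msg.Substring(0, $cut) } else { $msg }
    return $prefix + $subject
}

# Get-WinEvent returns newest first, so -MaxEvents yields the most recent N records.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = @($ids.Warned, $ids.Blocked) } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$summary = $events |
    ForEach-Object { ConvertTo-AppLockerSummaryKey $_ } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Count'; e = { $_.Count } }, @{ n = 'Event'; e = { $_.Name } }

$summary | Format-Table -AutoSize -Wrap
```

The Count column is the PowerShell equivalent of `multiplicity of it` in the second relevance; drop it (or the `Sort-Object`/`Select-Object` stage) to get the first, count-free form. Either way the number of rows per endpoint is bounded by the number of distinct blocked or warned subjects, not by event volume.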

Bitlocker Protection Status seems to provide unclear information

Sample results:
Bitlocker - Encryptable Volume # - Windows 1
Bitlocker - Encryptable Volumes - Windows C:
Bitlocker - Encryption Finished - Windows
Bitlocker - Encryption Method - WIndows AES 128
Bitlocker - Encryption Started - Windows
Bitlocker - Protection Status - Windows Protection Off
Bitlocker - Status - Windows Fully Encrypted
Bitlocker - Volume Type - Windows VolumeType=0
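The sample results above pair "Fully Encrypted" with "Protection Off". That combination is a volume whose encryption has completed but whose key protectors are suspended (a clear key is stored on the volume), so the data is encrypted on disk yet readable without any protector. The following is an added example (not C3-Protect code) that reads the same Win32_EncryptableVolume class the analysis properties draw on and spells that interpretation out per volume; the numeric value names are taken from the class documentation.

```powershell
<#
  Added example (not C3-Protect code): read the per-volume BitLocker state from
  Win32_EncryptableVolume and decode the combination of conversion status and
  protection status that the raw analysis results leave unclear.
  Run elevated; the class requires administrator rights.
#>
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Value names per the Win32_EncryptableVolume documentation.
$conversion = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                 3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$protection = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
$method     = @{ 0 = 'None'; 1 = 'AES128+Diffuser'; 2 = 'AES256+Diffuser'; 3 = 'AES128';
                 4 = 'AES256'; 5 = 'Hardware'; 6 = 'XTS-AES128'; 7 = 'XTS-AES256' }

Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume | ForEach-Object {
    $conv = Invoke-CimMethod -InputObject $_ -MethodName GetConversionStatus
    $prot = Invoke-CimMethod -InputObject $_ -MethodName GetProtectionStatus
    $enc  = Invoke-CimMethod -InputObject $_ -MethodName GetEncryptionMethod

    $c = $conversion[[int]$conv.ConversionStatus]
    $p = $protection[[int]$prot.ProtectionStatus]

    # The reading the raw fields do not give you on their own.
    if ($c -eq 'FullyEncrypted' -and $p -eq 'On') {
        $verdict = 'Protected'
    } elseif ($c -eq 'FullyEncrypted' -and $p -eq 'Off') {
        $verdict = 'Encrypted but SUSPENDED (clear key present): readable without a protector'
    } elseif ($c -eq 'FullyDecrypted') {
        $verdict = 'Not encrypted'
    } else {
        $verdict = "In transition ($c)"
    }

    [pscustomobject]@{
        Volume           = $_.DriveLetter
        VolumeType       = $_.VolumeType        # 0 = OS volume, 1 = fixed data, 2 = removable
        ConversionStatus = $c
        ProtectionStatus = $p
        EncryptionMethod = $method[[int]$enc.EncryptionMethod]
        Verdict          = $verdict
    }
} | Format-Table -AutoSize -Wrap
```

On Windows 8 / Server 2012 and later, `Get-BitLockerVolume` exposes VolumeStatus and ProtectionStatus directly; the WMI route above also works on Windows 7 / Server 2008 R2, which is the generation of hosts the rest of these issues deal with (use `Get-WmiObject` and `InvokeMethod` there if the CIM cmdlets are not available).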

Copy/paste bug in Firewall - State - Windows property

Unless I am missing something, it appears that the Firewall - State - Windows property has a copy/paste issue. I believe the Public section should be looking at the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile registry key, however it is looking at StandardProfile instead.
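To see the per-profile state directly, here is an added example (not C3-Protect code) that reads `EnableFirewall` for each profile from its own key, which is the point of the issue: the policy values under `SOFTWARE\Policies\Microsoft\WindowsFirewall` override the local values under `SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy` when they are set, and `StandardProfile` is the Private profile, not Public.

```powershell
<#
  Added example (not C3-Protect code): report the firewall state of each profile,
  reading the profile's own policy key first (GPO) and the local key second.
  Nothing is inferred from one profile's key for another.
#>
function Get-FirewallProfileState {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    $localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $policy = Get-ItemProperty -Path "$policyRoot\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue
        $local  = Get-ItemProperty -Path "$localRoot\$profile"  -Name EnableFirewall -ErrorAction SilentlyContinue

        $policyValue = if ($policy) { [int]$policy.EnableFirewall } else { $null }   # $null: no GPO setting
        $localValue  = if ($local)  { [int]$local.EnableFirewall }  else { $null }

        # Policy wins over local; when neither is set we report Unknown rather than guess.
        $effective = if ($null -ne $policyValue) { $policyValue } elseif ($null -ne $localValue) { $localValue } else { $null }
        $source    = if ($null -ne $policyValue) { 'GPO' } elseif ($null -ne $localValue) { 'Local' } else { 'None' }
        $enabled   = if ($effective -eq 1) { 'On' } elseif ($effective -eq 0) { 'Off' } else { 'Unknown' }

        [pscustomobject]@{
            Profile = $profile
            Source  = $source
            Enabled = $enabled
        }
    }
}

Get-FirewallProfileState | Format-Table -AutoSize
```

On Windows 8 / Server 2012 and later, `Get-NetFirewallProfile | Select-Object Name, Enabled` gives the effective state as the firewall service sees it and is a useful cross-check against the registry reading; a mismatch between the two for the Public profile is exactly what the copy/paste error would produce.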

32-bit Java.exe breaks with -Xmx parameters with EMET policy

Not an issue with the Fixlet itself, but probably worth a warning. The java.exe command line parameters -Xms and -Xmx configure the minimum and maximum memory allocations available to Java. When using 32-bit java.exe with -Xmx1024m (or any value larger than ~750 MB), java.exe fails to launch with the message:
Error occurred during initialization of VM
Could not reserve enough space for 1048576KB object heap

There is a warning on Microsoft's EMET policy page that EMET may not be compatible with the -Xmx parameter, but it's not clear that the only workaround is to completely remove java.exe from the configuration baseline. Disabling every available mitigation on the java.exe definition was not effective in working around the problem, I had to remove java.exe entirely.

I've tested 64-bit Java with allocations up to -Xmx16535m successfully with the EMET policy in place, only reproduced this on 32-bit Java.

McAfee EPO analysis doesn't cover x64

Use this:
values "DisplayVersion" of keys whose (value "DisplayName" of it as string is "McAfee Agent") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x32 registry; (if exists x64 registry then x64 registry else nothing))

McAfee Endpoint Security Analyses

Would like to see Policy names and any other info brought into the Analyses.

Policy names in particular are stored in plain text in the registry which is... Perfect!

Let me know if you've got time this next week to work on this @mbrownr

Memory leak caused by WMI calls on WinServer2008R2 "Hyper-V Platform - Enable"

Reported: https://forum.bigfix.com/t/potential-memory-leak-bf-agent-and-server-2008-r2/24807/15


This is how I would try rewriting the relevance to be more efficient:

Enable:

not exists string values whose(it = "Hyper-V Platform") of selects "Caption from win32_optionalfeature where installstate= 1" of wmis

AND:

exists string values whose(it = "Hyper-V Platform") of selects "Caption from win32_optionalfeature" of wmis

Disable:

exists string values whose(it = "Hyper-V Platform") of selects "Caption from win32_optionalfeature where installstate= 1" of wmis
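As an added example (not C3-Protect code), the same two conditions evaluated from one Win32_OptionalFeature query in PowerShell. The caption filter is pushed into the WQL query, as in the rewritten relevance, so only the one row of interest comes back instead of every optional feature; the InstallState values are taken from the class documentation (1 = Enabled, 2 = Disabled, 3 = Absent).

```powershell
<#
  Added example (not C3-Protect code): evaluate the Enable and Disable fixlet
  conditions for "Hyper-V Platform" from a single filtered Win32_OptionalFeature
  query. InstallState per the class documentation: 1 Enabled, 2 Disabled, 3 Absent.
#>
function Get-HyperVPlatformRelevance {
    param([string]$Caption = 'Hyper-V Platform')

    # Server-side WQL filter: one row back rather than the whole feature list.
    $feature = Get-CimInstance -ClassName Win32_OptionalFeature -Filter "Caption = '$Caption'" |
               Select-Object -First 1

    $present = $null -ne $feature
    $enabled = $present -and ($feature.InstallState -eq 1)

    [pscustomobject]@{
        Feature               = $Caption
        Present               = $present
        InstallState          = if ($present) { $feature.InstallState } else { $null }
        EnableFixletRelevant  = $present -and -not $enabled   # feature exists but is not enabled
        DisableFixletRelevant = $enabled                      # feature is enabled
    }
}

Get-HyperVPlatformRelevance
```

`Present` being false means the role is not available on this edition at all, which is why the Enable relevance above needs the second clause: "not enabled" alone would also fire on hosts where Hyper-V cannot be installed.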

Deploy - EMET - 5.51 does not check EMET version

The Relevance on "Deploy - EMET - 5.51" at https://bigfix.me/fixlet/details/21265 does not check for the version number of an existing EMET. The presence of EMET 5.5 (or earlier) will cause EMET 5.51 to be non-relevant.

Recommend a Relevance change to add a check for the "DisplayVersion" registry key

From:

(windows of operating system) and (version of operating system >= "6.1") and (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0" of registry) and (if exists property "in proxy agent context" then ( not in proxy agent context ) else true) and (free space of drive of client > 26808320 * 2) and (not exists (key of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of ( x32 registry; (if exists x64 registry then x64 registry else nothing) )) whose (value "DisplayName" of it as string starts with "EMET"))

To:

(windows of operating system) and (version of operating system >= "6.1") and (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0" of registry) and (if exists property "in proxy agent context" then ( not in proxy agent context ) else true) and (free space of drive of client > 26808320 * 2) and (not exists (key of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of ( x32 registry; (if exists x64 registry then x64 registry else nothing) )) whose (value "DisplayName" of it as string starts with "EMET" and value "DisplayVersion" of it as string as version >= version "5.51"))

EMET 5.51 reports DisplayVersion 5.51 in the Registry.
EMET 5.5 reports DisplayVersion 5.5
I haven't checked with any earlier EMET versions.
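The following is an added example (not C3-Protect code) that serves both this issue and the "McAfee EPO analysis doesn't cover x64" issue above: it enumerates the Uninstall keys in both registry views, which is what the relevance idiom `(x32 registry; (if exists x64 registry then x64 registry else nothing))` does, and then applies the version test proposed above, comparing `DisplayVersion` as a version rather than as a string. Run it from 64-bit PowerShell: in a 32-bit process WOW64 redirects `HKLM\SOFTWARE` to `WOW6432Node`, and the native view is not reachable through these paths.

```powershell
<#
  Added example (not C3-Protect code): enumerate installed products from both
  registry views and apply the EMET >= 5.51 test from the issue.
  Run from 64-bit PowerShell so both views are visible.
#>
function Get-UninstallEntry {
    param([Parameter(Mandatory)][string]$DisplayNameLike)

    $views = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'             # 64-bit (native) view
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' # 32-bit view on x64
    )
    # The WOW6432Node path does not exist on 32-bit Windows; SilentlyContinue covers that.
    Get-ItemProperty -Path $views -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNameLike } |
        Select-Object DisplayName, DisplayVersion,
                      @{ n = 'View'; e = { if ($_.PSPath -match 'WOW6432Node') { 'x32' } else { 'x64' } } }
}

# McAfee Agent version, regardless of which view the installer wrote to.
Get-UninstallEntry -DisplayNameLike 'McAfee Agent' | Format-Table -AutoSize

# "Deploy - EMET - 5.51" should be relevant only when no EMET at or above 5.51 is installed.
function Test-EmetDeployRelevant {
    param([version]$Target = [version]'5.51')

    foreach ($entry in Get-UninstallEntry -DisplayNameLike 'EMET*') {
        $installed = $entry.DisplayVersion -as [version]
        if ($null -eq $installed) { continue }   # unparsable DisplayVersion: ignore that entry
        # [version] compares numerically, so 5.5 < 5.51. A string compare happens to order
        # "5.5" before "5.51" too, but breaks for cases like "5.9" vs "5.10".
        if ($installed -ge $Target) { return $false }
    }
    return $true
}

"Deploy - EMET - 5.51 relevant: $(Test-EmetDeployRelevant)"
```

With EMET 5.5 installed the function returns True (the upgrade applies); with 5.51 it returns False, matching the `as version >= version "5.51"` clause in the corrected relevance.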
