
UPDATED - Computer Update Status - WanaCrypt (MS17-010) - v2

Import under "Windows Server Update Services Analytics."

Based on the KBs and Security Bulletin listed in this article from Microsoft:

https://support.microsoft.com/en-us/help/4013389/title

Hoping this helps someone out there make sure their environment doesn't get hit by the latest in exciting ransomware.

A sample LEM rule for identifying suspicious activity from WanaCrypt can be found here: WanaCrypt v1 Detection Rule

UPDATE: I worked with one of the Support guys, and he pointed out I had a couple problems with the query that resulted in some environments getting many, many bytes in their TempDB.  This has now been fixed, so download version 2 and see if it works better!

Comments

Thank you for this.

Thank you.

Does this report take a long time to run? When I run it, it just spins at "processing" indefinitely.

On my test system, it was less than a minute, but depending on the number of nodes and speed of your database it could take longer.

I got the same issue as ahthomas. We have 1600+ servers/workstations, and when I ran the report, it filled the C:\ drive on the SQL server with gigs of data in the tempdb and never finished.

Mine just finished with nothing and my C: drive filled up, as the user below mentioned. How do we get this to run successfully? I have a guy working on a PowerShell script to do this, but it seems that this might be quicker, if we can get it to actually work.

I only have a lab system with about 15 machines to test against, but the report is looking for any one of about 10 KBs and the MS17-010 classification; it may be that my attempt to be more thorough is leading to a really large data set. If you look at the list I based the report on, if you don't have Windows XP or Server 2003, you could modify the criteria to remove data sets that don't apply to you.

We only have around 200 machines and our drive filled up.  It returned about 100,000 rows.  Looks like the same update for a computer would show up a bunch of times listed as the various KB articles...  How can we safely truncate the tempdb database?

Anyone able to write a report that works? I have a PowerShell script that checks, but it only returns hits if the machine is on.

I think I know what was causing the issue, and this has been updated to remedy the problem.  Please give the new version a try and let me know if it's still borked.

Much better!  For whatever reason, I have 8 computers that have an unknown installation state for 26 patches (many of which are server-based patches) and these are Windows 10 computers...  So this adds about 200 extra entries, but it gets me pretty close to what I need to see.  Thanks!

Glad to hear it!

Version history: Revision 1 of 1. Last update: 05-15-2017 11:49 AM