john

04/11/2020, 12:48 AM
I’m looking for a way to find out if windows defender is up to date and the local firewall is enabled; but most of the paths so far lead me to just checking for registry keys which doesn’t really reflect if the systems are actually working
sundsta

04/11/2020, 12:56 AM
select * from windows_security_products
john

04/11/2020, 12:59 AM
shows no results for advfirewall, defender or the older ms endpoint security 😞
firewall example
but I know it should (looking at the PR where that table was added), so maybe I’m running into an issue with this specific system
defensivedepth

04/11/2020, 2:01 AM
@zwass This table gets the data from a low-level api correct?
fritz

04/11/2020, 12:55 PM
@john I imagine your command prompt is running at the admin level for the osqueryi session, is that correct?
@terracatta also wrote a windows security center table which should be included in the next release, you could try building osquery from master and testing that table: https://github.com/osquery/osquery/pull/6256
john

04/11/2020, 3:03 PM
@fritz yes, that is correct, also Admin; the instance is also connected to fleet and running the query there gets 0 rows back as well
other queries do return data, I also opened an issue on gh
sundsta

04/13/2020, 3:15 PM
I haven’t tested it on server OS myself, only Win 10 desktop. It works fine there
zwass

04/13/2020, 4:51 PM
Oh, interesting, looks like the API just may not be available on server: https://docs.microsoft.com/en-us/windows/win32/api/wscapi/ne-wscapi-wsc_security_provider
Minimum supported client 	Windows Vista [desktop apps only]
Minimum supported server 	None supported
Not certain that is the correct way to interpret those docs though
Mike Myers

04/14/2020, 5:13 PM
FWIW, Trail of Bits has an extension with a table for both reading and modifying the firewall rules (including on Windows). https://github.com/trailofbits/osquery-extensions/tree/master/fwctl
john

04/15/2020, 1:38 AM
Yeah, I’ve checked that out as well, but I’d have to do a whole lot of customisation work to get that into kolide fleet + launcher as far as I can see, and I’m not proficient enough at go and c++ to make it happen. https://osquery.slack.com/archives/C1XCLA5DZ/p1586534103141000
I’m testing a company-wide rollout of device policy auditing using osquery and open policy agent, so far so good, but to get things like ‘local firewall has to be turned on’ as a policy on mac, windows and linux is a bit of a beast; macOS ALF is easy enough, iptables/nftables/firewall-cmd is not super hard, but windows is somewhat finicky, especially VMs using windows server images (like all the VDI and cloud stuff)
I guess the security products API is either part of the desktop experience, or explicitly unavailable on server to enforce ‘server-compatible’ protection software
fritz

04/15/2020, 3:58 PM
@john If all other roads lead to failure, you can dive down the rabbit-hole of the registry table and also confirm services are running with the services table.
farfella

04/20/2020, 1:41 AM
@john, can you do me a favor when you get a chance and check if you have the file wscapi.dll under c:\windows\system32 on the 2019 server you are trying this out on?
john

04/20/2020, 9:30 AM
@farfella doesn’t seem to be there
farfella

04/20/2020, 2:22 PM
Thanks for confirming my suspicions. Yes, 2019 (and other server) editions do not have “windows security center” api (as per docs @zwass linked to and this check that wscapi.dll itself is missing). I think querying that table should return an error to users indicating that wsc is missing in their edition/version of windows
john

04/20/2020, 3:52 PM
I’ve checked if it’s part of their ‘desktop experience’ feature but 2019 no longer makes that an installation option, they only have ‘server core’ and ‘server desktop’; strangely, the security status is visible in the new control panel so perhaps they are using an internal API for that
farfella

04/20/2020, 5:58 PM
Yeah, I suspect copying the wscapi.dll file over to the system will cause the output to work, but it’s legally gray. :-/
john

04/24/2020, 3:43 PM
I had to do some stuff in the meantime but I’m actually going to test this, I’ll report back any findings
so far, most versions of the dll I have or could find simply crash during load
the rest just doesn’t load at all
farfella

04/26/2020, 3:29 PM
Got it. Thanks @john. Guess there are additional libraries wscapi depends on which do not exist in the server versions. :-/
john

04/26/2020, 3:39 PM
as far as I can see it doesn’t segfault but crashes for some other reason; looking at the libraries it links to, they seem to exist.
I imagine Microsoft doing market segmentation or licensing stuff and simply administratively not allowing this and making sure it doesn’t work
farfella

04/26/2020, 3:40 PM
Yeah...