I’m looking for a way to find out if windows defen...
# windows
I’m looking for a way to find out if windows defender is up to date and the local firewall is enabled; but most of the paths so far lead me to just checking for registry keys which doesn’t really reflect if the systems are actually working
select * from windows_security_products
shows no results for advfirewall, defender or the older ms endpoint security 😞
firewall example
but I know it should (looking at the PR where that table was added), so maybe i’m running in to an issue with this specific system
@zwass This table gets the data from a low-level api correct?
@john I imagine your command prompt is running at the admin level for the osqueryi session, is that correct?
@terracatta also wrote a windows security center table which should be included in the next release, you could try building osquery from master and testing that table: https://github.com/osquery/osquery/pull/6256
@fritz yes, that is correct, also Admin; the instance is also connected to fleet and running the query there gets 0 rows back as well
other queries do return data, I also opened an issue on gh
I haven’t tested it on server OS myself, only Win 10 desktop. It works fine there
Oh, interesting, looks like the API just may not be available on server: https://docs.microsoft.com/en-us/windows/win32/api/wscapi/ne-wscapi-wsc_security_provider
Copy code
Minimum supported client 	Windows Vista [desktop apps only]
Minimum supported server 	None supported
Not certain that is the correct way to interpret those docs though
FWIW, Trail of Bits has an extension with a table for both reading and modifying the firewall rules (including on Windows). https://github.com/trailofbits/osquery-extensions/tree/master/fwctl
Yeah, I’ve checked that out as well, but I’d have to do a whole lot of customisation work to get that in to kolide fleet + launcher as far as I can see, and I’m not proficient enough at go and c++ do make it happen. https://osquery.slack.com/archives/C1XCLA5DZ/p1586534103141000
I’m testing a company-wide rollout of device policy auditing using osquery and open policy agent, so far so good, but to get things like ‘local firewall has to be turned on’ as a policy on mac, windows and linux is a bit of a beast; macOS ALF is easy enough, iptables/nftables/firewall-cmd is not super hard, but windows is somewhat finnicky, especially VMs using windows server images (like all the VDI and cloud stuff)
I guess the security products API is either part of the desktop experience, or explicitly unavailable on server to enforce ‘server-compatible’ protection software
@john If all other roads lead to failure, you can dive down the rabbit-hole of the
table and also confirm services are running with the
@john, can you do me a favor when you get a chance and check if you have the file
on the 2019 server you are trying this out on?
@farfella doesn’t seem to be there
Thanks for confirming my suspicions. Yes, 2019 (and other server) editions do not have “windows security center” api (as per docs @zwass linked to and this check that wscapi.dll itself is missing). I think querying that table should return an error to users indicating that wsc is missing in their edition/version of windows
I’ve checked if it’s part of their ‘desktop exeperience’ feature but 2019 no longer makes that an installation option, they only have ‘server core’ and ‘server desktop’; strangely, the security status is visible in the new control panel so perhaps they are using an internal API for that
Yeah, I suspect copying the wscapi.dll file over to the system will cause the output to work, but it’s legally gray. :-/
I had to do some stuff in the meantime but I’m actually going to test this, I’ll report back any findings
so far, most versions of the dll I have or could find simply crash during load
the rest just doesn’t load at all
Got it. Thanks @john . Guess there are additional libraries wscapi depends on which do not exist in the server versions. :-/
as far as I can see it doesn’t segfault but crashes for some other reason; looking at the libraries it links to, they seem to exist..
I imagine Microsoft doing market segmentation or licensing stuff and simply administratively not allowing this and making sure it doesn’t work