I’m looking for a way to find out if windows defen...
# windowsj
john
04/11/2020, 12:48 AMI’m looking for a way to find out if windows defender is up to date and the local firewall is enabled; but most of the paths so far lead me to just checking for registry keys which doesn’t really reflect if the systems are actually working
s
sundsta
04/11/2020, 12:56 AMselect * from windows_security_productssundsta
04/11/2020, 12:56 AMj
john
04/11/2020, 12:59 AMshows no results for advfirewall, defender or the older ms endpoint security 😞
john
04/11/2020, 1:04 AMfirewall example
john
04/11/2020, 1:07 AMbut I know it should (looking at the PR where that table was added), so maybe i’m running in to an issue with this specific system
d
defensivedepth
04/11/2020, 2:01 AM@zwass This table gets the data from a low-level api correct?
f
fritz
04/11/2020, 12:55 PM@john I imagine your command prompt is running at the admin level for the osqueryi session, is that correct?
fritz
04/11/2020, 12:57 PM@terracatta also wrote a windows security center table which should be included in the next release, you could try building osquery from master and testing that table:
https://github.com/osquery/osquery/pull/6256
j
john
04/11/2020, 3:03 PM@fritz yes, that is correct, also Admin; the instance is also connected to fleet and running the query there gets 0 rows back as well
john
04/11/2020, 3:05 PMother queries do return data, I also opened an issue on gh
john
04/11/2020, 3:06 PMs
sundsta
04/13/2020, 3:15 PMI haven’t tested it on server OS myself, only Win 10 desktop. It works fine there
z
zwass
04/13/2020, 4:51 PM
Yeah the data is pulled from the windows security center API (https://github.com/osquery/osquery/blob/master/osquery/tables/system/windows/windows_security_products.cpp)
zwass
04/13/2020, 4:52 PM
Oh, interesting, looks like the API just may not be available on server: https://docs.microsoft.com/en-us/windows/win32/api/wscapi/ne-wscapi-wsc_security_provider
zwass
04/13/2020, 4:52 PM
Copy code
Minimum supported client Windows Vista [desktop apps only]
Minimum supported server None supportedzwass
04/13/2020, 4:52 PM
Not certain that is the correct way to interpret those docs though
m
Mike Myers
04/14/2020, 5:13 PMFWIW, Trail of Bits has an extension with a table for both reading and modifying the firewall rules (including on Windows). https://github.com/trailofbits/osquery-extensions/tree/master/fwctl
j
john
04/15/2020, 1:38 AMYeah, I’ve checked that out as well, but I’d have to do a whole lot of customisation work to get that in to kolide fleet + launcher as far as I can see, and I’m not proficient enough at go and c++ do make it happen. https://osquery.slack.com/archives/C1XCLA5DZ/p1586534103141000
john
04/15/2020, 1:40 AMI’m testing a company-wide rollout of device policy auditing using osquery and open policy agent, so far so good, but to get things like ‘local firewall has to be turned on’ as a policy on mac, windows and linux is a bit of a beast; macOS ALF is easy enough, iptables/nftables/firewall-cmd is not super hard, but windows is somewhat finnicky, especially VMs using windows server images (like all the VDI and cloud stuff)
john
04/15/2020, 1:40 AMI guess the security products API is either part of the desktop experience, or explicitly unavailable on server to enforce ‘server-compatible’ protection software
f
fritz
04/15/2020, 3:58 PM@john If all other roads lead to failure, you can dive down the rabbit-hole of the
registryservicesf
farfella
04/20/2020, 1:41 AM@john, can you do me a favor when you get a chance and check if you have the file
wscapi.dllc:\windows\system32j
john
04/20/2020, 9:30 AM@farfella doesn’t seem to be there
f
farfella
04/20/2020, 2:22 PMThanks for confirming my suspicions. Yes, 2019 (and other server) editions do not have “windows security center” api (as per docs @zwass linked to and this check that wscapi.dll itself is missing). I think querying that table should return an error to users indicating that wsc is missing in their edition/version of windows
j
john
04/20/2020, 3:52 PMI’ve checked if it’s part of their ‘desktop exeperience’ feature but 2019 no longer makes that an installation option, they only have ‘server core’ and ‘server desktop’; strangely, the security status is visible in the new control panel so perhaps they are using an internal API for that
f
farfella
04/20/2020, 5:58 PMYeah, I suspect copying the wscapi.dll file over to the system will cause the output to work, but it’s legally gray. :-/
j
john
04/24/2020, 3:43 PMI had to do some stuff in the meantime but I’m actually going to test this, I’ll report back any findings
john
04/26/2020, 2:19 PMso far, most versions of the dll I have or could find simply crash during load
john
04/26/2020, 2:19 PMthe rest just doesn’t load at all
f
farfella
04/26/2020, 3:29 PMGot it. Thanks @john . Guess there are additional libraries wscapi depends on which do not exist in the server versions. :-/
j
john
04/26/2020, 3:39 PMas far as I can see it doesn’t segfault but crashes for some other reason; looking at the libraries it links to, they seem to exist..
john
04/26/2020, 3:40 PMI imagine Microsoft doing market segmentation or licensing stuff and simply administratively not allowing this and making sure it doesn’t work
f
farfella
04/26/2020, 3:40 PMYeah...
3 Views