I m looking for a way to find out if windows defender is up

Question

I m looking for a way to find out if windows defender is up to date and the local firewall is enabled but most of the paths so far lead me to just checking for registry keys which doesn t really reflect if the systems are actually working

sundsta · Answer

`select from windows security products`

sundsta · Answer

See <https osquery io schema 4 2 0 windows security products>

john · Answer

shows no results for advfirewall defender or the older ms endpoint security disappointed

john · Answer

firewall example

john · Answer

but I know it should looking at the PR where that table was added so maybe i m running in to an issue with this specific system

defensivedepth · Answer

< zwass> This table gets the data from a low level api correct

fritz · Answer

< john> I imagine your command prompt is running at the admin level for the osqueryi session is that correct

fritz · Answer

< terracatta> also wrote a windows security center table which should be included in the next release you could try building osquery from master and testing that table

john · Answer

< fritz> yes that is correct also Admin the instance is also connected to fleet and running the query there gets 0 rows back as well

john · Answer

other queries do return data I also opened an issue on gh

john · Answer

sundsta · Answer

I haven t tested it on server OS myself only Win 10 desktop It works fine there

zwass · Answer

Yeah the data is pulled from the windows security center API <https github com osquery osquery blob master osquery tables system windows windows security products cpp>

zwass · Answer

Oh interesting looks like the API just may not be available on server <https docs microsoft com en us windows win32 api wscapi ne wscapi wsc security provider>

zwass · Answer

```Minimum supported client Windows Vista desktop apps only Minimum supported server None supported```

zwass · Answer

Not certain that is the correct way to interpret those docs though

Mike Myers · Answer

FWIW Trail of Bits has an extension with a table for both reading and modifying the firewall rules including on Windows <https github com trailofbits osquery extensions tree master fwctl>

john · Answer

Yeah I ve checked that out as well but I d have to do a whole lot of customisation work to get that in to kolide fleet + launcher as far as I can see and I m not proficient enough at go and c++ do make it happen <https osquery slack com archives C1XCLA5DZ p1586534103141000>

john · Answer

I m testing a company wide rollout of device policy auditing using osquery and open policy agent so far so good but to get things like local firewall has to be turned on as a policy on mac windows and linux is a bit of a beast macOS ALF is easy enough iptables nftables firewall cmd is not super hard but windows is somewhat finnicky especially VMs using windows server images like all the VDI and cloud stuff

john · Answer

I guess the security products API is either part of the desktop experience or explicitly unavailable on server to enforce server compatible protection software

fritz · Answer

< john> If all other roads lead to failure you can dive down the rabbit hole of the `registry` table and also confirm services are running with the `services` table

farfella · Answer

< john> can you do me a favor when you get a chance and check if you have the file `wscapi dll` under `c windows system32` on the 2019 server you are trying this out on

john · Answer

< farfella> doesn t seem to be there

farfella · Answer

Thanks for confirming my suspicions Yes 2019 and other server editions do not have windows security center api as per docs < zwass> linked to and this check that wscapi dll itself is missing I think querying that table should return an error to users indicating that wsc is missing in their edition version of windows

john · Answer

I ve checked if it s part of their desktop exeperience feature but 2019 no longer makes that an installation option they only have server core and server desktop strangely the security status is visible in the new control panel so perhaps they are using an internal API for that

farfella · Answer

Yeah I suspect copying the wscapi dll file over to the system will cause the output to work but it s legally gray

john · Answer

I had to do some stuff in the meantime but I m actually going to test this I ll report back any findings

john · Answer

so far most versions of the dll I have or could find simply crash during load

john · Answer

the rest just doesn t load at all

farfella · Answer

Got it Thanks < john> Guess there are additional libraries wscapi depends on which do not exist in the server versions

john · Answer

as far as I can see it doesn t segfault but crashes for some other reason looking at the libraries it links to they seem to exist

john · Answer

I imagine Microsoft doing market segmentation or licensing stuff and simply administratively not allowing this and making sure it doesn t work

farfella · Answer

Yeah