Contents

Introduction
Scope
Scanning the Managed Device
Create a Custom Definition to Use a Batch File
Create a Custom Definition to Change a Registry Setting
Create a Custom Definition to Use a VBScript or Custom Script
Conclusion
This document contains confidential and proprietary information of LANDesk Software, Inc. and its affiliates (collectively "LANDesk") and is provided in connection with the identified LANDesk® product(s). No part of this document may be disclosed or copied without the prior written consent of LANDesk. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in LANDesk's terms and conditions for the license of such products, LANDesk assumes no liability whatsoever. LANDesk products are not intended for use in medical, life saving, or life sustaining applications. LANDesk does not warrant that this material is error-free, and LANDesk reserves the right to update, correct, or modify this material, including any specifications and product descriptions, at any time, without notice.

Copyright © 2007, LANDesk Software Ltd. All rights reserved. LANDesk and Targeted Multicast are trademarks or registered trademarks of LANDesk Software, Ltd. and its affiliated companies in the United States and other countries. Other brands and names may be claimed as the property of others. LSI-0614 04/07 JBB/NH
Introduction

LANDesk Management Suite 9.0 introduces several changes to Security and Patch Manager. It has been split into a Security component and a Patch and Compliance component; the tool as a whole is now called Security and Compliance, and Patch and Compliance is one part of it. This document refers to the Security and Compliance window, but the procedure is the same for version 8.8 and earlier, where the tool is called Security and Patch Manager.
In Patch and Compliance, the ability to create a "user defined" vulnerability is a flexible and powerful way to implement and maintain the Management Suite environment. A custom vulnerability and its detection rules can scan managed devices for any operating system, application, single file or registry condition and treat that condition as the "vulnerability." For devices found vulnerable, the definition can then remediate by taking the configured action: deploying a patch file, replacing files on the managed device, or updating installed applications.
Scope

This document covers the best known methods for creating a custom definition in LANDesk Management Suite 9.0.
Possible Implementations

The uses of custom vulnerabilities are almost limitless. A custom definition can update any application on managed devices, or apply a single-file executable or MSI to a managed device based on detection rules defined by the LANDesk administrator.
Assumptions

This white paper assumes that the reader has the LANDesk Management Suite Core Server and clients installed, that managed devices are running the latest version of the LANDesk Management Suite Vulnerability Scanner, and that the reader has a strong understanding of how LANDesk Patch Management functions.
Creating a Custom Definition

This guide walks through creating a custom vulnerability that determines whether Symantec Antivirus is installed, and at the desired version, on all managed devices.

1. From the Management Suite Console, click Tools | Security and Compliance | Patch and Compliance.
2. From the Security and Compliance tool, click the Create Custom Definition toolbar icon (fourth button from the right on the toolbar). An editable "Vulnerability Properties" dialog opens.
   a. Vulnerability ID: Type a unique ID in the ID field. The default generated ID can be replaced with a more descriptive one.
   b. Publish Date: Defaults to the date the vulnerability is created and is not editable.
   c. Title: Type a descriptive title for the vulnerability. This is the title displayed in the vulnerabilities list.
   d. Severity: Specify a severity. This example uses "High", since every machine should have antivirus software installed; any option can be selected.
   e. Status: Specify the status of the vulnerability. Available options are Scan, Don't Scan, and Unassigned. This example uses Scan.
      Note: The status places the vulnerability in the corresponding group in the Security and Compliance tree view. If the vulnerability is to be part of the next vulnerability scan, select Scan, or move it to the Scan group after it is created.
   f. Language: Automatically set to INTL (International, or Language Neutral), which means the vulnerability applies to any language version of the selected operating systems and applications.
   g. Detection Rules: Lists all the rules used by this vulnerability definition. Create one or more detection rules that the Vulnerability Scanner will use to determine whether a device is vulnerable.
      Note: For this custom vulnerability, the condition to scan for is the presence and version of an application, in this case the Symantec Antivirus client on managed devices. The simplest approach is a detection rule that checks a representative Symantec client file for being absent or below the required version.
Creating a Custom Detection Rule

The detection rule below scans for Symantec Antivirus being installed at the desired version, and remediates by installing or updating it.

A detection rule has two sections. The first is the detection logic that determines whether the managed node is vulnerable. The second is the repair, and its logic can also be set up to determine whether the fix has already been applied. The first steps cover the logic that determines whether a managed device is vulnerable.
Detection

1. From the Vulnerability Properties window, click the Add button under Detection Rules. This opens the "Properties for Rule 1" window.
   a. Affected Platforms: The operating systems selected here limit which operating systems will scan for this definition. Select every operating system that needs to be scanned; more than one can be selected. A client whose operating system is not selected will never be found vulnerable for this definition. This is also useful when the install files differ between operating system versions.
   b. Affected Products: Optional. Names a specific application that must be present before detection begins; click Edit and choose the product. For detection to occur, the products in the Affected Products list must be installed on the client. In this example it is left blank, because Symantec products are not currently in the list.
   c. Files: Populate this section to detect a vulnerability based on a file or MSI. The Vulnerability Scanner uses these entries to determine whether the install is at the desired level, or installed at all.
   d. Registry Settings: Populate this section to detect a vulnerability based on a registry setting. All fields must be completed for this option to work, and the key, value name and data should be read from a client to ensure they are accurate. Registry settings are not used in this example.
   e. Custom Script: Use this section to run VBScript for advanced detection logic.

   Under Files, click Add and add a file to scan for with these settings:
   i. Verify Using: "File Version" (the default).
   ii. Path: If the path is known, add it to speed up scanning. The default location for the Symantec executable is "C:\Program Files\Symantec Antivirus\VPC32.exe". If the path is not known, or is not the same on all operating systems, supply only the executable name "VPC32.exe"; when only the name is supplied, the "Search for file recursively" box must be checked. Confirm the actual location on a representative client before relying on a fixed path.
   iii. Min Version: "10.0.0.359". Anything lower than this version is considered vulnerable.
   iv. Requirement: "File Must Exist". This states that the file must be on the managed device and must be at least the Min Version. It also reports managed devices that do not have Symantec Antivirus installed as vulnerable, which is what we want here.
2. After adding the information to scan for, click Update to save the rule.
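The following PowerShell script is an added example; it is not part of the original document and is not LANDesk's own tooling. It reproduces the rule above on a client (File Must Exist, Min Version, and the optional recursive search) so the rule's inputs can be verified before the definition is saved: a missing file and a version below the minimum both come back as vulnerable. It assumes Windows PowerShell 3.0 or later. The file name, minimum version and default path are taken from the steps above; the search roots under Program Files are an assumption about where the recursive search should look.

```powershell
# Added example (not LANDesk code): evaluate a "File Must Exist" + Min Version
# detection rule locally, the way the Vulnerability Scanner will evaluate it.
function Test-FileVersionRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]  $FileName,     # e.g. VPC32.exe
        [Parameter(Mandatory = $true)] [version] $MinVersion,   # e.g. 10.0.0.359
        [string]   $Path,                                       # full path if known
        # Roots for "Search for file recursively" (assumed; adjust to your clients)
        [string[]] $SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    # Locate candidates: the exact path when one is given, otherwise a recursive search
    $candidates = @()
    if ($Path) {
        if (Test-Path -LiteralPath $Path -PathType Leaf) { $candidates += Get-Item -LiteralPath $Path }
    } else {
        foreach ($root in $SearchRoot) {
            if ($root -and (Test-Path -LiteralPath $root)) {
                $candidates += Get-ChildItem -LiteralPath $root -Recurse -Filter $FileName -File -ErrorAction SilentlyContinue
            }
        }
    }

    # "File Must Exist": no file at all is itself the vulnerable state
    if ($candidates.Count -eq 0) {
        return [pscustomobject]@{ Vulnerable = $true; Found = $null; Version = $null; Reason = "$FileName not found" }
    }

    $results = foreach ($f in $candidates) {
        # Build a System.Version from the four numeric parts; comparing the
        # FileVersion string would sort "9.0.0.1000" above "10.0.0.359"
        $vi  = $f.VersionInfo
        $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $vulnerable = $ver -lt $MinVersion
        if ($vulnerable) { $reason = "$ver is below the minimum $MinVersion" } else { $reason = "meets the minimum $MinVersion" }
        [pscustomobject]@{ Vulnerable = $vulnerable; Found = $f.FullName; Version = $ver; Reason = $reason }
    }

    # With several copies on disk, the oldest one decides the outcome
    $results | Sort-Object Version | Select-Object -First 1
}

# Usage: the same inputs as the detection rule above, with and without a fixed path
Test-FileVersionRule -FileName 'VPC32.exe' -MinVersion '10.0.0.359' | Format-List
Test-FileVersionRule -FileName 'VPC32.exe' -MinVersion '10.0.0.359' -Path 'C:\Program Files\Symantec Antivirus\VPC32.exe' | Format-List
```

Run it on a device known to be up to date and on one known to be out of date (or with no client at all) and compare the Vulnerable field with what the scanner reports after the definition is in the Scan group; a disagreement usually means the path or the version number in the rule does not match what is actually on the client.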
Remediation

This section covers remediation of the vulnerability. The example installs the desired version of the antivirus software on any device found vulnerable.

To remediate, compress the install files and place the archive in the patch directory (default location %ProgramFiles%\LANDesk\ManagementSuite\LDlogon\patch on the core server).

1. Patch Information: The Patch Information item in the tree view tells the definition whether the issue is repairable or detection only.
   a. From the first drop-down menu select "Repairing this issue requires downloading a patch."
   b. Patch URL: Left blank in this example, because the files are already downloaded and placed in the patch directory. For other definitions a URL can be supplied from which the patch file is downloaded.
   c. Auto-Downloadable: Tells the content download tool whether it should download the file. Leave this at "No" for this example; the file is copied to the patch directory manually.
   d. Unique Filename: Type the name of the compressed file in the patch directory that contains the client installation.
   e. Generate MD5 Hash button: Records a hash of the file in the patch directory so that the copy a client receives can be checked against the original. If the file in the patch directory is ever changed, the hash must be regenerated. Because the hash is taken from whatever is in the patch directory at that moment, verify the installer against the vendor's published hash or signature before clicking Generate MD5 Hash: the hash proves the client got the file you hashed, not that the file is genuine. Once the Unique Filename is entered, click Generate MD5 Hash.
   f. Repair Information: Informational only; it appears in the property fields for this custom definition. Set Requires Reboot to No and Silent Install to Yes.
2. Detecting the Patch: Determines whether the patch has been installed. The same information is entered here as for detecting whether the machine is vulnerable.
   a. Files: If a file is used in the detection logic, enter the same information as under Files in the Detection Logic section.
   b. Registry Settings: If a registry setting is used, enter the same information as under Registry Settings in the Detection Logic section.

Once the patch information is set, the commands that install the program are entered in the Patch Installation and Removal section.

3. Patch Install Commands: Several commands are needed to install the patch once it is downloaded. Add the following:
   a. Click Add in the Commands window; the "Choose a Command Type" window appears. Select "Unzip a file" and click OK. Click Add again and choose "Execute a program". Both commands should now be listed in the Commands window.
   b. Unzip a file: Because the patch is compressed, it must be extracted before it can be executed.
      i. Highlight Unzip a file in the Commands window.
      ii. Change the dest value from the default %TempDir% to %Temp%. Because the repair runs as LocalSystem, this extracts the archive to C:\Windows\Temp. Check the permissions on that directory on your clients: a repair running as LocalSystem should not execute anything from a location that standard users can write to.
      iii. Leave the source at its default, %SDMCACHE%%PATCHFILENAME%, which is the downloaded patch file in the client's sdmcache directory.
   c. Execute a program: To take advantage of command-line options, setup is launched through the MSI rather than an .exe.
      i. Path: msiexec.exe.
      ii. Args: The switches msiexec.exe uses to install the MSI file. After %temp%, add the directory structure that the zip file extracts to; in this example the archive extracts into a SAV directory. /i gives the install path of the MSI file and /qn makes the install silent:
         /i "%temp%\sav\Symantec antivirus.msi" /qn
      iii. Timeout: leave at the default.
      iv. Wait: leave at the default.

The custom definition is now configured. Click OK on any open windows and remain at the Patch and Compliance window.
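The following PowerShell script is an added example, not part of the original document or of LANDesk's own tooling. It performs the three remediation steps above by hand on a test client (check the archive's MD5 against the hash recorded in the definition, extract it, run msiexec with /i and /qn) so the archive layout and the command line are proven before they are typed into the definition, and it reads the msiexec exit code, which the definition's "Wait" setting otherwise hides. It assumes Windows PowerShell 3.0 or later with .NET Framework 4.5; the local zip path and the expected hash are parameters you supply, and the sav\Symantec antivirus.msi layout is taken from step 3.c.ii.

```powershell
# Added example (not LANDesk code): rehearse Unzip a file + Execute a program on a
# test client and read msiexec's exit code. Save as a .ps1 and run it from an
# elevated prompt, or as LocalSystem so it matches the context the repair uses.
param(
    [string] $PatchZip    = "$env:TEMP\sav.zip",           # assumed local copy of the patch archive
    [string] $ExpectedMd5 = '',                            # hash shown in the definition (optional)
    [string] $MsiRelative = 'sav\Symantec antivirus.msi'   # layout inside the zip, from step 3.c.ii
)

function Get-Md5Hex([string] $FilePath) {
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try     { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose(); $md5.Dispose() }
}

# 1. Integrity: fail on a hash mismatch the way the client would, instead of
#    installing something other than what was hashed in the definition.
$actual = Get-Md5Hex $PatchZip
if ($ExpectedMd5 -and ($actual -ne $ExpectedMd5.ToLower())) {
    throw "MD5 mismatch for ${PatchZip}: expected $ExpectedMd5, got $actual"
}

# 2. Unzip into a fresh, randomly named directory rather than the shared %TEMP% root,
#    which reduces the chance of picking up a file another account pre-staged there
#    (still check the ACL of the extraction location on your clients).
$dest = Join-Path $env:TEMP ('sav-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dest | Out-Null
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::ExtractToDirectory($PatchZip, $dest)

# 3. Execute: the definition's arguments (/i <msi> /qn) plus a verbose log, waiting
#    for exit so the return code can be read.
$msi = Join-Path $dest $MsiRelative
if (-not (Test-Path -LiteralPath $msi)) { throw "Expected MSI not found after extraction: $msi" }
$log = Join-Path $dest 'install.log'
$p = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
        -ArgumentList @('/i', "`"$msi`"", '/qn', '/l*v', "`"$log`"") -Wait -PassThru

# msiexec exit codes: 0 = success, 3010 = success but reboot required, 1641 = reboot initiated
switch ($p.ExitCode) {
    0       { "Installed OK (log: $log)" }
    3010    { "Installed, reboot required: set Requires Reboot to Yes in the definition (log: $log)" }
    1641    { "Installer started a reboot (log: $log)" }
    default { throw "msiexec failed with exit code $($p.ExitCode); see $log" }
}
```

An exit code of 3010 on the test client means the "Requires Reboot: No" setting in step 1.f is wrong for this installer and the definition should say so; the install log is the first place to look when the definition repairs the device but the patch-detection check still reports it vulnerable.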
Scanning the Managed Device

Once the vulnerability and its detection rule are created, the managed devices must be scanned to find out which are vulnerable. This means running a Security and Compliance scan on the managed device with a Scan and Repair setting configured to scan for Custom Definitions. Setting up a Scan and Repair setting is covered in other articles and is not discussed further here. Once the vulnerability is detected, the "patch" is applied by one of the following methods:

1. Set the patch to Auto-Fix.
2. Use an Application Policy.
3. Schedule a repair task to deploy the patch.
Create a Custom Definition to Use a Batch File

The same process can be used to install software or complete a task with a batch script. No specific batch scripting examples are given here; create the batch file to perform the desired function and test it thoroughly on devices to ensure it runs as expected independent of LANDesk. LANDesk runs the script as LocalSystem, so whatever the script does, it does with full privileges on every targeted device, and the script file must be protected accordingly.

1. Create a definition as explained in the previous section.
2. In the "Properties for Rule 1" window, enter the unique file name of your batch script and click Generate MD5 Hash.
3. Under Patch Installation and Removal, click Add.
4. Select "Copy a file" from the list and enter the destination and source paths.
   a. Destination can be C:\Program Files\LANDesk\LDClient\sdmcache.
   b. Source must be a location every client can read; the patch directory can serve as this source path, so copy your .bat file there. Clients need read access only. Do not give them, or any other unprivileged account, write access to the file or its directory: anyone who can modify the script gets it executed as LocalSystem on every device the definition repairs.
5. Click Add again under Patch Install Commands and choose "Execute a Program." Keep all defaults.
6. Click OK to save the configuration, then OK again.

This produces a custom definition that runs a batch script. Scan against this vulnerability again by placing it in your Scan folder, then set up a repair task as described.
Create a Custom Definition to Change a Registry Setting

A custom definition can also edit, add or delete a registry setting. This example detects the registry setting that controls the LANDesk Remote Control security type (HKLM\SOFTWARE\Intel\LANDesk\WUSER32, value Security Type).

1. Create a new custom definition by following the example above.
2. In the Properties for Rule 1 window, go to the Detection Logic tree and select Registry Settings.
3. Click Add to add a new registry key.
4. Enter the preferred values. In this example:
   a. Key: HKLM\SOFTWARE\Intel\LANDesk\WUSER32
   b. Value name: Security Type
   c. Value Data: 9
   d. Requirement: Registry value must exist.
5. After entering the registry settings, click Update to commit the changes.
6. Choose Patch Information.
7. Change the drop-down to "This issue can be repaired without downloading a patch."
8. Choose Registry Settings under Detecting the Patch and click Add.
9. Enter the registry settings that the value will be changed to, so the definition can detect when the change has been made on the device. In this example:
   a. Key: HKLM\SOFTWARE\Intel\LANDesk\WUSER32
   b. Value name: Security Type
   c. Value Data: 0
10. Click Update.
11. Choose Patch Install Commands and click Add.
12. Choose the command type "Write a value to the registry" and click OK.
13. Enter the following command arguments:
   a. Key: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\WUSER32
   b. Type: REG_DWORD
   c. Value name and data: the same value name and data entered under Detecting the Patch (step 9), so that the write satisfies that check.
14. Click OK, then OK.

This produces a custom definition that changes a registry setting. Note that the detection entry (Security Type = 9) and the patch-detection entry (Security Type = 0) describe different states: a device whose value reads 9 is treated as vulnerable, and the repair writes the value so it reads 0. Confirm on a test device which state the scanner actually reports as vulnerable before moving the definition into the Scan group, so the repair is not applied to devices that were intended to keep their setting. Then scan against this vulnerability again by placing it in your Scan folder, and set up a repair task as described.
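The following PowerShell function is an added example, not part of the original document or of LANDesk's own tooling. It evaluates the registry rule above on a client using the page's example values (Security Type = 9 is the vulnerable state, 0 is the repaired state) and, with -Repair, performs the same REG_DWORD write as the "Write a value to the registry" command, supporting -WhatIf so the write can be rehearsed first. It assumes Windows PowerShell 3.0 or later and an elevated prompt for the write. One caveat that is an assumption about your environment, not something the page states: on 64-bit Windows a 32-bit process sees HKLM\SOFTWARE\WOW6432Node for this path, so run the check with the same bitness as the scanner.

```powershell
# Added example (not LANDesk code): evaluate the registry detection rule above on a
# client and, with -Repair, apply the same write as "Write a value to the registry".
function Test-RegistryRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string] $Key            = 'HKLM:\SOFTWARE\Intel\LANDesk\WUSER32',
        [string] $ValueName      = 'Security Type',
        [int]    $VulnerableData = 9,    # Detection Logic: this data marks the device vulnerable
        [int]    $RepairedData   = 0,    # Detecting the Patch: this data marks the repair as applied
        [switch] $Repair
    )

    # Read the current value; -ErrorAction keeps a missing key or value from throwing
    $item = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # "Registry value must exist": nothing to compare, so the rule cannot match
        return [pscustomobject]@{ Key = $Key; Value = $ValueName; Current = $null; State = 'ValueMissing' }
    }
    $current = [int]$item.$ValueName

    $state = switch ($current) {
        $VulnerableData { 'Vulnerable'; break }
        $RepairedData   { 'Repaired';   break }
        default         { 'Other' }
    }

    if ($Repair -and $state -eq 'Vulnerable') {
        if ($PSCmdlet.ShouldProcess("$Key\$ValueName", "set REG_DWORD to $RepairedData")) {
            # Same effect as the definition's "Write a value to the registry" command
            Set-ItemProperty -LiteralPath $Key -Name $ValueName -Value $RepairedData -Type DWord
            # Re-read, which is what the Detecting the Patch entry will do after the repair
            $current = [int](Get-ItemProperty -LiteralPath $Key -Name $ValueName).$ValueName
            $state = if ($current -eq $RepairedData) { 'Repaired' } else { 'RepairFailed' }
        }
    }

    [pscustomobject]@{ Key = $Key; Value = $ValueName; Current = $current; State = $state }
}

# Usage: detect only, then a dry run of the write, then the write itself
Test-RegistryRule
Test-RegistryRule -Repair -WhatIf
Test-RegistryRule -Repair
```

A result of Other means the value is neither 9 nor 0; such devices match neither the detection entry nor the patch-detection entry, so decide deliberately whether the definition should touch them before it goes into the Scan group.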
Creating a Custom Definition that Uses a Custom VBScript

Using VBScript in the detection and remediation sections of a custom vulnerability adds a great deal of versatility to LANDesk's detection and remediation features and enables complex tasks. Writing the VBScript itself is not covered here; the steps below show how to attach it to a custom definition.

1. Create a new custom definition as explained in this article.
2. In the "Properties for Rule 1" window, choose Custom Script.
3. Enter a description for your script.
4. Use the editor, or enter your script in the Script Content pane.
5. Choose Patch Install Commands, under Patch Installation & Removal.
6. Click Add and select Run script.
7. Enter your VBScript in the text box and click OK.

This produces a custom definition that runs a VBScript. Scan against this vulnerability again by placing it in your Scan folder, then set up a repair task as described.
Conclusion

There are several ways to create and use custom definitions with Patch and Compliance in LANDesk Management Suite, and they can be very helpful. This guide gives an overview of the basic functions and settings needed to create them. While LANDesk support does not assist in creating custom definitions, this information should allow you to understand the basics of doing so.

For more information on creating custom definitions, or to see examples, visit the third-party website http://www.droppedpackets.org/security/custom-defintions/