Extra dat – how to auto/schedule push to clients

https://community.mcafee.com/thread/109899?start=0&tstart=0


Hello,

I’ve installed the Extra.DAT for the Petya ransomware that is on the internet at the moment. I normally have to highlight all the PCs in ePO > Update > choose the DAT file and push.

How do I get this pushed automatically when the agent checks in? The normal SDAT does get pushed automatically when a new SDAT comes into the ePolicy server, though.

  • Hello,


    This sounds like what I need. I found these instructions, but set the run immediately with a randomisation of 15 mins as we have 500 PCs. Does it look good?


    First, under Menu –> Policy –> Client Task Catalog, Hit the ‘New Task’ button at the bottom of the page. Select ‘Product Update’ and hit ‘OK’. Name your new task (I chose Deploy Extra.DAT). See the attached picture for settings. Then save.

    Next, go to ‘System Tree’, and choose ‘Assigned Client Tasks’ at the top of the page. Click ‘Actions’ at the bottom of the page, and choose ‘New Client Task Assignment’. Choose ‘McAfee Agent’ in the first column, ‘Product Update’ in the second, and your new task (Deploy Extra.DAT) in the third, then click ‘Next’. Set Schedule Type to ‘Run Immediately’, and if you have many systems, you’ll want to check ‘Enable Randomization’ and set the interval over which you want ePO to spread out the deployment (keeps you from flooding your network). Click ‘Save’.

  • It is good to set randomization. I had over 1700 systems and set mine to 10 minutes. I did perform a wakeup call to groups of 200 systems at a time. Didn’t notice any real slow down on my ePO server when deploying the extra.dat. Managed to get it out to 1700 systems within about 45 minutes. What you are doing looks good.

  • How can I tell it has been installed on the client machines without visiting them? For example, I can see my laptop has the Extra.DAT, but where might this show via the ePO server?

  • What I did was to create a query that lists the extra.dat and called it “find Ransomware extradat”. Below are some screen captures.


    When run, it will list whether the system got the ransomware Extra.DAT, as shown below:


Delegating the permission to generate Group Policy Results of Computer Configuration for domain users

By default, domain users cannot generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration due to insufficient permissions. Only users with local administrator rights on the target computer can remotely access Group Policy Results data.
[Figure 1: Gpresult of a domain user]
[Figure 2: The warning of “Resultant Set of Policy”]
[Figure 3: “Resultant Set of Policy” is being processed]
[Figure 4: The result of “Resultant Set of Policy”]
To allow domain users to generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration, we can delegate the permission to domain users by using GPMC. The permission can be assigned at the domain or organizational unit level.
Remark: To delegate the permission, make sure the forest functional level of the domain environment is Windows Server 2003 or later.
Goals
Allow the domain user, Terry, to read the “Group Policy Results” of Computer Configuration in the “Win7 Workstations” OU.
Lab environment
  • 1 domain controller named DC02 running Windows Server 2008
  • 1 workstation named W701 running Windows 7, located under the Win7 Workstations OU
  • 1 server named FS01 running Windows Server 2008 R2, located under the Computers container
  • 1 domain user account named Terry
1. On DC02, log in as Domain Administrator.
2. Launch “Group Policy Management Console”.
3. Expand “Forest > Domains > Domain Name > Win7 Workstations”.
4. Select the “Delegation” tab.
5. Next to “Permission”, select “Read Group Policy Results data”.
6. Click “Add”.
7. In the “Select User, Computer, or Group” window, enter “Terry”.
8. In the “Add Group or User” window, next to “Permissions”, select “This container and all child containers”.
Remark: Any child OU of “Win7 Workstations” will inherit the permission because “This container and all child containers” is selected.
9. Click “OK”.
10. Click “Advanced”.
11. Next to “Security”, select “Terry”.
The “Generate resultant set of policy” permission is granted to Terry.
12. Click “Cancel”.
Now Terry can generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration on workstations located under the “Win7 Workstations” OU.
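The same delegation can be applied and verified from PowerShell instead of clicking through GPMC. This is an added example, not from the original article; it assumes the RSAT ActiveDirectory module is installed and that the OU distinguished name and account name are placeholders for your own environment. The GPMC option “Read Group Policy Results data” corresponds to the AD extended right “Generate Resultant Set of Policy (Logging)”, which the script looks up by name rather than hard-coding its GUID.

```powershell
# Added example (not the article's own code): delegate "Read Group Policy
# Results data" on an OU, scoped to "This container and all child containers".
# $ouDN and $samAccount are placeholders; replace with your own values.
Import-Module ActiveDirectory

$ouDN       = 'OU=Win7 Workstations,DC=example,DC=com'   # placeholder OU
$samAccount = 'Terry'                                     # placeholder user

# Resolve the extended right from the Configuration partition by display name.
# (Expected rightsGuid for Generate-RSoP-Logging: b7b1b3de-ab09-4242-9e30-9980e5d322f7)
$configNC = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
            -Filter { displayName -eq 'Generate Resultant Set of Policy (Logging)' } `
            -Properties rightsGuid
$rightGuid = [Guid]$right.rightsGuid

$sid = (Get-ADUser -Identity $samAccount).SID

# InheritanceType All = "This container and all child containers" in GPMC.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: the new ACE should appear on the OU with the RSoP logging right only,
# which is what step 11 ("Advanced" > "Security") shows in the GUI.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.ObjectType -eq $rightGuid -and $_.IdentityReference -like "*\$samAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType
```

Because the ACE is placed on the OU and not at the domain level, the test on FS01 below still fails for Terry, exactly as the article's test result describes.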
Test result
1. On W701, log in as Terry.
2. Launch “Command Prompt”.
3. Run “gpresult /r”.
The “Group Policy Results” of Computer Configuration can be generated by Terry.
4. Run “rsop.msc”.
While the “Resultant Set of Policy” is being processed, there is no warning message. Terry can generate the “Resultant Set of Policy” of Computer Configuration.
5. Log out of W701.
6. On FS01, log in as Terry.
7. Launch “Command Prompt”.
8. Run “gpresult /r”.
9. Run “rsop.msc”.
Because the “Generate resultant set of policy” permission isn’t granted at the domain level, Terry cannot generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration on FS01.
For more information:
Delegation and policy-related permissions

AUTOMATIC UPDATES CLIENT COMMAND LINE PARAMETERS

Parameter                 | Explanation
--------------------------|------------------------------------------------------------
/detectnow                | Run a detection cycle
/a /resetauthorization    | Resets the WSUS cookie. (If used together with /detectnow, /resetauthorization must be entered before /detectnow.)
/r /ReportNow             | Sends all queued reporting events to the server asynchronously.
/RunHandlerComServer      |
/RunStoreAsComServer      |
/ShowSettingsDialog       | Display the Windows Update settings dialogue
/ResetEulas               |
/ShowWU                   | Open the Windows Update Control Panel applet
/ShowWindowsUpdate        | Open the Windows Update Control Panel applet
/SelfUpdateManaged        |
/SelfUpdateUnmanaged      |
/UpdateNow                |
/ShowWUAutoScan           | Open the Windows Update Control Panel applet and scan for updates
/ShowFeaturedUpdates      | Opens the Featured Updates list
/ShowOptions              | Opens the Windows Update Settings window
/ShowFeaturedOptInDialog  | Opens the opt-in dialogue for Featured Updates
/DemoUI                   | Display the Windows Update notification in the tray

More info:

One thing to be aware of when it comes to wuauclt.exe is that it has no desire or need whatsoever to inform you whether any of the parameters you submitted actually worked, or were even valid. No matter what you supply as a parameter to wuauclt.exe, you will get absolutely nothing back.
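Since wuauclt.exe returns nothing, a practical check is to read the Automatic Updates client's own record of its last successful search before and after the call and wait for it to advance. This is an added example, not from the original page; it assumes a WUA-era client (Windows 7 / Server 2008 R2) where wuauclt honours these switches, and the ten-minute timeout is an arbitrary choice.

```powershell
# Added example (not from the original page): confirm that "wuauclt
# /resetauthorization /detectnow" really triggered a detection cycle by
# watching LastSearchSuccessDate on the Microsoft.Update.AutoUpdate COM object.
$au     = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$before = $au.Results.LastSearchSuccessDate
Write-Host "Last successful search before: $before"

# Order matters: /resetauthorization must precede /detectnow.
Start-Process -FilePath "$env:windir\system32\wuauclt.exe" `
              -ArgumentList '/resetauthorization', '/detectnow' -Wait

# wuauclt only queues the request; poll until the client reports a newer
# successful search or the (assumed) timeout elapses.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $after = $au.Results.LastSearchSuccessDate
} until ($after -gt $before -or (Get-Date) -gt $deadline)

if ($after -gt $before) {
    Write-Host "Detection cycle completed at $after"
} else {
    # No evidence of a new search: the switch may have been ignored or the
    # client could not reach its WSUS server. WindowsUpdate.log has the detail.
    Write-Warning "No new successful search within the timeout; check WindowsUpdate.log and WSUS connectivity."
}
```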

How to Delete Driver Updates from WSUS

I ran into an issue where driver updates downloaded into a WSUS infrastructure with master/replica servers created a bit of a performance problem. Several weeks in, my WSUS replica could no longer synchronize successfully with the master. No matter what I tried, it just would not synchronize anymore. I wrote about the issue here and referred to a Microsoft blog post talking about the issue here.

I wasn’t able to find a way to “drop” driver updates from my WSUS WIDS database anywhere on the Internet and was left with the only option: reinstall both WSUS servers, then reconfigure and resynchronize everything. That looked unexciting.

I thought I could as well try to delete driver updates directly from the database. What can possibly go wrong… and even if it does, I have to reinstall anyway.

So here it goes. USE AT YOUR OWN RISK.

Preparations

If you ran WSUS defrag scripts, you already have SQL Native Client and SQL Command Line tools installed on your WSUS servers. If this is the case,

  1. Uninstall SQL Native Client
  2. Install SQL Server Management Studio (SSMS) for SQL Server 2008 R2 Express SP2

If you do not have SQL Native Client installed on the WSUS servers, just go ahead and install SSMS. SSMS will fail to install if you already have Native Client.

The following steps need to be executed once on each WSUS server in your environment.

Connecting to WSUS WIDS Database

Open SSMS and connect to the following SQL instance:

np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

If you get a security/access rights error, close SSMS, restart it using elevated context (right-click, run as administrator). This will get your SQL Server Management Studio connected to the WIDS database. If your database is not hosted in WIDS, chances are you are not experiencing the timeout errors anyway and don’t need to do this, but if you are doing it anyway then connect to your named or default SQL instance as appropriate.

Determine GUID of the Driver Update Type

Open a new query window and run the following two queries:

-- Switch to the WSUS database, then look up the GUID of the 'Driver' update type
USE SUSDB
GO
SELECT UpdateTypeID FROM tbUpdateType WHERE Name = 'Driver'
GO

This query gives you the GUID that you will need to substitute in all subsequent queries (if the GUID you get is not the same as what I have in subsequent statements). In my case, it is D2CB599A-FA9F-4AE9-B346-94AD54EE0629. I saw this GUID in several WSUS databases so I think it does not change – at least not between WSUS 3.0 SP2 servers.

Delete Drivers from Tables with Foreign Key Constraints

The bad news is that the WSUS database has over 100 tables. The good news is that SQL enforces referential integrity in the data model, which in this case can be used to essentially reverse engineer a procedure that, as far as I know, isn’t documented anywhere.

The trick is to delete all driver-type records from the tbUpdate table, but FIRST we have to delete all records in all other tables (revisions, languages, dependencies, files, reports…) which refer to driver rows in tbUpdate. Here’s how this is done, in 16 tables/queries. I recommend running each query separately.

delete from tbrevisionlanguage where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629')) 
delete from tbProperty where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbLocalizedPropertyForRevision where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbFileForRevision where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbInstalledUpdateSufficientForPrerequisite where prerequisiteid in (select Prerequisiteid from tbPreRequisite where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629')))
delete from tbPreRequisite where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbDeployment where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbXml where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbPreComputedLocalizedProperty where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbDriver where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbFlattenedRevisionInCategory where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbRevisionInCategory where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbMoreInfoURLForRevision where revisionid in (select revisionid from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'))
delete from tbRevision where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629')
delete from tbUpdateSummaryForAllComputers where LocalUpdateId in (select LocalUpdateId from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629')

The last query is really what we came here for:

delete from tbUpdate where UpdateTypeID = 'D2CB599A-FA9F-4AE9-B346-94AD54EE0629'

If at this point you get an error about a foreign key constraint, that will most likely be due to the difference between which reports I ran in my WSUS installation and which reports were run against your particular installation. Fortunately, the error gives you the exact location (table) where the constraint is violated, so you can add one more query to the batch above to delete the references in that table.

These 16 queries, in my case, dropped a total of 1,381,184 rows from each SUSDB database (each WSUS server has its own, obviously). Don’t forget to do this on all WSUS servers.

Verify Functionality and Try to Synchronize WSUS Hierarchy

This should be pretty straightforward and self-explanatory. You will want to make sure that your WSUS systems are functioning as expected before declaring victory.

  1. Run index defrags on all WSUS databases (see articles cited at the top)
  2. Restart WSUS console and look for Driver updates (you should not see any)
  3. Click around in WSUS console and look for any weirdness
  4. Run WSUS Cleanup Wizard from bottom to top of your WSUS infrastructure
  5. Synchronize Master WSUS server with Microsoft
  6. Now try to synchronize Replica WSUS servers with the Master

If all is well so far, it’s looking good but there’s more.

  1. Look for any Needed and Unapproved patches, and Approve them
  2. Run wuauclt /detectnow on one or two of the servers
  3. Servers should pick up updates; install them and reboot if necessary
  4. Run wuauclt /reportnow and ensure that reports are submitted/accepted by replica WSUS
  5. Synchronize replica WSUS server with the master once more and confirm that reports are rolling up from replica to master

 

A PowerShell Afterthought

Similar functionality can also be achieved through the WSUS API, implemented in the Microsoft.UpdateServices.Administration assembly (in C:\Program Files\Update Services\Api, by default). If you use PowerShell, deleting declined updates using this assembly might look something like this:

# Load the WSUS administration assembly and connect to the local update server
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
# Delete every update that has already been declined, reporting each title as it goes
$wsus.GetUpdates() | Where-Object { $_.IsDeclined -eq $true } | ForEach-Object { $wsus.DeleteUpdate($_.Id.UpdateId.ToString()); Write-Host "$($_.Title) removed" }

This runs quite well, and does the job described earlier in the SQL scripts, perhaps more elegantly and quite possibly in a more supported way; that said, deleting updates through the API is a very slow process. The rate I was seeing was around 180 updates an hour. So if your system stopped synchronizing because its declined update count crossed into 1000+ territory, don’t expect this PowerShell shortcut to be a quick fix. The SQL scripts do the job many times quicker.
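The API route can also target the same driver updates the SQL batch removes, with a dry run first so the operator sees the counts before anything irreversible happens. This is an added example, not the article's own script; it selects updates by classification title ('Drivers') rather than by the database GUID, and the -Delete switch name and the decline-before-delete step are my additions.

```powershell
# Added example (not the article's script): API-based counterpart of the SQL
# driver purge. Without -Delete it only reports what it would remove.
param([switch]$Delete)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Select by classification so no database-specific UpdateTypeID is hard-coded.
$drivers  = @($wsus.GetUpdates() | Where-Object { $_.UpdateClassificationTitle -eq 'Drivers' })
$approved = @($drivers | Where-Object { $_.IsApproved }).Count
$declined = @($drivers | Where-Object { $_.IsDeclined }).Count
Write-Host ("Driver updates: {0} total, {1} approved, {2} declined" -f $drivers.Count, $approved, $declined)

if (-not $Delete) {
    Write-Host 'Dry run only. Re-run with -Delete to remove these updates (irreversible).'
    return
}

$removed = 0
foreach ($u in $drivers) {
    # Decline first so no approved update is deleted out from under clients;
    # the article's own script only ever deletes already-declined updates.
    if (-not $u.IsDeclined) { $u.Decline() }
    $wsus.DeleteUpdate($u.Id.UpdateId)
    $removed++
    # Progress marker: the API path is slow (the article saw ~180 updates/hour).
    if ($removed % 100 -eq 0) { Write-Host "$removed removed so far..." }
}
Write-Host "$removed driver updates removed; run the cleanup and synchronization checks above."
```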

Probably the best way to deal with this issue is to set up this PowerShell script to run nightly, along with database index defrags. See the Downloads page for the scripts I use.