Solarwinds MSP Script Check – Spectre

Ah, Mr Bond I have been.. no that’s a different Spectre.

If you are reading this then you will know what Spectre is. It is of course a new, vulnerability announced in nearly every device on the planet. Possibly some on Mars and the ISS as well. Definitely on many you look after.

Skipping over the technical details of the problem, which are covered in far greater detail and by those with far superior expertise elsewhere, I wanted to focus on a quick check I implemented for our MSP clients.


Microsoft has determined that Third Party Anti Virus vendors must test their software, and confirm its compatibility with the patches as documented here. Once they are satisfied, it is on them to set a registry key on the client computers they protect to confirm the Spectre patch is ok to install.

For example, Sophos and Trend Micro will be testing this patch, once they are happy it is compatible they will set the registry key on your client computer.

Crucially, Client computers who do not have this key set will not receive any future security updates from Microsoft.

So it seemed to me a good idea to keep an eye on what systems have this key added and which don’t. Enter PowerShell and Solarwinds.

We can add a simple Script Check to report to the MSP Console the status of the registry key.


$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
$regVal = "cadca5fe-87d3-4b96-b7fb-a231484277cc"
try{
$regData = Get-ItemProperty $regPath -Name $regVal -ErrorAction Stop
if(($regData.$regVal) -ne 0)
{
Write-Warning "Registry Value Not set to Zero"
Exit 1001
}
else
{
Write-Output "Value Set Correctly"
Exit 0
}
}
catch
{
Write-Warning "Value Missing"
Exit 1001
}

This will report to our MSP portal any machine who has the value missing or incorrectly set.

2018-01-08_17-58-17

Of course there are many tools available already for checking your environments (the Speculation Control PowerShell Module for one) and this is by no means an attempt at a replacement, this is just a very quick addition I added to our MSP tool so we can see at a glance what is happening.

It seems Sophos started to push out the registry key on January the 5th, and Trend Micro are suggesting it may be up to us administrators to take manual action to set the registry key, this may change when they complete their testing.

If you have an AMD CPU you should review the guidance in the link below before taking any action.

More Info:

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

Leave a reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: