Reporting Group

  • 1.  Help creating report or filter for vulnerable Webex IE ActiveX plugin (via CLSID)

    Trusted Advisor
    Posted Mar 21, 2017 10:47 AM

    Here's a link describing the vulnerability 

    How can I use CMS to identify hosts that contain the plugin?

    "The Cisco WebEx ActiveX Plugin for Microsoft Internet Explorer Class ID (CLSID), which organizations can use to identify hosts that contain the plugin, is the following:

    E06E2E99-0AA1-11D4-ABA6-0060082AA75C"

    Thanks in advance.



  • 2.  RE: Help creating report or filter for vulnerable Webex IE ActiveX plugin (via CLSID)

    Trusted Advisor
    Posted Mar 21, 2017 12:12 PM

    Hi Sally,

    You could use the below link to create a custom inventory task and create reporting for this; all of this detail is in:

    https://support.symantec.com/en_US/article.HOWTO124425.html

    Doing a search for that CLSID, there are a few locations where that key can be found:

    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-webex-plugin
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-webex-plugin

    Or possibly the below, but I'm unsure if this is a good location to get this from:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GpcContainer.GpcContainer\CLSID

    Hopefully that helps, let me know if you need anything else.

    Thanks



  • 3.  RE: Help creating report or filter for vulnerable Webex IE ActiveX plugin (via CLSID)

    Trusted Advisor
    Posted Mar 22, 2017 08:19 AM

    Is there any way to pull the version of the plugin, though?  If I know a few hundred machines have the webex plugin, it doesn't seem very helpful in this case versus knowing if they're updated or not.

    Edit: even if you remove the plugin, it looks like those keys stay in place.  What a pain.  Wish it would just auto update like it's supposed to.



  • 4.  RE: Help creating report or filter for vulnerable Webex IE ActiveX plugin (via CLSID)

    Trusted Advisor
    Posted Mar 22, 2017 09:55 AM

    New question - is there a similar walkthrough for using CMS to report on version of a .dll?  I think that will give me what I need versus the CLSID above.

    For example - below from my security report.

    One or more users have a vulnerable version of the Cisco WebEx Extension for Internet Explorer installed: 
    
      Installed version : 10031.0.2016.0511
      Fixed Version     : 10031.6.2017.0126
      Path              : C:\Windows\Downloaded Program Files\ieatgpc.dll


  • 5.  RE: Help creating report or filter for vulnerable Webex IE ActiveX plugin (via CLSID)

    Posted Mar 22, 2017 10:03 AM

    You need to look for ieatgpc.dll in C:\Users\Andy\AppData\LocalLow\WebEx and/or C:\ProgramData\WebEx (on my PC this was an older version). Inventory for this and the version of this file is the version of the plug-in.



  • 6.  RE: Help creating report or filter for vulnerable Webex IE ActiveX plugin (via CLSID)

    Trusted Advisor
    Posted Mar 22, 2017 10:28 AM

    Thanks.  I'll add those locations to my list.  My security scan picked up on this path C:\Windows\Downloaded Program Files\ieatgpc.dll.  Now to try to figure out how to report on DLLs... I wish reporting was easier in CMS.  For a vulnerability as well publicized as this, Symantec would be well served to write up a how-to on how to report on it with their product.



  • 7.  RE: Help creating report or filter for vulnerable Webex IE ActiveX plugin (via CLSID)

    Posted Mar 23, 2017 12:40 PM

    You can add DLLs to the Software Inventory, only EXEs are inventoried by default. But just adding them to the default policy can result in a lot of extra data. I'd clone the default Full Inventory Policy, add DLLs (Advanced > File Properties Scan Settings tab > Files tab > Include Rule > choose "FileName equals *.dll" and "FileName contains .dll") and remove all the other entries. Under the "Folders" tab just choose "C:\windows\downloaded program files", "C:\ProgramData\WebEx" and maybe "C:\users".

    You might need a bit of trial and error to see how exclusions and exclusions work together in that section, you want to avoid being swamped with DLL inventory data. Some more detail here:

    http://www.symantec.com/docs/HOWTO84131



  • 8.  RE: Help creating report or filter for vulnerable Webex IE ActiveX plugin (via CLSID)
    Best Answer

    Trusted Advisor
    Posted Apr 04, 2017 09:27 AM

    Support helped me work through this.  There may be a better way to do it, but if anyone is interested, I wrote it up as an article here
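
Added example, not part of any post in this thread and not Symantec or Cisco code: a PowerShell check that looks for ieatgpc.dll in the folders named in the thread and compares each file version with the fixed version quoted from the security report. Using environment variables and enumerating every profile under Users generalizes the literal paths in the posts; the output column names and status strings are assumptions.

```powershell
# Added example (not from the thread). Fixed version and folders are the ones
# quoted in the posts; everything else is an assumption for illustration.
$FixedVersion = [version]'10031.6.2017.0126'

# Machine-wide locations mentioned in the thread
$SearchRoots = @(
    (Join-Path $env:windir 'Downloaded Program Files'),
    (Join-Path $env:ProgramData 'WebEx')
)

# Per-user location (AppData\LocalLow\WebEx) for every profile on the host
$SearchRoots += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\LocalLow\WebEx' }

$results = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Filter 'ieatgpc.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Build the version from the numeric parts of the file's version
            # resource so the comparison is numeric, not a string compare.
            $vi  = $_.VersionInfo
            $ver = New-Object System.Version -ArgumentList `
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

            $status = 'At or above fixed version'
            if ($ver -lt $FixedVersion) { $status = 'Below fixed version' }

            New-Object psobject -Property @{
                Computer = $env:COMPUTERNAME
                Path     = $_.FullName
                Version  = $ver.ToString()
                Status   = $status
            }
        }
}

if ($results) {
    $results | Sort-Object Path | Select-Object Computer, Path, Version, Status | Format-Table -AutoSize
} else {
    Write-Output "$env:COMPUTERNAME: ieatgpc.dll not found in the searched folders"
}
```

Run it elevated so other users' profile folders are readable. Because it reads the DLL itself, it does not depend on the registry keys that post 3 notes remain after the plugin is removed.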