Reporting Group

I'm working on trying to gather reporting data to see which of our machines are vulnerable to the recent Intel Vulnerability.

I haven't done much with custom inventory, but I did create the class with the columns I want to collect based on the registry output from the Intel Vuln scanner. 

Anyone have an example of a script I could use to gather multiple registry keys into the new custom data class (some are in different subkeys if that matters)?

I am trying to follow this example & starting with just one registry key to start (before tackling how to get multiple keys).

I'm uncommenting out MsgBox nse.Xml for troubleshooting, but I keep getting error about invalid type for data field on the "objDataRow.SetField 0, ComputerModel" line.

I'm sure I'm missing something obvious.

'Pick the appropriate WMI registry hive code and comment the line you don’t use

Const HKEY_LOCAL_MACHINE = &H80000002

'Another example: Const HKEY_LOCAL_MACHINE = &H80000002

Set wshShell = WScript.CreateObject( "WScript.Shell" )

ComputerName = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )

 

set nse = WScript.CreateObject ("Altiris.AeXNSEvent")

nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}" 'Do not modify this GUID

nse.Priority = 1

dim objDCInstance

set objDCInstance = nse.AddDataClass ("IntelSA00086") 'Your Data Class Here

set objDataClass = nse.AddDataBlock (objDCInstance)

 

KeyPath = "SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\Hardware Inventory" 'Your Registry Key Path Here

ValueName = "Computer Model" 'Your Registy Entry Here


Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

 

'Use the HKEY constant defined earlier and use the oReg function appropriate to the type of data in the registry entry

error_returned = oReg.GetStringValue(HKEY_LOCAL_MACHINE,KeyPath,ValueName,Value)

'Another example: error_returned = oReg.GetStringValue(HKEY_LOCAL_MACHINE,KeyPath,ValueName,Value)

if error_returned <> 0 then Value = "Does Not Exist" end if

 

set objDataRow = objDataClass.AddRow

objDataRow.SetField 0, ComputerModel
'objDataRow.SetField 1, MEVersion
'objDataRow.SetField 2, SystemRisk

'If your data class has more than one attribute add a line for each

'objDataRow.SetField 1, Value2

'nse.Send

'Uncomment the line below for testing purposes

MsgBox nse.Xml

Changing that line to objDataRow.SetField 0, Value got it working.

I'm going to work on writing up my whole procedure for this vulnerability in case others are interested.  I'll link it here when it's complete.

This is what I did for this, based on the standard template for custom inventory. If I recall the INTEL-SA-00075-console.exe command creates the registry entries which can then be collected:

const HKLM = &H80000002
strComputer = "."
strKeyPath = "SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information"

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

strCommand = "INTEL-SA-00075-console.exe -c"
execCommand strCommand

'===================================================================================================================

'Create instance of Altiris NSE component and set the header data of the NSE
dim nse
set nse = WScript.CreateObject ("Altiris.AeXNSEvent")

' Set the header data of the NSE
' Please don't modify this GUID
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
nse.Priority = 1

'Create Inventory data block. Here assumption is that the data class with below guid is already configured on server
'Specify either the name or the guid of the associated dataclass. The name is recommended.
dim objDCInstance
set objDCInstance = nse.AddDataClass ("AMT Version Info") ' Your dataclass here

dim objDataClass
set objDataClass = nse.AddDataBlock (objDCInstance)
'

oReg.GetStringValue HKLM,strKeyPath,"EHBCP Enabled",strEHBCP
oReg.GetStringValue HKLM,strKeyPath,"LMS State",strLMS
oReg.GetStringValue HKLM,strKeyPath,"ME Driver Installed",strMEDriver
oReg.GetStringValue HKLM,strKeyPath,"ME Provisioning State",strMEProv
oReg.GetStringValue HKLM,strKeyPath,"ME SKU",strMESKU
oReg.GetStringValue HKLM,strKeyPath,"ME Version",strMEVer
oReg.GetStringValue HKLM,strKeyPath,"Micro LMS State",strMicroLMS


 'Add a new row and set column values
        dim objDataRow
        set objDataRow = objDataClass.AddRow
        
'Set columns
objDataRow.SetField 0, strEHBCP
objDataRow.SetField 1, strLMS
objDataRow.SetField 2, strMEDriver
objDataRow.SetField 3, strMEProv
objDataRow.SetField 4, strMESKU
objDataRow.SetField 5, strMEVer
objDataRow.SetField 6, strMicroLMS
   

nse.SendQueued

' Functions
Sub execCommand(strCommand)
    Dim ws : Set ws = WScript.CreateObject("WScript.Shell")
    ws.Run strCommand,true,1
    Set WshShell = Nothing
End Sub   

Just posting the introductory KB for 'How to build custom inventories' - https://support.symantec.com/en_US/article.HOWTO10487.html (for those new SMP admins)

If anyone is interested, we deployed this Intel vulnerability scanning custom inventory using a MSD and a powershell script. Reviewing registry output wasnt feasible for us, so we took to reading the XML results file.

There's a new Intell 00086 vulnerability and the results are still in registry, but in separate subkeys. Thanks for posting this though, it's helpful

I switch to powershell for this, making it a bit less complex. This is for IE version, but can be changed to suit needs

#************************DO NOT EDIT********************************
$nse = new-object -comobject Altiris.AeXNSEvent
$nse.priority = 1
$nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}"
#************************DO NOT EDIT********************************

#Modify this varaible with the custom data class guid
$objDCInstance = $nse.AddDataClass("{Insert data class guid here}")

$objDataClass = $nse.AddDataBlock($objDCInstance)
# PowerShell script to find Reg Values for IE
$Regkey = Get-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' | Select Version, svcVersion

ForEach ($Name in $Regkey) {
#Add new row of data
$objDataRow = $objDataClass.AddRow()
$objDataRow.SetField(0, $Name.Version)
$objDataRow.SetField(1, $Name.svcVersion)
}

#Send the data
$nse.sendqueued()

So there is.

easy mod of the script to make it work - Intel using same process with exe to create registry entries which are easy to collect via vbs script and custom inventory

Here u go, as you mentioned, separete subkeys

simply add line

strCN = ws.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\Computer Name")

objDataRow.SetField 0, strCN

full code as below thread,

https://www.symantec.com/connect/forums/custom-data-class-and-scan-report-ime-critical-firmware-update-intel-sa-00086

Thanks @michael.  I wrote an article for Connect on what I ended up doing, will link it here when/if it gets approved, hopefully soon.

Here's how I ended up addressing the Intel vuln if anyone needs help and finds this post

https://www.symantec.com/connect/articles/using-cms-report-machines-vulnerable-latest-intel-vulnerability-intel-sa-00086