Collections, a Scan Profile, Reports, and a Package for this blog: https://www.pdq.com/blog/intel-sa-00086/
<?xml version="1.0" encoding="utf-8"?> | |
<AdminArsenal.Export Code="PDQInventory" Name="PDQ Inventory" Version="14.1.0.0" MinimumVersion="4.0"> | |
<Collection> | |
<ReportDefinition name="Definition"> | |
<RootFilter name="Filter"> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>Computer</Table> | |
<Column>Name</Column> | |
<Comparison>Contains</Comparison> | |
</ValueFilter> | |
</Filters> | |
</RootFilter> | |
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName> | |
<Columns type="list"> | |
<Column> | |
<Column>ComputerId</Column> | |
<Summary></Summary> | |
<Table>Computer</Table> | |
<Title></Title> | |
</Column> | |
</Columns> | |
</ReportDefinition> | |
<IsDrilldown value="false" /> | |
<Created>2017-11-22T10:13:18.0000000-07:00</Created> | |
<Description>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&amp;languageid=en-fr</Description> | |
<Error></Error> | |
<Id value="1504" /> | |
<ImportedPath>Intel SA-00086</ImportedPath> | |
<Modified>2017-11-22T15:10:23.0000000-07:00</Modified> | |
<Name>Intel SA-00086</Name> | |
<ParentId value="null" /> | |
<Path>Intel SA-00086</Path> | |
<TypeName>DynamicCollection</TypeName> | |
<Type>DynamicCollection</Type> | |
<Children type="list"> | |
<Collection> | |
<ReportDefinition name="Definition"> | |
<!-- Filter for the "Vulnerable" dynamic collection: all three conditions must hold
     (Comparison "All"). It selects computers whose scanned registry data has, under the
     INTEL-SA-00086 Discovery Tool key, a value named "System Risk" equal to the exact
     string "This system is vulnerable.".
     NOTE(review): membership is driven by whatever the last registry scan stored, so it
     reflects the most recent run of the detection tool and scan rather than the current
     firmware state; re-run the detection package and the scan after firmware updates.
     TODO confirm the exact wording written by the tool version in use, because an
     exact-match Equals silently stops matching if the wording differs. -->
<RootFilter name="Filter"> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>PathName</Column> | |
<Comparison>Contains</Comparison> | |
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>Name</Column> | |
<Comparison>Equals</Comparison> | |
<Value>System Risk</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>Value</Column> | |
<Comparison>Equals</Comparison> | |
<Value>This system is vulnerable.</Value> | |
</ValueFilter> | |
</Filters> | |
</RootFilter> | |
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName> | |
<Columns type="list"> | |
<Column> | |
<Column>ComputerId</Column> | |
<Summary></Summary> | |
<Table>Computer</Table> | |
<Title></Title> | |
</Column> | |
</Columns> | |
</ReportDefinition> | |
<IsDrilldown value="false" /> | |
<Created>2017-11-22T10:13:41.0000000-07:00</Created> | |
<Description>Computers that the detection tool has determined are vulnerable.</Description> | |
<Error></Error> | |
<Id value="1505" /> | |
<ImportedPath>Intel SA-00086\Intel SA-00086 - Vulnerable</ImportedPath> | |
<Modified>2017-11-22T15:13:47.0000000-07:00</Modified> | |
<Name>Intel SA-00086 - Vulnerable</Name> | |
<ParentId value="1504" /> | |
<Path>Intel SA-00086\Intel SA-00086 - Vulnerable</Path> | |
<TypeName>DynamicCollection</TypeName> | |
<Type>DynamicCollection</Type> | |
<Children type="list" /> | |
</Collection> | |
<Collection> | |
<ReportDefinition name="Definition"> | |
<!-- Filter for the "Not Vulnerable" dynamic collection. Root Comparison "All": the computer
     has been scanned (NeverScanned is not true) AND at least one of the two nested groups
     below matches (Comparison "Any"). -->
<RootFilter name="Filter"> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<GroupFilter> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>Computer</Table> | |
<Column>NeverScanned</Column> | |
<Comparison>!IsTrue</Comparison> | |
</ValueFilter> | |
</Filters> | |
</GroupFilter> | |
<GroupFilter> | |
<Comparison>Any</Comparison> | |
<Filters type="list"> | |
<!-- Group 1: a "System Risk" value exists under the Discovery Tool key and is NOT the exact
     string "This system is vulnerable.".
     NOTE(review): this is a negative match, so every other status the tool may write is
     classed as not vulnerable, presumably including any inconclusive or detection-error
     result. Matching the tool's explicit not-vulnerable wording would fail closed instead;
     confirm the set of values the tool version in use can write. -->
<GroupFilter> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>PathName</Column> | |
<Comparison>Contains</Comparison> | |
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>Name</Column> | |
<Comparison>Equals</Comparison> | |
<Value>System Risk</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>Value</Column> | |
<Comparison>!Equals</Comparison> | |
<Value>This system is vulnerable.</Value> | |
</ValueFilter> | |
</Filters> | |
</GroupFilter> | |
<!-- Group 2: "NotAll" over a single CPU filter; presumably true when the CPU manufacturer
     is not GenuineIntel, which is what the collection description says. Verify the NotAll
     semantics in PDQ Inventory, and note that this relies on CPU data having been scanned. -->
<GroupFilter> | |
<Comparison>NotAll</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>CPU</Table> | |
<Column>Manufacturer</Column> | |
<Comparison>Equals</Comparison> | |
<Value>GenuineIntel</Value> | |
</ValueFilter> | |
</Filters> | |
</GroupFilter> | |
</Filters> | |
</GroupFilter> | |
</Filters> | |
</RootFilter> | |
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName> | |
<Columns type="list"> | |
<Column> | |
<Column>ComputerId</Column> | |
<Summary></Summary> | |
<Table>Computer</Table> | |
<Title></Title> | |
</Column> | |
</Columns> | |
</ReportDefinition> | |
<IsDrilldown value="false" /> | |
<Created>2017-11-22T10:14:56.0000000-07:00</Created> | |
<Description>Computers that have passed the detection tool's test or do not have an Intel CPU.</Description> | |
<Error></Error> | |
<Id value="1506" /> | |
<ImportedPath>Intel SA-00086\Intel SA-00086 - Not Vulnerable</ImportedPath> | |
<Modified>2017-11-27T13:19:00.0000000-07:00</Modified> | |
<Name>Intel SA-00086 - Not Vulnerable</Name> | |
<ParentId value="1504" /> | |
<Path>Intel SA-00086\Intel SA-00086 - Not Vulnerable</Path> | |
<TypeName>DynamicCollection</TypeName> | |
<Type>DynamicCollection</Type> | |
<Children type="list" /> | |
</Collection> | |
<Collection> | |
<ReportDefinition name="Definition"> | |
<!-- Filter for the "Not Scanned" dynamic collection. Root Comparison "Any": either the
     computer has never been scanned, OR all three nested groups hold: the model is none of
     four virtual-machine strings, the Discovery Tool registry key is absent from the scanned
     data, and the CPU manufacturer is GenuineIntel. -->
<RootFilter name="Filter"> | |
<Comparison>Any</Comparison> | |
<Filters type="list"> | |
<GroupFilter> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>Computer</Table> | |
<Column>NeverScanned</Column> | |
<Comparison>IsTrue</Comparison> | |
</ValueFilter> | |
</Filters> | |
</GroupFilter> | |
<GroupFilter> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<!-- Virtual machines are excluded by exact match on four model strings. A hypervisor that
     reports any other model string is not excluded and stays listed here as not scanned. -->
<GroupFilter> | |
<Comparison>NotAny</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>Computer</Table> | |
<Column>Model</Column> | |
<Comparison>Equals</Comparison> | |
<Value>HVM domU</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Computer</Table> | |
<Column>Model</Column> | |
<Comparison>Equals</Comparison> | |
<Value>Virtual Machine</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Computer</Table> | |
<Column>Model</Column> | |
<Comparison>Equals</Comparison> | |
<Value>VirtualBox</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Computer</Table> | |
<Column>Model</Column> | |
<Comparison>Equals</Comparison> | |
<Value>VMware Virtual Platform</Value> | |
</ValueFilter> | |
</Filters> | |
</GroupFilter> | |
<!-- "NotAll" over a single registry filter; presumably true when no scanned registry entry
     lies under the Discovery Tool key, i.e. the tool has not run or its results were not
     collected by a registry scan. Verify the NotAll semantics in PDQ Inventory. -->
<GroupFilter> | |
<Comparison>NotAll</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>PathName</Column> | |
<Comparison>Contains</Comparison> | |
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value> | |
</ValueFilter> | |
</Filters> | |
</GroupFilter> | |
<!-- Only computers reporting an Intel CPU are treated as potentially affected. -->
<GroupFilter> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>CPU</Table> | |
<Column>Manufacturer</Column> | |
<Comparison>Equals</Comparison> | |
<Value>GenuineIntel</Value> | |
</ValueFilter> | |
</Filters> | |
</GroupFilter> | |
</Filters> | |
</GroupFilter> | |
</Filters> | |
</RootFilter> | |
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName> | |
<Columns type="list"> | |
<Column> | |
<Column>ComputerId</Column> | |
<Summary></Summary> | |
<Table>Computer</Table> | |
<Title></Title> | |
</Column> | |
</Columns> | |
</ReportDefinition> | |
<IsDrilldown value="false" /> | |
<Created>2017-11-22T10:23:54.0000000-07:00</Created> | |
<Description>Computers that are potentially vulnerable and have not been scanned.</Description> | |
<Error></Error> | |
<Id value="1507" /> | |
<ImportedPath>Intel SA-00086\Intel SA-00086 - Not Scanned</ImportedPath> | |
<Modified>2017-11-27T13:33:39.0000000-07:00</Modified> | |
<Name>Intel SA-00086 - Not Scanned</Name> | |
<ParentId value="1504" /> | |
<Path>Intel SA-00086\Intel SA-00086 - Not Scanned</Path> | |
<TypeName>DynamicCollection</TypeName> | |
<Type>DynamicCollection</Type> | |
<Children type="list" /> | |
</Collection> | |
</Children> | |
</Collection> | |
</AdminArsenal.Export> |
<?xml version="1.0" encoding="utf-8"?> | |
<AdminArsenal.Export Code="PDQDeploy" Name="PDQ Deploy" Version="14.2.0.0" MinimumVersion="9.0"> | |
<Package> | |
<CurrentLibraryPackageVersionId value="null" /> | |
<PackageDefinition name="Definition"> | |
<CopyMode>Default</CopyMode> | |
<DelayedApprovalTimeSpan>7.00:00:00</DelayedApprovalTimeSpan> | |
<DownloadApprovalMode>Manual</DownloadApprovalMode> | |
<InventoryScanProfileId value="7" /> | |
<IsDownloadApprovalModeInherited value="true" /> | |
<ScanAfterDeployment value="true" /> | |
<Steps type="list"> | |
<!-- Step 1: guard step that stops the deployment on virtual machines.
     The script reads Win32_ComputerSystem.Model, prints it, and exits with code 20 when the
     model equals one of four listed strings. Only exit code 0 is a success code and ErrorMode
     is StopDeploymentFail, so exit 20 fails the deployment before the detection tool runs.
     The comparison is an exact match: a hypervisor reporting any other model string passes
     this check and the detection tool is run on that target. -->
<PowerShellStep> | |
<CustomCommandLine></CustomCommandLine> | |
<Files></Files> | |
<Script>$VirtualMachineModels = @( | |
"VMware Virtual Platform", # VMware | |
"Virtual Machine", # Microsoft Hyper-V | |
"HVM domU", # Xen | |
"VirtualBox" # VirtualBox | |
) | |
$ComputerModel = ( Get-WmiObject Win32_ComputerSystem ).Model | |
Write-Output "Model: $ComputerModel" | |
Foreach ( $VirtualMachineModel in $VirtualMachineModels ) { | |
if ( $ComputerModel -eq $VirtualMachineModel ) { | |
Write-Error "This target is a virtual machine, aborting." | |
Exit 20 | |
} | |
}</Script> | |
<SuccessCodes>0</SuccessCodes> | |
<RunAs value="null" /> | |
<Conditions type="list"> | |
<PackageStepCondition> | |
<Architecture>Both</Architecture> | |
<Version>All</Version> | |
<TypeName>OperatingSystem</TypeName> | |
</PackageStepCondition> | |
<PackageStepCondition> | |
<IsUserLoggedOn>AlwaysRun</IsUserLoggedOn> | |
<TypeName>LoggedOnUser</TypeName> | |
</PackageStepCondition> | |
</Conditions> | |
<ErrorMode>StopDeploymentFail</ErrorMode> | |
<Title>Check for virtual machines</Title> | |
<TypeName>PowerShell</TypeName> | |
<IsEnabled value="true" /> | |
<IsPostStep value="false" /> | |
<IsPreStep value="false" /> | |
</PowerShellStep> | |
<!-- Step 2: runs Intel-SA-00086-console.exe from the PDQ repository with the parameters
     "-d 0" (meaning not shown on this page; confirm against the tool's documentation).
     IncludeDirectory is true, so the whole DiscoveryTool directory is copied to the target.
     NOTE(review): this executable is pushed to and run on every target, so verify its
     Authenticode signature or published hash against Intel's download before placing it in
     the repository, and keep write access to that repository path restricted.
     NOTE(review): RunAs is null; presumably the Deploy default credentials apply. Confirm.
     NOTE(review): SuccessCodes include 100 and 101 alongside 0. The package Description says
     100 was added because of a Deploy bug; presumably these are result codes of the tool
     rather than failures. A successful deployment therefore does not mean the target is not
     vulnerable; read the result from the scanned registry values instead. -->
<InstallStep> | |
<CustomCommandLine></CustomCommandLine> | |
<FileName>$(Repository)\Intel\SA00086_Windows\DiscoveryTool\Intel-SA-00086-console.exe</FileName> | |
<Files></Files> | |
<IncludeDirectory value="true" /> | |
<LeaveInstallFile value="false" /> | |
<MsiOperation>Install</MsiOperation> | |
<MsiQuiet value="true" /> | |
<MsiRestart>Never</MsiRestart> | |
<Parameters>-d 0</Parameters> | |
<SuccessCodes>0,100,101,1641,3010,2359302</SuccessCodes> | |
<RunAs value="null" /> | |
<Conditions type="list"> | |
<PackageStepCondition> | |
<Architecture>Both</Architecture> | |
<Version>All</Version> | |
<TypeName>OperatingSystem</TypeName> | |
</PackageStepCondition> | |
<PackageStepCondition> | |
<IsUserLoggedOn>AlwaysRun</IsUserLoggedOn> | |
<TypeName>LoggedOnUser</TypeName> | |
</PackageStepCondition> | |
</Conditions> | |
<ErrorMode>StopDeploymentFail</ErrorMode> | |
<Title>Run the detection tool</Title> | |
<TypeName>Install</TypeName> | |
<IsEnabled value="true" /> | |
<IsPostStep value="false" /> | |
<IsPreStep value="false" /> | |
</InstallStep> | |
</Steps> | |
<Timeout value="60" /> | |
<UseCustomTimeout value="false" /> | |
<RunAs value="null" /> | |
</PackageDefinition> | |
<Description>https://downloadcenter.intel.com/download/27150 | |
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&amp;languageid=en-fr | |
Due to a bug in Deploy 15.3 I had to include 100 as a Success code.</Description> | |
<NewLibraryPackageVersionId value="null" /> | |
<Version>1</Version> | |
<IsAutoDownload value="false" /> | |
<FolderId value="15" /> | |
<LibraryPackageVersionId value="null" /> | |
<Name>Intel SA-00086 Detection</Name> | |
<Path>Intel SA 00086\Intel SA-00086 Detection</Path> | |
<PackageDisplaySettings name="DisplaySettings"> | |
<DisplayType>Normal</DisplayType> | |
<IconKey>Icon-Package</IconKey> | |
<SortOrder value="17" /> | |
</PackageDisplaySettings> | |
</Package> | |
</AdminArsenal.Export> |
<?xml version="1.0" encoding="utf-8"?> | |
<AdminArsenal.Export Code="PDQInventory" Name="PDQ Inventory" Version="14.1.0.0" MinimumVersion="3.1"> | |
<ReportFolder> | |
<Name>Intel SA-00086</Name> | |
<ParentId value="1" /> | |
<Path>Reports\Intel SA-00086</Path> | |
<Children type="list" /> | |
<Reports type="list"> | |
<Report> | |
<ReportDefinition name="Definition"> | |
<!-- Filter for the "All Scanned Computers" report: both conditions must hold. It selects
     computers that have a registry value named "System Risk" under the INTEL-SA-00086
     Discovery Tool key, whatever that value is. Computers where the tool has not run, or
     whose results were not collected by a registry scan, do not appear in this report. -->
<RootFilter name="Filter"> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>PathName</Column> | |
<Comparison>Contains</Comparison> | |
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>Name</Column> | |
<Comparison>Equals</Comparison> | |
<Value>System Risk</Value> | |
</ValueFilter> | |
</Filters> | |
</RootFilter> | |
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName> | |
<Columns type="list"> | |
<Column> | |
<Column>Name</Column> | |
<Summary></Summary> | |
<Table>Computer</Table> | |
<Title></Title> | |
</Column> | |
<Column> | |
<Column>Value</Column> | |
<Summary></Summary> | |
<Table>Registry</Table> | |
<Title>System Risk</Title> | |
</Column> | |
</Columns> | |
</ReportDefinition> | |
<Created>2017-11-21T16:10:01.0000000-07:00</Created> | |
<Description></Description> | |
<IsNew value="false" /> | |
<Modified>2017-11-22T15:15:29.0000000-07:00</Modified> | |
<Name>Intel SA 00086 - All Scanned Computers</Name> | |
<Path>Reports\Intel SA-00086\Intel SA 00086 - All Scanned Computers</Path> | |
<ReportFolderId value="33" /> | |
<TypeName>BasicReport</TypeName> | |
<ReportType>BasicReport</ReportType> | |
</Report> | |
<Report> | |
<!-- SQL report that pivots two registry values into columns per computer: MAX(CASE ...)
     picks the "System Risk" and "ME Version" values out of the joined RegistryEntries rows.
     <ComputerFilter> is a placeholder token, presumably replaced by PDQ Inventory with the
     selected collection's filter; confirm. In the raw export file its angle brackets have to
     be entity-escaped; this page shows them decoded.
     NOTE(review): rows are selected by value name only, not by registry key path, so a value
     named "System Risk" or "ME Version" collected from any other key by another scan profile
     would be folded into the result.
     NOTE(review): the INNER JOIN drops computers with no registry entries at all, and GROUP BY
     Computers.Name merges distinct computers that share a name. -->
<ReportDefinition name="Definition"> | |
<Sql>SELECT | |
Computers.Name AS "Computer Name", | |
-- https://stackoverflow.com/a/3611606 | |
MAX(CASE WHEN RegistryEntries.Name = 'System Risk' THEN RegistryEntries.Value END) AS "System Risk", | |
MAX(CASE WHEN RegistryEntries.Name = 'ME Version' THEN RegistryEntries.Value END) AS "ME Version" | |
FROM | |
Computers | |
INNER JOIN | |
RegistryEntries ON Computers.ComputerId = RegistryEntries.ComputerId | |
WHERE | |
<ComputerFilter> | |
GROUP BY Computers.Name</Sql> | |
<ReportDefinitionTypeName>SqlReportDefinition</ReportDefinitionTypeName> | |
</ReportDefinition> | |
<Created>2017-11-22T10:04:32.0000000-07:00</Created> | |
<Description></Description> | |
<IsNew value="false" /> | |
<Modified>2017-11-22T15:15:43.0000000-07:00</Modified> | |
<Name>Intel SA 00086 - All Scanned Computers + ME Version</Name> | |
<Path>Reports\Intel SA-00086\Intel SA 00086 - All Scanned Computers + ME Version</Path> | |
<ReportFolderId value="33" /> | |
<TypeName>SqlReport</TypeName> | |
<ReportType>SqlReport</ReportType> | |
</Report> | |
<Report> | |
<ReportDefinition name="Definition"> | |
<!-- Filter for the "Vulnerable" report: all three conditions must hold. It selects computers
     with a "System Risk" value under the INTEL-SA-00086 Discovery Tool key equal to the exact
     string "This system is vulnerable.".
     NOTE(review): the report shows what the last registry scan stored, so a computer stays
     listed until the detection tool and the scan are run again after remediation. Any status
     other than this exact string is left out; confirm which values the tool can write. -->
<RootFilter name="Filter"> | |
<Comparison>All</Comparison> | |
<Filters type="list"> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>PathName</Column> | |
<Comparison>Contains</Comparison> | |
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>Name</Column> | |
<Comparison>Equals</Comparison> | |
<Value>System Risk</Value> | |
</ValueFilter> | |
<ValueFilter> | |
<Table>Registry</Table> | |
<Column>Value</Column> | |
<Comparison>Equals</Comparison> | |
<Value>This system is vulnerable.</Value> | |
</ValueFilter> | |
</Filters> | |
</RootFilter> | |
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName> | |
<Columns type="list"> | |
<Column> | |
<Column>Name</Column> | |
<Summary></Summary> | |
<Table>Computer</Table> | |
<Title></Title> | |
</Column> | |
</Columns> | |
</ReportDefinition> | |
<Created>2017-11-22T10:02:40.0000000-07:00</Created> | |
<Description></Description> | |
<IsNew value="false" /> | |
<Modified>2017-11-22T15:20:28.0000000-07:00</Modified> | |
<Name>Intel SA 00086 - Vulnerable</Name> | |
<Path>Reports\Intel SA-00086\Intel SA 00086 - Vulnerable</Path> | |
<ReportFolderId value="33" /> | |
<TypeName>BasicReport</TypeName> | |
<ReportType>BasicReport</ReportType> | |
</Report> | |
</Reports> | |
</ReportFolder> | |
</AdminArsenal.Export> |
<?xml version="1.0" encoding="utf-8"?> | |
<AdminArsenal.Export Code="PDQInventory" Name="PDQ Inventory" Version="14.1.0.0" MinimumVersion="3.1"> | |
<ScanProfile> | |
<Scanners type="list"> | |
<!-- Registry scanner for the scan profile: reads HKEY_LOCAL_MACHINE and includes two value
     paths, one per line, written by the INTEL-SA-00086 Discovery Tool: "System Risk" and
     "ME Version". These are the only values collected, so the collections and reports on this
     page can only see those two values, as of the last time this scan ran. -->
<Scanner> | |
<ExcludePattern></ExcludePattern> | |
<Hive>HKEY_LOCAL_MACHINE</Hive> | |
<IncludePattern>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status\System Risk | |
SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\ME Firmware Information\ME Version</IncludePattern> | |
<RowLimit value="2500" /> | |
<TypeName>Registry</TypeName> | |
<SourceScannerId value="31" /> | |
</Scanner> | |
</Scanners> | |
<ScheduleTriggerSet name="ScheduleTriggers"> | |
<Triggers type="list" /> | |
</ScheduleTriggerSet> | |
<Description></Description> | |
<ScanProfileId value="7" /> | |
<Name>Intel SA-00086</Name> | |
</ScanProfile> | |
</AdminArsenal.Export> |