@Sawaba
Created December 9, 2017 01:08
Script to determine if Windows systems are vulnerable to CVE-2017-11937
@echo off
REM Local Windows check to ensure we're safe from CVE-2017-11937
REM https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11937
cls
ECHO.
ECHO CVE-2017-11937 Vulnerability Check version 1.0
ECHO Checking to make sure your antivirus isn't going to sell you out to cyberbaddies.
ECHO The last vulnerable version was 1.1.14306.0 - anything newer should be safe.
ECHO.
REM Initialize variables (empty, not literal quotes, so the checks below can test for "not found")
set "sigloc="
set "sigverfull="
set "sigver="
set "conclusion="
REM Approach no1 (shouldn't require admin privs)
ECHO Finding your current signature location...
REM dir /OD lists oldest first, so the last {GUID} directory matched is the newest signature set.
for /f "tokens=1,2,3,4,5" %%a in ('dir /OD "C:\ProgramData\Microsoft\Windows Defender\Definition Updates" ^| find "{"') do set sigloc=%%e
if "%sigloc%"=="" (
ECHO Could not find a signature directory - is Windows Defender installed with signatures present?
set conclusion=UNKNOWN
goto end
)
ECHO Current signature location is C:\ProgramData\Microsoft\Windows Defender\Definition Updates\%sigloc%
ECHO.
REM Approach no2 - Not implemented yet, but would use the registry to check
REM version instead of file version.
REM HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EngineVersion
REM Use WMIC to grab file version. wmic prints "Version=1.1.14306.0": split once on "="
REM for the full version string, and once on "." for the third component compared below.
ECHO Finding MPE version...
for /f "tokens=1,2 delims==" %%a in ('wmic datafile where name^="C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\%sigloc%\\mpengine.dll" get Version /value ^| find "Version"') do set sigverfull=%%b
ECHO MPE Version found...
ECHO.
for /f "tokens=1,2,3,4 delims=." %%a in ('wmic datafile where name^="C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\%sigloc%\\mpengine.dll" get Version /value ^| find "Version"') do set sigver=%%c
ECHO Checking MPE version...
if "%sigver%"=="" (
ECHO Could not read the version of mpengine.dll in %sigloc%.
set conclusion=UNKNOWN
goto end
)
REM Numeric compare of the third version component against the last vulnerable build (1.1.14306.0).
if %sigver% GTR 14306 (
set conclusion=SAFE
ECHO SAFE from CVE-2017-11937 - you are running MPE version %sigverfull%.
) ELSE (
set conclusion=VULNERABLE
ECHO VULNERABLE to CVE-2017-11937.
ECHO You are running MPE version %sigverfull% which can give specially crafted malware full access to systems
ECHO It is recommended that you update immediately
)
REM If not in front of a console to view the output, comment out the next line.
goto end
REM This will write the results out to a file to the root of USERPROFILE
REM You could rewrite this to update a webdav server, send a syslog message, etc
REM You could also modify the file output to go to a mapped file server.
REM To do that, add COMPUTERNAME to make the file name unique and then move
REM or copy it to the destination. If you're feeling adventurous, you could
REM skip the copy and just write directly to the file server or a UNC path.
echo Time: %DATE% %TIME% >> %USERPROFILE%\CVE2017-11937-check.txt
echo Hostname: %COMPUTERNAME% >> %USERPROFILE%\CVE2017-11937-check.txt
echo MPEVersion: %sigverfull% >> %USERPROFILE%\CVE2017-11937-check.txt
echo Conclusion: %conclusion% >> %USERPROFILE%\CVE2017-11937-check.txt
:end
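The registry-based "Approach no2" that the script leaves unimplemented, written here as an added PowerShell example (not part of the gist): it reads EngineVersion from the key the script names and compares it as a full [version] rather than a single numeric component. It assumes the value is a REG_SZ holding a dotted version string such as 1.1.14306.0; the threshold is the last vulnerable build the script itself states.

```powershell
# Added example, not part of the original gist: registry-based CVE-2017-11937 check.
# Assumption: EngineVersion under the key below is a REG_SZ like "1.1.14306.0".
$LastVulnerable = [version]'1.1.14306.0'   # last vulnerable build per the gist
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'

function Get-MpEngineVersionFromRegistry {
    # Throws if the key or value is missing so the caller can report UNKNOWN.
    $raw = (Get-ItemProperty -Path $RegPath -Name EngineVersion -ErrorAction Stop).EngineVersion
    return [version]$raw
}

function Test-Cve201711937 {
    param([Parameter(Mandatory)][version]$EngineVersion)
    # [version] compares all four components numerically, so 1.1.14405.2 (fixed)
    # sorts above 1.1.14306.0 and a future 1.2.x engine is not misread as older.
    if ($EngineVersion -gt $LastVulnerable) { return 'SAFE' }
    return 'VULNERABLE'
}

try {
    $ver = Get-MpEngineVersionFromRegistry
} catch {
    Write-Error "Could not read EngineVersion from $RegPath : $_"
    exit 2   # UNKNOWN: distinct exit code so a scheduled task can flag it
}

$conclusion = Test-Cve201711937 -EngineVersion $ver

# Same fields the batch script writes to its report file.
[pscustomobject]@{
    Time       = Get-Date -Format o
    Hostname   = $env:COMPUTERNAME
    MPEVersion = $ver.ToString()
    Conclusion = $conclusion
} | Format-List

# Non-zero exit code for VULNERABLE so management tooling can act on the result.
if ($conclusion -eq 'VULNERABLE') { exit 1 } else { exit 0 }
```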