Since the action script does not delete the certificate but rather revokes it, I chose not to handle the DLLs to minimize any possible issue. The official removal instructions published by Dell includes deleting of certain DLLs/services which will keep installing this certificate. reg file which writes the eDellRoot Certificate as a blob into the “Untrusted Certificates” store, effectively revoking the certificate. The eDellRoot Certificate is not yet in the “Untrusted Certificates” store. – Relevance #2 – not exists key "HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\Certificates\98A04E4163357790C4A79E6D713FF0AF51FE6927" of native registry I am trying to use the certificate’s thumbprint to identify it. This relevance tries to see whether the eDellRoot certificate exists in all ‘Trusted Root Certification Authorities’ stores. – Relevance #1 – exists keys "Root\Certificates\98A04E4163357790C4A79E6D713FF0AF51FE6927" of keys "Software\Microsoft\SystemCertificates" of (keys whose (exists key "Software\Microsoft\SystemCertificates" of it) of key "HKEY_USERS" of it keys "HKEY_LOCAL_MACHINE" of it) of native registry Note: the Fixlet is in BETA stage, please test before deploying to production. I can go wrong in many ways, so please do correct me. Here is a Fixlet which (hopefully) does the job. Revoke eDellRoot Certificate - Enable Workaround.bes Any field test and feedback is greatly appreciated. Note: This Fixlet is not yet tested as the removal tool seems only run on affected Dell computers. This Fixlet helps to deploy the removal tool. An eDellRoot and DSDTestProvider removal tool was also provided in the KB page. What Bigfix can offer in terms of certificate discovery?ĭeploy eDellRoot and DSDTestProvider removal tool.besĭell has released the official KB page acknowledging both the eDellRoot and DSDTestProvider. This is a pretty rough attempt at parsing the certificate data from the Windows Registry: ( concatenations " " of (preceding text of first "?" of it | it) whose(it != "" AND it does not contain "") of (preceding text of first "?" of it | it) of (preceding text of first "0?" of it | it) of (preceding text of first "0?" of it | it) of (preceding text of first "0" of it | it) of (preceding text of last "1" of it | it) of (following text of (start of first (first matches (regex "") of it) of it) | it) whose(exists (first matches (regex "") of it)) of (preceding text of first "" of it | it) of substrings separated by "U" of it) of it whose(it contains "U") of (hexadecimal string it) of ( unique values of (it as string) of values "blob" of keys of keys "Certificates" of keys whose(name of it as uppercase contains "CA" OR name of it as uppercase contains "ROOT") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates" of (圆4 registries x32 registries) ) Strategies for Closing CVEs and Deploying Patches - Log4j and beyond WEBUI and a REAL SSL cert -and one more question Names of Computers with “Dell Foundation Services” installed: names of computers of results whose(exists values whose(it contains "Dell Foundation Services") of it) of bes properties "Installed Applications - Windows" Should match the number from the above session relevance: sum of multiplicities of unique values whose(it contains "Dell Foundation Services") of values of results of bes properties "Services - Windows" The following session relevance should give the number of computers with the Dell Foundation Services windows service installed. The following session relevance should give the # of computers with “Dell Foundation Services” installed, which seems to be the source of this cert: sum of multiplicities of unique values whose(it contains "Dell Foundation Services") of values of results of bes properties "Installed Applications - Windows" The following relevance SHOULD detect any certificate containing “eDellRoot”: exists (hexadecimal string it) whose(it contains "eDellRoot") of ( unique values of (it as string) of values "blob" of keys of keys "Certificates" of keys whose(name of it as uppercase contains "CA" OR name of it as uppercase contains "ROOT") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates" of (圆4 registries x32 registries) )
0 Comments
Leave a Reply. |