Using Smart Update and Configuration Groups to Patch and Remove MSBlaster Worm

Pam
Smart Update (Configuration Groups, Organizational Groups)

The information in this article applies to the following products:

• Prism Deploy

Summary:

The MSBlaster worm is hitting computer users hard, both at home and at work. Below are some links with more background information on the worm.

Microsoft: http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Use Prism Deploy’s Smart Update technology to both patch and clean up the infected systems.

Method:

In your Prism Deploy Channel, create three new user-defined configuration groups and an “All Others” group, representing the four possible states in relation to the MSBlaster worm: infected and not patched, patched but still infected, patched and cleaned up, and not patched but not infected. The rulesets are configured to look for msblaster.exe in the %systemdir%\system32 directory, and to look for the presence or absence of the registry key that indicates whether the system is patched (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\KB823980). Note: this is the relevant key for Windows XP and Windows 2000 systems; on NT systems the registry key is Q823980.
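The same two checks can be run by hand on a single machine to confirm which of the four states it is in. The script below is an added example, not part of the original article and not Prism Deploy's own ruleset logic. The function name, the state labels, and reading %systemdir%\system32 as %SystemRoot%\System32 are assumptions.

```powershell
# Added example: classify the local host into the article's four MSBlaster states.
# Assumptions: function name and state labels are illustrative only.
function Get-BlasterState {
    param(
        # Worm file name as stated in the article; confirm it against your
        # anti-virus vendor's write-up before relying on the result.
        [string]$WormFile = 'msblaster.exe',
        # The article writes %systemdir%\system32; assumed to mean %SystemRoot%\System32.
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32'),
        [string]$HotfixRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix'
    )

    # Check 1: is the worm executable present on disk?
    $infected = Test-Path -LiteralPath (Join-Path $SystemDir $WormFile) -PathType Leaf

    # Check 2: is the hotfix key present?
    # KB823980 on Windows XP/2000, Q823980 on NT (per the article).
    $patched = $false
    foreach ($name in 'KB823980', 'Q823980') {
        if (Test-Path -LiteralPath (Join-Path $HotfixRoot $name)) { $patched = $true }
    }

    # Map the two booleans onto the four configuration-group states.
    $state = if ($infected -and -not $patched) { 'Infected, not patched' }
             elseif ($infected -and $patched)  { 'Patched, still infected' }
             elseif ($patched)                 { 'Patched and cleaned up' }
             else                              { 'Not patched, not infected' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Infected = $infected
        Patched  = $patched
        State    = $state
    }
}

Get-BlasterState
```

A host that reports "Not patched, not infected" corresponds to the “All Others” group only if that is how you defined the three user-defined groups in your Channel.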

Next, create Tasks to perform the remediation process:

1) Run the Microsoft patch executable as a Command Task. Use the Microsoft-supported switches to configure how the patch is installed (e.g., quiet, force reboot).

2) Turn off System Restore (with a Prism package)

3) Run the cleanup utility from your anti-virus vendor as a Command Task.

4) Turn on System Restore (again, with a Prism package)

Assign the Tasks to the appropriate configuration groups (e.g., the Tasks to patch and turn off System Restore go to the first group). The Task that runs the Microsoft patch can optionally be assigned to recur at system startup to allow infected systems as much time as possible to run the patch before rebooting. This may not be necessary, however, because computers poll the channel as soon as they’re online, and the patch runs very quickly.

Your computers will automatically move themselves in and out of the appropriate Configuration Groups as the status changes, and they will receive the appropriate Tasks for their current status.

Below is a screenshot of a sample Channel.

Please contact New Boundary Technical Support if you’d like further assistance: 612-379-1851.


Details
Last Modified: 19 Years Ago
Last Modified By: Pam
Type: HOWTO