Using Smart Update and Configuration Groups to Patch and Remove MSBlaster Worm
The information in this article applies to the following products:

• Prism Deploy

Summary:

The MSBlaster worm is hitting computer users hard, both at home and at work. Below are some links with more background information on the worm.

Microsoft: http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Use Prism Deploy’s Smart Update technology to both patch and clean up the infected systems.

Method:

In your Prism Deploy Channel, create three new user-defined configuration groups and an “All Others” group representing the four possible states in relation to the MSBlaster worm: infected and not patched, patched but still infected, patched and cleaned up, and not patched but not infected. The rulesets are configured to look for msblaster.exe in the %systemdir%\system32 directory, and to look for the presence or absence of the registry key that indicates whether the system is patched (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\KB823980). Note: this is the relevant key for Windows XP and Windows 2000 systems; on NT systems the registry key is Q823980.

Next, create Tasks to perform the remediation process:

1) Run the Microsoft patch executable as a Command Task. Use the Microsoft-supported switches to control how the patch is installed (e.g., quiet mode, forced reboot).

2) Turn off System Restore (with a Prism package).

3) Run the cleanup utility from your anti-virus vendor as a Command Task.

4) Turn on System Restore (again, with a Prism package).

Assign the Tasks to the appropriate configuration groups (e.g., the Tasks to patch and turn off System Restore go to the first group). The Task that runs the Microsoft patch can optionally be assigned to recur at system startup to give infected systems as much time as possible to run the patch before rebooting. This may not be necessary, however, because computers poll the channel as soon as they are online, and the patch runs very quickly.

Your computers will automatically move themselves in and out of the appropriate Configuration Groups as the status changes, and they will receive the appropriate Tasks for their current status.
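The following PowerShell script is an added example, not part of the original article or of Prism Deploy: it reproduces the same four-state classification locally (worm file present in system32, hotfix key KB823980 or Q823980 present) so an administrator can spot-check which configuration group a machine should have landed in. It assumes the file name and registry keys exactly as the article gives them; the group labels and the task mapping for groups after the first follow the order of the Method section and are assumptions, not Prism Deploy identifiers.

```powershell
# Added example: classify this machine into the article's four MSBlaster states.
# Assumes the worm file name and hotfix registry keys named in the article.

$wormFile = Join-Path $env:SystemRoot 'system32\msblaster.exe'
$hotfixKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB823980',  # Windows XP / 2000
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823980'    # Windows NT
)

# Same two checks the article's rulesets perform.
$infected = Test-Path -LiteralPath $wormFile
$patched  = @($hotfixKeys | Where-Object { Test-Path -LiteralPath $_ }).Count -gt 0

# Group labels and expected Tasks are hypothetical, following the Method section.
$group = switch ("$infected,$patched") {
    'True,False'  { 'Infected, not patched (expect: MS patch + System Restore off)' }
    'True,True'   { 'Patched, still infected (expect: AV cleanup utility)' }
    'False,True'  { 'Patched and cleaned up (expect: System Restore on)' }
    'False,False' { 'Not patched, not infected (expect: MS patch)' }
}

[PSCustomObject]@{
    Computer           = $env:COMPUTERNAME
    WormFilePresent    = $infected
    HotfixKeyPresent   = $patched
    ConfigurationGroup = $group
}
```

Run it on a machine that has already polled the Channel and compare the reported group with the one shown in the Prism Deploy console; a mismatch points at a ruleset that is checking a different path or key.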

Below is a screenshot of a sample Channel.

Please contact New Boundary Technical Support if you’d like further assistance: 612-379-1851.