
Checking security software

Brent Moberly edited this page Jan 12, 2015 · 1 revision

### Overview

Setup

This tutorial assumes that you have completed the tutorial, Let's not do that again (so soon), and have a version of the engine that will start and attempt to contact your web-server.

A note on examples

Our xml files are starting to get too long to include their full text inline in these tutorials. When you see the external-link symbol in the text, you can click on it to view the xml file in question.

How does InCert check Windows' security software?

The InCert engine provides three tasks for evaluating the health of a computer's security providers:

  • AntiMalware.VerifySecurityCenter
  • AntiMalware.VerifyAntiVirusSoftware
  • AntiMalware.VerifyAntiSpywareSoftware

Each of these tasks uses functionality exposed by the Windows API to query various Windows security providers.

Windows does not return very detailed information about a system's security providers, but it will tell us whether the provider in question is healthy or not. Windows will tell us, for example, that its anti-virus software is not healthy, but it will not tell us whether this is because the anti-virus software is missing, disabled, out-of-date, or any combination of the above.

This is good enough for our immediate purposes, though if you need more detailed information for purposes of remediation or intervention, you'll have to do your own forensics.

We'll eventually cover remediation and forensics in an advanced tutorial, but for now, let's just ensure that the machine has healthy security software before continuing.
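To make the "healthy or not" limitation concrete, here is an added example (not the InCert engine's own code) that calls the Windows Security Center health API from C#. The provider flags and health values are the ones declared in wscapi.h; the `Verify` helper and its labels are this example's own names, chosen to mirror the task semantics described above (proceed when healthy, report an error otherwise).

```csharp
using System;
using System.Runtime.InteropServices;

// Added illustration, not part of the InCert engine: ask Windows Security Center
// for the health of a provider. Windows only returns one coarse value per
// provider, which is exactly why the tutorial's error dialogs are vague.
static class SecurityCenterHealth
{
    // Provider bit flags from wscapi.h (WSC_SECURITY_PROVIDER).
    [Flags]
    enum WscProvider : uint
    {
        Firewall    = 0x01,
        AutoUpdate  = 0x02,
        AntiVirus   = 0x04,
        AntiSpyware = 0x08,
    }

    // Health values from wscapi.h (WSC_SECURITY_PROVIDER_HEALTH).
    enum WscHealth : int
    {
        Good = 0,
        NotMonitored = 1,
        Poor = 2,
        Snooze = 3,
    }

    // HRESULT WscGetSecurityProviderHealth(DWORD Providers, PWSC_SECURITY_PROVIDER_HEALTH pHealth)
    [DllImport("wscapi.dll", ExactSpelling = true)]
    static extern int WscGetSecurityProviderHealth(uint providers, out WscHealth health);

    // Hypothetical helper mirroring the tutorial's task behaviour:
    // "Next" when Windows reports the provider healthy, an error otherwise.
    static string Verify(string label, WscProvider provider)
    {
        int hr = WscGetSecurityProviderHealth((uint)provider, out WscHealth health);
        // A failing HRESULT means Security Center itself could not be queried
        // (for example, the Security Center service is not running).
        if (hr < 0)
            return $"{label}: Error (Security Center unavailable, HRESULT 0x{hr:X8})";
        // Missing, disabled and out-of-date products all collapse into Poor;
        // a product that never registered with Security Center shows NotMonitored.
        return health == WscHealth.Good ? $"{label}: Next" : $"{label}: Error ({label} Health Poor, status {health})";
    }

    static void Main()
    {
        Console.WriteLine(Verify("Anti-Virus", WscProvider.AntiVirus));
        Console.WriteLine(Verify("Anti-Spyware", WscProvider.AntiSpyware));
        Console.WriteLine(Verify("Firewall", WscProvider.Firewall));
    }
}
```

Run it on a desktop Windows SKU; disabling Windows Defender and re-running shows the anti-virus and anti-spyware results flip from `Next` to `Error` with no further detail, which is all that the engine's tasks have to work with.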

Checking the status of Windows' security software

  1. Create a new xml content file entitled "systemintegrity.xml" with the following contents:

```xml
<Content xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://incert.incommon.org/schemas ../Schemas/tasklist.xsd">
  <Branches>
    <TaskBranch name="systemintegrity.verify security center">
      <UserInterface.ActivateCheckedParagraph minimumTaskTime="1">
        <Properties>
          <Dialog>Main dialog</Dialog>
          <ControlKey>Verifying windows security center</ControlKey>
        </Properties>
      </UserInterface.ActivateCheckedParagraph>

      <AntiMalware.VerifySecurityCenter/>

      <UserInterface.CompleteCheckedParagraph minimumTaskTime="1">
        <Properties>
          <Dialog>Main dialog</Dialog>
          <ControlKey>Verifying windows security center</ControlKey>
        </Properties>
      </UserInterface.CompleteCheckedParagraph>
    </TaskBranch>

    <TaskBranch name="systemintegrity.verify anti-virus software">
      <UserInterface.ActivateCheckedParagraph minimumTaskTime="1">
        <Properties>
          <Dialog>Main dialog</Dialog>
          <ControlKey>Verifying anti-virus software</ControlKey>
        </Properties>
      </UserInterface.ActivateCheckedParagraph>

      <AntiMalware.VerifyAntiVirusSoftware/>

      <UserInterface.CompleteCheckedParagraph minimumTaskTime="1">
        <Properties>
          <Dialog>Main dialog</Dialog>
          <ControlKey>Verifying anti-virus software</ControlKey>
        </Properties>
      </UserInterface.CompleteCheckedParagraph>
    </TaskBranch>

    <TaskBranch name="systemintegrity.verify anti-spyware software">
      <UserInterface.ActivateCheckedParagraph minimumTaskTime="1">
        <Properties>
          <Dialog>Main dialog</Dialog>
          <ControlKey>Verifying anti-spyware software</ControlKey>
        </Properties>
      </UserInterface.ActivateCheckedParagraph>

      <AntiMalware.VerifyAntiSpywareSoftware/>

      <UserInterface.CompleteCheckedParagraph minimumTaskTime="1">
        <Properties>
          <Dialog>Main dialog</Dialog>
          <ControlKey>Verifying anti-spyware software</ControlKey>
        </Properties>
      </UserInterface.CompleteCheckedParagraph>
    </TaskBranch>
  </Branches>
</Content>
```

As with the last few tutorials, much of this xml is user-interface code. We've added extra white space so that you can see the tasks that check the three security providers. We've also assigned each checking task to its own task branch.

Here again, all of the heavy lifting is done in the tasks themselves. If Windows reports that a provider is unhealthy, each task will return an appropriate ErrorResult. Otherwise, it will return a NextResult.

  2. In tasklist.xml, modify the Control.GetContentFromEndpoint xml block in your main branch as follows:

```xml
<Control.GetContentFromEndpoint>
  <Properties>
    <ContentName>banners.xml</ContentName>
    <ContentName>restorepoint.xml</ContentName>
    <ContentName>credentials.xml</ContentName>
    <ContentName>antimalware.xml</ContentName>
    <ContentName>systemintegrity.xml</ContentName>
  </Properties>
</Control.GetContentFromEndpoint>
```

This tells the engine to import the contents of systemintegrity.xml at the start of its main branch.

  3. Add the following xml blocks to your main branch, after the Control.ReturnBranchResult task that we modified in the last tutorial:

```xml
<Control.ReturnBranchResult>
  <Properties>
    <Branch>systemintegrity.verify security center</Branch>
  </Properties>
</Control.ReturnBranchResult>

<Control.ReturnBranchResult>
  <Properties>
    <Branch>systemintegrity.verify anti-virus software</Branch>
  </Properties>
</Control.ReturnBranchResult>

<Control.ReturnBranchResult>
  <Properties>
    <Branch>systemintegrity.verify anti-spyware software</Branch>
  </Properties>
</Control.ReturnBranchResult>
```

These blocks will, of course, execute each of the task branches in our systemintegrity.xml file.

  4. Upload tasklist.xml and systemintegrity.xml to your server and run the engine. The engine should now evaluate your system's security center, anti-virus software, and anti-spyware software:

[screenshot: engine running, showing the security checks]

If, just for laughs, you disable Windows Defender (under Windows 8) and run the engine again, the engine will raise an "Anti-Virus Health Poor" dialog:

[screenshot: Windows Defender disabled, "Anti-Virus Health Poor" dialog]

Here, the error dialog is a bit vague because there is no way to tell exactly what is wrong with Windows Defender (or even that it is Windows Defender that is broken) without performing additional forensics.

One other thing to keep in mind is that Windows will only evaluate the health of software that hooks into its security-center functionality. If a user has managed to install an anti-virus package that doesn't report its status to Windows, or reports its status incorrectly, the engine will likely throw an "Anti-Virus Health Poor" or "Anti-Spyware Health Poor" error even though protection may be present.

Conclusion

In this tutorial, we implemented three quick task branches to check the status of a system's security center, anti-virus software, and anti-spyware software. In the next tutorial, we'll start configuring users' systems.