Find OpenSSL files with SCOM (Heartbleed)

OpenSSL for Windows consists of two DLL files which could be installed on some of your Windows servers. The two files are libssl32.dll or libssl64.dll, and I am not saying these should be removed – but perhaps updated.

 

PowerShell Script

You can find the two files with a PowerShell script like this one. Start the script like this: FindFile.ps1 libssl32.dll, libssl64.dll and it will create an event for every file found.

    Param([String[]] $FileName)

    # SCOM scripting API, used to write the events
    $api = New-Object -ComObject 'MOM.ScriptAPI'

    # All file system drives on the server
    $Drives = Get-PSDrive -PSProvider "FileSystem" | Select-Object Name

    ForEach ($File in $FileName)
    {
        ForEach ($Drive in $Drives)
        {
            # Search the whole drive, hidden and system files included
            $Found = Get-ChildItem -Path "$($Drive.Name):\" -Include "*$File*" -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { ($_.PSIsContainer -eq $false) -and ($_.Name -like "*$File*") }

            If ($Found -ne $null)
            {
                $Found | Select-Object Name,Directory | Format-Table -AutoSize *

                # One event per file found, with the full path as the description
                ForEach ($Item in $Found)
                {
                    $api.LogScriptEvent('FindFile.ps1',20,4,$Item.FullName)
                }
            }
        }
    }

VBS Script

The same script done as a VBS script:

    Option Explicit
    On Error Resume Next

    Dim oFSO, oDrive, oAPI, objArgs, sFileName1, sFileName2
    Set objArgs = WScript.Arguments
    Set oAPI    = CreateObject("MOM.ScriptAPI")
    Set oFSO    = CreateObject("Scripting.FileSystemObject")

    ' The two file names to search for, passed as arguments
    sFileName1  = objArgs(0)
    sFileName2  = objArgs(1)

    ' DriveType 2 = fixed (local) disk
    For Each oDrive In oFSO.Drives
      If oDrive.DriveType = 2 Then Recurse oDrive.RootFolder
    Next

    Sub Recurse(oFolder)
      Dim oSubFolder, oFile

      If IsAccessible(oFolder) Then
        For Each oSubFolder In oFolder.SubFolders
          Recurse oSubFolder
        Next

        For Each oFile In oFolder.Files
          ' File names on Windows are not case sensitive, so compare as text
          If StrComp(oFile.Name, sFileName1, vbTextCompare) = 0 Or StrComp(oFile.Name, sFileName2, vbTextCompare) = 0 Then
            ' WScript.Echo instead of MsgBox: under cscript it does not wait for a click
            WScript.Echo "found: " & oFile.Path
            Call oAPI.LogScriptEvent("FindFile.vbs", 25, 0, "Found the following file: " & oFile.Name & " in the Path: " & oFile.Path)
          End If
        Next
      End If
    End Sub

    ' Returns True only when the folder can be read by the account running the script
    Function IsAccessible(oFolder)
      On Error Resume Next
      IsAccessible = oFolder.SubFolders.Count >= 0
    End Function
 

Management Pack

I have created a Management Pack you can use in your SCOM Management Group. Be careful, since this one uses some resources
on your Windows servers. But let it run for a day or two and you will get warnings for all the OpenSSL implementations you have.
The default timeout is 1 hour, but on large drives it could really take long – I saw at a customer at least 55 mins
on a 2 TB large drive.
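
Once the files are located, the next check is whether each copy actually needs the update. The following is an added example, not part of the original post or its management pack: it reads the version banner that OpenSSL builds embed in the library and flags the releases affected by Heartbleed. The function names, the banner-based check, the affected version range (taken from the OpenSSL advisory, not from this post) and the sample byte strings are assumptions made for this example.

```powershell
# Added example, not part of the original scripts.
function Get-OpenSslVersion {
    param([byte[]] $Bytes)
    # Latin-1 maps each byte to one character, so binary content can be searched as text
    $text  = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($Bytes)
    # Version banner, e.g. "TLSv1 part of OpenSSL 1.0.1f 6 Jan 2014"
    $match = [regex]::Match($text, 'OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-beta\d*)?) ')
    if ($match.Success) { return $match.Groups[1].Value }
    return $null   # no banner found: stripped build, or not an OpenSSL library
}

function Test-HeartbleedAffected {
    param([string] $Version)
    # Assumption (OpenSSL advisory for Heartbleed): 1.0.1 through 1.0.1f and
    # 1.0.2-beta / 1.0.2-beta1 are affected; 1.0.1g, 1.0.0 and 0.9.8 are not.
    return ($Version -cmatch '^1\.0\.1[a-f]?$') -or ($Version -cmatch '^1\.0\.2-beta1?$')
}

function Get-OpenSslFileReport {
    param([string[]] $Path)   # full paths, e.g. taken from the events the search logged
    foreach ($p in $Path) {
        $version = Get-OpenSslVersion -Bytes ([System.IO.File]::ReadAllBytes($p))
        New-Object PSObject -Property @{
            Path     = $p
            Version  = $version
            Affected = if ($version) { Test-HeartbleedAffected $version } else { $null }
        }
    }
}

# Constructed byte strings standing in for DLL contents (not real files)
$enc     = [System.Text.Encoding]::GetEncoding('iso-8859-1')
$samples = "MZ`0`0TLSv1 part of OpenSSL 1.0.1f 6 Jan 2014`0",
           "MZ`0`0TLSv1 part of OpenSSL 1.0.1g 7 Apr 2014`0",
           "MZ`0`0SSLv3 part of OpenSSL 0.9.8y 5 Feb 2013`0",
           "MZ`0`0no version banner in this one`0"
foreach ($sample in $samples) {
    $v = Get-OpenSslVersion -Bytes $enc.GetBytes($sample)
    if ($v) { "version $v, affected: $(Test-HeartbleedAffected $v)" } else { 'no OpenSSL version banner found' }
}
```

A file without a banner comes back with an empty Version and Affected, so it still needs a manual look rather than being treated as safe.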
 
If you would like to have a copy of the management pack – send me an email 
 
Hope this could give you some inspiration in creating your own management pack.
 
See you at TechEd 2014… 
 
Remember to check up on the upcoming SCOM training sessions at www.Glasspaper.no, www.Labcenter.se and www.Truesec.com
 
/Kåre
 

Comments (3):

  1. Werner says:

    hi,

    please send me the Management Pack

  2. Marc says:

    can you send me the MP, too?

  3. Hans says:

    Can you send me also the managementpack please?
