fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Include Windows security products in software list #18494

Open spokanemac opened 2 months ago

spokanemac commented 2 months ago

Goal

User story
As a user viewing software,
I want to see Windows security products
so that I can see whether Windows Defender is installed.

Context

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

JoStableford commented 2 months ago

Note that while Defender is the one we specifically need to see for Vanta/SOC2 purposes, capturing any default software that is loaded onto devices is ideal.

noahtalerman commented 2 months ago

@spokanemac and @JoStableford thanks for tracking this.

Assuming we want this ASAP to meet SOC2, I bet there's an osquery query we can add to dogfood to export this data in the meantime. Will that work?

Here's what we could do:

  1. Add a query to the workstations and workstations (canary) teams in dogfood via GitOps. For us, dogfood lives in the it-and-security/ folder here.

  2. Wait 24 hours. As hosts check in during working hours, they will send data.

  3. Export the query results in the Fleet UI. We can use the Export results button on the query report page. For example, here's the query report for the "Collect VC Code extensions" query: (screenshot)

Tagging @nonpunctual here for query writing assistance.

spokanemac commented 2 months ago

@nonpunctual I have this basic query to see if the path exists, but unsure if we should check for the exe (I think it's MpCmdRun.exe)

SELECT * FROM file WHERE path LIKE "C:\Program Files\Windows Defender\%" AND filename = "MpCmdRun.exe";

or a process. (this does not return anything)

SELECT * FROM processes WHERE path LIKE "C:\Program Files\Windows Defender\%";

nonpunctual commented 2 months ago

@spokanemac @noahtalerman @JoStableford That 1st query returns Windows Defender on my Windows VM.

This would return the process if it were running, I think:

SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '' AND name LIKE 'MpCmdRun.exe';

It works, e.g., if I replace the .exe name with msedge.exe when the Edge browser is running.

This is an amazing list of Windows threat detection queries: https://medium.com/@gabriel.pirjolescu/demystifying-windows-malware-hunting-part-1-detecting-persistence-with-osquery-b53573c2aac0

noahtalerman commented 2 months ago

Thanks @nonpunctual!

@spokanemac my two cents is that checking for the path is a good enough first pass.

SELECT * FROM file WHERE path LIKE "C:\Program Files\Windows Defender\%"

(I think this is what the tables we use for software inventory queries check under the hood)

If you agree, let's get this query in dogfood! That way, we can point auditors to the query results in Fleet.

Let's discuss adding Windows Defender to the default software inventory at the next feature fest.

cc @JoStableford

spokanemac commented 2 months ago

After further discussion, we will move this to an AV policy for Windows to show an auditor that AV is enabled.

SELECT 1 FROM windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date = 1;

It looks like we hand Vanta a software list to check this. Thus, we need to add Defender to the software list.
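The thread so far has three separate checks (binary on disk, process running, Security Center state). As an added example, not part of the issue or Fleet's own code, the two osquery statements below fold the on-disk check and the Security Center state into a single report row an auditor can read, and then give a stricter policy form of the check. Table and column names (`file`, `windows_security_center`, `windows_security_products`, `state`, `signatures_up_to_date`) are taken from the osquery schema; the Defender path and `MpCmdRun.exe` are the ones used earlier in this thread. The `state` value `'On'` is the osquery-documented value for an active product and should be confirmed on a real host before the policy is trusted.

```sql
-- Added example (not from the issue thread). Report form: one row per registered
-- antivirus product, with the Security Center verdict and a flag for whether the
-- Defender engine binary from the earlier file-table query is present on disk.
-- Each statement is meant to be saved as its own Fleet query.
SELECT
  (SELECT COUNT(*) FROM file
     WHERE path LIKE 'C:\Program Files\Windows Defender\%'
       AND filename = 'MpCmdRun.exe')   AS defender_binary_present,  -- 1 if found, else 0
  wsc.antivirus                         AS security_center_antivirus, -- e.g. 'Good'
  wsp.name                              AS product_name,
  wsp.state                             AS product_state,             -- 'On' when active (assumed per osquery schema)
  wsp.signatures_up_to_date             AS signatures_current         -- 1 = current
FROM windows_security_center wsc
LEFT JOIN windows_security_products wsp
  ON wsp.type = 'Antivirus';

-- Policy form (Fleet marks the host passing when a row is returned). Unlike a
-- CROSS JOIN, the EXISTS subquery makes it explicit that the host passes only if
-- Security Center rates antivirus 'Good' AND at least one antivirus product is
-- both active and has current signatures; a registered-but-disabled product does
-- not satisfy it.
SELECT 1
FROM windows_security_center wsc
WHERE wsc.antivirus = 'Good'
  AND EXISTS (
    SELECT 1
    FROM windows_security_products wsp
    WHERE wsp.type = 'Antivirus'
      AND wsp.state = 'On'
      AND wsp.signatures_up_to_date = 1
  );
```

The report query keeps a row even when no antivirus product is registered (the LEFT JOIN yields NULL product columns), which is the case an auditor most wants to see rather than an empty result set. Both statements run only on Windows, so scope them to the Windows platform when adding them via GitOps.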

sharon-fdm commented 1 month ago

Estimations: BE 5 FE 1

sharon-fdm commented 1 month ago

On the backend side, use the table mentioned in the Figma to collect this extra info. On the FE side, match the proper logo to the SW.