Include Windows security products in software list
Goal
| User story |
|---|
| As a user viewing software, |
| I want to see Windows security products |
| so that I can see whether Windows Defender is installed. |
Context
- Requestor(s): @spokanemac
- Product designer: @rachaelshaw
- Windows Defender (%ProgramData%\Microsoft\Windows Defender\Platform) is not included in the software inventory. Vanta is unable to see that Windows Defender is installed.
Changes
Product
- [ ] UI changes: Figma
- [ ] fleetd changes: add version information to results returned from the `windows_security_products` table
- [ ] Outdated documentation changes: TODO
Engineering
- [ ] Database schema migrations: TODO
- [ ] Load testing: TODO
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
- Requires load testing: TODO
- Risk level: Low / High TODO
- Risk description: TODO
Manual testing steps
- Step 1
- Step 2
- Step 3
Testing notes
Confirmation
- [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
Note that while Defender is the one we specifically need to see for Vanta/SOC2 purposes, capturing any default software that is loaded onto devices is ideal.
@spokanemac and @JoStableford thanks for tracking this.
Assuming we want this ASAP to meet SOC2, I bet there's an osquery query we can add to dogfood to export this data in the meantime. Will that work?
Here's what we could do:
- Add a query to the workstations and workstations (canary) teams in dogfood via GitOps. For us, dogfood lives in the `it-and-security/` folder here.
- Wait 24 hours. As hosts check in during working hours, they will send data.
- Export the query results in the Fleet UI. We can use the Export results button on the query report page. For example, here's the query report for the "Collect VC Code extensions" query:
Tagging @nonpunctual here for query writing assistance.
@nonpunctual I have this basic query to see if the path exists, but I'm unsure if we should check for the exe (I think it's MpCmdRun.exe):

```sql
SELECT * FROM file WHERE path LIKE "C:\Program Files\Windows Defender\%" AND filename = "MpCmdRun.exe";
```

or a process (this does not return anything):

```sql
SELECT * FROM processes WHERE path LIKE "C:\Program Files\Windows Defender\%";
```
@spokanemac @noahtalerman @JoStableford That 1st query returns Windows Defender on my Windows VM.
This would return the process if it was running, I think:

```sql
SELECT processes.pid, processes.name, users.username, processes.path, processes.cmdline
FROM processes
LEFT JOIN users ON processes.uid = users.uid
WHERE processes.path != '' AND name LIKE 'MpCmdRun.exe';
```
It works, e.g., if I replace the .exe name with msedge.exe when the Edge browser is running.
This is an amazing list of Windows threat detection queries: https://medium.com/@gabriel.pirjolescu/demystifying-windows-malware-hunting-part-1-detecting-persistence-with-osquery-b53573c2aac0
Thanks @nonpunctual!
@spokanemac my two cents is that checking for the path is a good enough first pass.

```sql
SELECT * FROM file WHERE path LIKE "C:\Program Files\Windows Defender\%";
```

(I think this is what the tables we use for software inventory queries check under the hood.)
If you agree, let's get this query in dogfood! That way, we can point auditors to the query results in Fleet.
Let's discuss adding Windows Defender to the default software inventory at the next feature fest.
cc @JoStableford
After further discussion, we will move this to an AV policy for Windows to show an auditor that AV is enabled.

```sql
SELECT 1 FROM windows_security_center wsc
CROSS JOIN windows_security_products wsp
WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date = 1;
```
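As an added example (not from this thread or the Fleet repo), here is how that AV policy could be shipped to dogfood via GitOps, paired with a reporting query that surfaces which AV product satisfied it; the YAML keys follow Fleet's GitOps policy/query format as I understand it, and the file location is assumed.

```yaml
# Assumed file: it-and-security/lib/windows/policies/windows-antivirus.yml
# Added example; not taken from the fleetdm/fleet repository.
policies:
  - name: Antivirus enabled and signatures up to date (Windows)
    platform: windows
    critical: false
    description: >-
      Passes when Windows Security Center reports a healthy antivirus and at
      least one registered antivirus product has current signatures.
    resolution: >-
      Open Windows Security, turn on Microsoft Defender Antivirus (or the
      installed third-party AV) and run a definitions update.
    query: >-
      SELECT 1 FROM windows_security_center wsc
      CROSS JOIN windows_security_products wsp
      WHERE wsc.antivirus = 'Good'
        AND wsp.type = 'Antivirus'
        AND wsp.signatures_up_to_date = 1;

queries:
  - name: Windows antivirus products
    platform: windows
    description: >-
      Lists every registered AV product with its state so auditors can see
      which product (e.g. Defender) is protecting the host.
    interval: 86400
    observer_can_run: true
    automations_enabled: false
    logging: snapshot
    query: >-
      SELECT wsp.name, wsp.state, wsp.signatures_up_to_date,
             wsc.antivirus AS security_center_status
      FROM windows_security_products wsp
      CROSS JOIN windows_security_center wsc
      WHERE wsp.type = 'Antivirus';
```

Because the policy joins on any `Antivirus` row, it passes for whichever AV product is registered, not only Defender; the companion query is what tells you which one it was.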
It looks like we hand Vanta a software list to check this. Thus, we need to add Defender to the software list.
Estimations: BE 5, FE 1
On the backend side, use the table mentioned in the Figma to collect this extra info. On the FE side, match the proper logo to the software.
FYI customer-zabinksi asked about this today for the same use case.
@mostlikelee Moving this ticket back to "Ready for spec" on the drafting board because there are still "TODOs" listed under the "Engineering" header.
@mostlikelee reminder that this one is ready to spec. Can you please complete the "TODOs" in the "Engineering" section so we can estimate this one?
I took a look at this one to add a test plan draft, but per discussion we may need further investigation to determine the fix, and that will affect the test plan.
Playing catch-up a bit @noahtalerman, but it looks like adding MSIX support to osquery (#27199) fixed this. osquery 5.17.0 includes this fix, and while the version hasn't been officially released yet it's on edge already for Fleet, and we can see Defender listed in software now on a machine that's both Windows and on osquery 5.17.0. So if Vanta picks that up I think we got this feature for free?
Oh nice!
@rachaelshaw I'm adding this story to drafting and assigned you. What's left? Can we call this user story done?
Probably need to hit up @Sampfluger88 to see if Defender is showing up in Vanta.
Sending to IT and enablement to verify. Did this solution work? @Sampfluger88 is Defender showing up in Vanta?
@rachaelshaw Negative, the test never stops running (at least per the UI)