- notageek.it di Mirko Iodice - http://www.notageek.it -

muicache! – Eng

Posted By Mirko On 22 Ottobre 2009 @ 19:51 In Progetti,Scripts | No Comments

cliccate qui ^[1] per la versione italiana di questa pagina

Shortly: an alternative solution which is able to collect information from every pc of a company's network about executed applications with the aim of identifying and maybe blocking malware and non-authorized software.

Authors: Mirko Iodice, Luca Alberti

Server-side script tested on: Windows 2000 Server (32 bit), Windows 2003 Server (32bit), Windows 2008 R2 (64 bit), Windows XP Professional (32bit), Windows Vista (32 bit and 64 bit), Windows 7 (32 bit)

Client-side script tested on: Windows 2003 Server (32bit) Windows XP Professional (32 bit), Windows Vista (32 bit and 64 bit)

Are you sure to have the complete control of what you have installed and are using on your network computers?

Just imagine the fact you are examinating a computer which is obviously showing signs of an infection. Once located the problem the first question you'll probably ask yourself is: "How is it possible that this pc has been infected?" The only thing you know for sure is that your operating system is completely up to date and that the user does not have any administrative rights on it. But checking it properly you'll find out that other kinds of software have been installed or used and you were not aware of it: Skype, Emule, uTorrent,… three programs which may cause a diffusion of non-authorized data and also permit the penetration of malware in your network. The problem of this scenario is that, in absence of complicated and expensive solutions (also administratively speaking) which enables you to monitor and block the outgoing network traffic, for OS's security and integrity you are relying only on the fact that "limited" users can't install programs without your permission. You are forgetting that today it is possible to download and use applications which can be simply installed in the user's security context…. You do not believe it? Watch the following video (1:45 min):

How do you resolve this problem and possibly set software restriction policies?

The toolkit "muichache!" tries to give you a steady answer to this question also showing how this is possible with the only tools already in your possession and also with a minimal impact on the network performance and the administrative costs.

The idea behind this tool is very simple: collect into a database various informations about the software executed by your users using only the technologies already available in a Microsoft Active Directory domain.
Starting from the values contained in the "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" registry key already existing in every network computer, muichache! is able to collect a majority of information for every single detected application:

its path within the file system
its description
its version
the SRP-string based on a MD5 hash fingerprint of the program's main executable
the user who used the program
the computer on which the above values were obtained
a series of time-related informations that can be used for deeper investigations

Once filled the database it will be automatically exported in XLS format so it will be easy to consult thanks to Microsoft Excel or OpenOffice.org Calc ^[2].

One of the most interesting aspects is given by the chance of having an SRP-string ^[3] for every single application obtained. It means that you already have sufficient information to create and maintain rules for Software Restriction Policies ^[3].

How does muicache! work in specific!? Which are the technologies used in detail?

muicache! is composed of two parts:

the first one, defined "Client", is composed of a WSH/VBScript which is executed on the networks computers thanks to a Logon Script Policy (Group Policy Object ^[4]) and is used to memorize all the necessary data on the Fileserver (in XML format). The script is also able to generate the SRP-string of the detected executables using the fciv.exe ^[5] utility which calculates the MD5 hash. Unfortunately fciv.exe is not included in Windows OS but it can be downloaded for free on the Microsoft website.
the second one, defined "Server", is composed of another WSH/VBScript which uses ADO ^[6] and imports the above mentioned XML files into a MDB database. The result is a report in XLS format. This technology is already pre-installed in every Windows OS and its functionality does not depend on the Microsoft Office Suite.

For further information please read the installation and user's guide ^[7].

Watch the following video showing you muichache! in action.

Download

muicache.zip ^[8] | version 1.0 | last update on October 22, 2009 | Read the installation and user's guide ^[7]

Known Issues

Windows 7 and Windows 2008 are not yet supported by the script RegToXml.vbs.
On 64-bit Windows Systems the script CollectData&XLSOutput.vbs exits showing the error "impossible to find the provider. Maybe it’s not installed correctly." To solve the problem execute the scripts using WSH engines ("cscript.exe" e "wscript.exe") located in the folder "C:\Windows\SysWOW64" instead of those predefined located in "C:\Windows\System32".

Changelog

22/10/2009 – muichace! v1.0 – initial release