Identifying and Vaccinating Your Computers Against NotPetya

4/26/2018

You wish to identify and vaccinate computers against the NotPetya ransomware exploit using PDQ Inventory and PDQ Deploy.

There are two parts to this resolution. The first is identifying which computers are not vaccinated against NotPetya. The other part is vaccinating those computers.

Identify Vulnerable Computers
In order to identify computers that are not vaccinated against NotPetya, you will need to create a custom Scan Profile and a Dynamic Collection. To create the Scan Profile, perform the following:

1. Open PDQ Inventory and go to Options > Scan Profiles.

2. Click on the New button and name the scan profile something meaningful.

3. Click on the Add button and select Files.

4. In the Include Pattern(s) section of the Files Scanner, add the location to scan for the perfc files: C:\Windows\perfc*.

5. Click OK, and OK again. Close out of the Scan Profiles window.

6. Scan the targets you would like to check for the existence of the perfc files (you can select one computer, multiple computers, or any collection to scan).

Create a Dynamic Collection to Display the Scan Results
1. Open PDQ Inventory and click on the New Dynamic Collection icon in the toolbar.

2. Name the collection something meaningful.

3. Use the following filter:

4. Click OK to save the collection. The collection will contain any computer that does not have perfc, perfc.dll, and perfc.dat in C:\Windows, including any computer that could not be scanned with the custom Files scanner you created above. NOTE: If you want to know which computers are vaccinated, change the "Not Any" to "All" or "Any".

Vaccinating Your Computers Against NotPetya
We will use PDQ Deploy to create the perfc, perfc.dll, and perfc.dat files that have been identified as vaccinating against the exploit (for more information, please see our Blog Post regarding NotPetya).

1. Open PDQ Deploy, select New Package from the toolbar and name the package something meaningful.

2. Create a New Step > Command.

3. In the Command step, add the following to the Command field:

copy /B NUL C:\windows\perfc & attrib +R c:\windows\perfc
copy /B NUL C:\windows\perfc.dll & attrib +R c:\windows\perfc.dll
copy /B NUL C:\windows\perfc.dat & attrib +R c:\windows\perfc.dat

4. You should end up with a Command step that looks like this:

5. Save the package and test.

6. Deploy the package to all machines identified as vulnerable from the custom Scan Profile and Dynamic Collection you created above.
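
For spot-checking a single machine, the file check and the Command step above can be combined into one PowerShell function. This is an added example, not PDQ's own code: the file names and the C:\Windows location are the article's, while the function name, parameters and output fields are assumptions made for the example.

```powershell
# Added example: audit, and optionally create, the NotPetya vaccination files.
# Test-PerfcVaccination is a hypothetical name, not a PDQ or Windows cmdlet.
function Test-PerfcVaccination {
    [CmdletBinding()]
    param(
        # Folder to check; defaults to the Windows directory (C:\Windows).
        [string]$Directory = $env:SystemRoot,
        # When set, create any missing file and mark it read-only.
        [switch]$Remediate
    )

    foreach ($name in 'perfc', 'perfc.dll', 'perfc.dat') {
        $path   = Join-Path -Path $Directory -ChildPath $name
        $action = 'None'
        # -Force so hidden/system files are found; ignore folders of the same name.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }

        if ($Remediate) {
            try {
                if (-not $item) {
                    # Same result as "copy /B NUL <file>": an empty file.
                    $item   = New-Item -Path $path -ItemType File -ErrorAction Stop
                    $action = 'Created'
                }
                if (-not $item.IsReadOnly) {
                    # Same result as "attrib +R <file>".
                    $item.IsReadOnly = $true
                    if ($action -eq 'None') { $action = 'SetReadOnly' }
                }
            }
            catch {
                # Typical causes: not elevated, or a folder already uses the name.
                $action = "Failed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Path         = $path
            Exists       = [bool]$item
            ReadOnly     = [bool]($item -and $item.IsReadOnly)
            Action       = $action
        }
    }
}

# Report only. Add -Remediate from an elevated session to create the files.
Test-PerfcVaccination | Format-Table -AutoSize
```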

See Also:
Vaccinating All Your Network Machines Against NotPetya