< Blog

Petya/NotPetya Kill Switch and SCCM

By Garth Jones

There’s yet another WannaCry variant out there and this time it’s called Petya! I heard about a method in ZDNet from Amit Serper that will prevent this variant of WannaCry/Petya from infecting computers.

This method involves creating a file called perfc with no file extension.

In my opinion this is solely a stop-gap measure, but in spite of its apparent short-comings, I decided that I’d figure out a way to easily implement it by using System Center Configuration Manager (SCCM) and Configuration Item (CI).

I’m going to use SCCM 1702 in my example below, BUT there isn’t any reason why it shouldn’t work with all versions of SCCM going back to 2007.

I wrote this script in PowerShell, and I will use this script for both CI checking and CI remediation.

$win=$env:windir
$strFileName=”$win\perfc.”

If (Test-Path $strFileName){
    ## Do nothing
}Else{
    #write-host “file does not exist, Creating”
    Add-Content -Path $strFileName -Value “”
}

If (Test-Path $strFileName){
    write-host “file exist”
}Else{
    #write-host “file does not exist, Creating”
    #Add-Content -Path $strFileName -Value “”
}
Exit

Create Configuration Item

Open the SCCM console. Select the Assets and Compliance node, expand Compliance Settings | Configuration Items. Then in the ribbon, select Create Configuration Item.

General Tab

Give the Configuration Item (CI) a Name and click Next. I called it, “Wanna Cry Kill Switch,” when creating this CI, but in hindsight maybe I should have called it, “Petya,” instead.

Supported Platforms

Click Next.

Settings
Click on the New button.

Create Setting

Enter a Name and click on the first Add Script button for the Discovery script. You will repeat the next step for the second arrow (Remediation script) too.

Edit Discovery Script

Paste the script in the Script window and click OK.

Now back on the General tab, click on the second Add Script button for the Remediation script. Paste the script in the Script window and click OK.

Create Setting

After pasting the script in the Script window for both the Discovery script and the Remediation script, your window will look similar to the one above. Click OK to continue.

Settings

Click Next.

Compliance Rules

Click on the New button.

Create Rule

Click Browse…

Select Setting

Your CI should be selected by default, so next click on the Select button.

Create Rule

Enter file exist within the value text box. Change Noncompliance severity for reports to Critical before clicking on OK.

Compliance Rules

Click Next.

Summary

Click Next.

Completion

Click Close.

Create Configuration Baseline

On the Configuration Baselines node, in the ribbon, click on Create Configuration Baseline.

Create Configuration Baseline

Provide a Name. Next, click on Add and select Configuration Items.

Add Configuration Items

Locate your CI and click Add.

Add Configuration Items

Click OK.

Create Configuration Baseline

Click OK.

Deploy

Make sure that your baseline is selected and click on the Deploy button.

Deploy Configuration Baselines

Click on the Browse button in order to select a collection. Next change the Simple schedule to run every 1 Days. Once that is completed click on OK.

With that your client will evaluate this CI once they receive the policy. By default this will happen every 60 minutes.

Download Computer Policy

You can hurry-up the process by using Download Computer Policy. First, select a collection, click on Client Notifications and then click on Download Computer Policy.

Will this stop computers from being infected? I really don’t know, but based on what I read, it should help, so in my opinion it certainly can’t hurt!

There’s one last question that I should answer. How can you clean-up the $win\perfc. file? Simply use the same PowerShell script and adjust the logic to delete the file. Don’t forget to change the compliance setting too.

I hope that you find this blog post useful and if you have any questions, please feel free to contact me @GarthMJ.