Identifying Compromised SolarWinds Components

If you haven’t heard the news, a major exploit occurred in popular software from SolarWinds.  We encourage you to review Alert AA20-352A from the Cybersecurity & Infrastructure Security Agency.

In order to assist our customers in remediating this threat, we have added a product definition to PRS for the compromised versions.  While most anti-malware solutions will likely have addressed this by now, we offer this as an extra level of detection and confidence.

If PRS is working in your configuration and any of these programs are in your environment, you should already have this Product and be able to report on it.  It is important to understand the exploit is in a dll file in certain versions of the software.  We can not directly detect the dll or the presence of the exploit, but we can detect if the afflicted versions of the host program are present.  As such, this is a method to flag systems that need further remediation.  It is not a guarantee of exploit detection, nor any method of automatic remediation.

If you see Installs listed in your Products window for this new product, it is highly advised that you address these systems.  You can right click on the product and choose Audit -> Audit Products (PROD x comp) to get a report of all computers with the listed variants above.

Getting the Definition

If you do not see the Product on your server, do not assume that you’re safe.  Ensure that PRS checks are working on your server first.  Go into KeyConfigure -> Config -> General Settings -> PRS.  Verify the last check was successful.  If not, click Contact Now and contact Sassafras Support if you’re seeing issues.

You can also manually get the definition in KeyConfigure -> Tasks -> Find Product Definitions.  Type in solarwinds and search.  You’ll see the below item in the list.  Ensure it is checked (you can uncheck anything else potentially listed) and click Import.

Computer Audits

Remember that we can only show data from systems that have reported in to the server.  If you have machines without KeyAccess, you may want to address that as needed.  If your Audit cycle is set to the default 2 weeks, you may have stale data.  In KeyConfigure -> Config -> General Settings -> Audits you can set the default frequency at the top to daily in many environments (i.e. a couple thousand clients or less).  Larger sites may want to consider potential traffic impact and server load with increased frequency.  You can also always select a number of Computers and right click -> Request Audit to audit on demand.  Once Computers have submitted audits, you can then trigger a Product Audit instead of waiting overnight.  This again is in General Settings -> Audits -> Now ( button grayed out if currently in progress).

We hope this is helpful to anyone facing remediation of the compromise.

With a history in desktop support, systems administration, diverse software solutions, and creative problem solving, Yadin joined Sassafras after 15 years as a customer. His impact on the support team has been exceeded only by the exponential increase in bad puns and office plant life expectancy since his arrival.

Get started

If you want to get a free consultation without any obligations, fill in the form below and we'll get in touch with you.

Live Demo

  • Sassafras will not share your personal information, period. We take privacy seriously. You may opt out of our communications at any time.