Using PowerShell to Assist in Scanning for Conficker

BEGIN SOAP BOX AND MY ENDORSEMENT FOR GOOD PRACTICES!

Follow these simple guidelines:

http://www.microsoft.com/protect/computer/viruses/worms/prevent.mspx

Make sure you are properly patched, your virus scanner is up to date, passwords are secure, auto-run is disabled, etc. (I recommend staying as up to date as humanly possible. Check often!) …. (to use the Seinfeld cliche) yadda, yadda, yadda…

END SOAP BOX!

Ok, let’s use PowerShell to do some scans.

First, download the scs.zip file from:  http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker

Unzip the scan tool to a directory.  I used C:\utilities\scs

This is a pretty simple script I came up with this morning. After spending most of my day at my company making sure that all systems were patched, it was time to make sure we didn’t have something out there. I use the following script and Windows scheduler to periodically scan (again, AFTER ensuring all systems are patched):

# Create a datestamp for files
function get-datestamp{
	$datestamp = "-" + (get-date).tostring("yyyyMMddHHmmss")
	return $datestamp
}
# Create timestamp (date and time, to the second) for scheduled scans
$FileTimeStamp = get-datestamp
# Path to the scanner and to the list of addresses it should check
$SCSScan = "c:\utilities\scs\scs.exe"
$SCSArguments = "c:\utilities\scs\iplist.txt"
# A path held in a string variable must be invoked with the call operator (&)
& $SCSScan $SCSArguments | Out-File "C:\temp\conflicker-scan-Subnet-$FileTimeStamp.txt"

Make sure to edit iplist.txt with your subnet IP addresses. I use SolarWinds to quickly generate an entire subnet address list, copy and paste from the first host to the last, paste into a text file, and save. Then you can use iplist.txt as an argument.
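The address list can also be generated in PowerShell itself. The following is an added example, not part of the original post: it assumes iplist.txt holds one IPv4 address per line, uses a constructed sample subnet (192.168.4.0/22) and a hypothetical function name, and needs PowerShell 3.0 or later for -shr.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0+ (-shr).
# Assumption: iplist.txt holds one IPv4 address per line.
function Get-SubnetHostList {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Cidr
    )

    $parts = $Cidr.Split('/')
    if ($parts.Length -ne 2) { throw "Expected address/prefix, got '$Cidr'" }

    $address = [System.Net.IPAddress]::Parse($parts[0])
    if ($address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 subnets are supported: '$Cidr'"
    }

    $prefix = [int]$parts[1]
    # Cap the size at a /16 so a typo cannot produce millions of lines
    if ($prefix -lt 16 -or $prefix -gt 30) {
        throw "Prefix length must be between 16 and 30, got $prefix"
    }

    # Dotted quad -> 64-bit integer (avoids signed 32-bit overflow)
    [int64]$ip = 0
    foreach ($octet in $address.GetAddressBytes()) { $ip = $ip * 256 + $octet }

    # Align to the subnet boundary, so 192.168.5.7/22 still starts at 192.168.4.0
    [int64]$size      = [math]::Pow(2, 32 - $prefix)
    [int64]$network   = $ip - ($ip % $size)
    [int64]$broadcast = $network + $size - 1

    # Emit usable hosts only: skip the network and broadcast addresses
    for ([int64]$n = $network + 1; $n -lt $broadcast; $n++) {
        (24, 16, 8, 0 | ForEach-Object { ($n -shr $_) -band 255 }) -join '.'
    }
}

# Constructed sample subnet; replace with your own. A /22 yields 1022 hosts.
$hosts = @(Get-SubnetHostList -Cidr '192.168.4.0/22')
# Plain ASCII text, one address per line
$hosts | Set-Content -Encoding ASCII 'C:\utilities\scs\iplist.txt'
"Wrote $($hosts.Count) addresses"
```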

Then, all you have to do is set up Windows scheduler.

Use the following command-line for the scheduled task:

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe C:\scripts\POSH\start-SCSScan.ps1

A /22 subnet took about 10-14 minutes depending on how busy the system was that I ran it on (which was a WinXP SP3 machine with an AMD processor and 2GB RAM; not a workhorse machine by any stretch of the imagination, but just realize that it doesn’t take all that long to run).

So, each time you run this, you will have a time-stamped file noting when the scan began.