Monthly Archives: August 2013

Tracking software versions with WLS and Splunk

While initially intended to aid in detecting malware, the data WLS provides has many other uses. One that we use is to track software updates and outdated software being used on our network. In theory you could schedule a report similar to the ones below and automatically email people who are using incorrect software versions.

The search I used for the examples is shown below, and could easily be turned into a Splunk form where you can specify any BaseFileName for a quick report.

(EventID=4688 OR EventID=592) BaseFileName=firefox.exe  | dedup host | stats count(MD5) by CompanyName, FileVersion, ProductVersion, MD5

Breakdown:

  • Find all process creation events
    • (EventID=4688 OR EventID=592)
  • Find processes named “firefox.exe”
    • BaseFileName=firefox.exe
  • Deduplicate on host so each host contributes only its most recent execution
    • dedup host
  • Count the MD5 field, grouped by the listed fields
    • stats count(MD5) by CompanyName, FileVersion, ProductVersion, MD5
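To make the dedup and stats semantics of the search above concrete, here is an added example (not code from the original post or from WLS) that re-implements the same pipeline in Python over a handful of constructed WLS-style events. The event records, host names and MD5 placeholder strings are all constructed; a second helper lists the hosts whose latest run is not the approved build, which is the report the post suggests emailing out.

```python
from collections import Counter

# Constructed sample events; field names mirror the WLS fields used in the search.
# MD5 values are placeholders, not real hashes.
EVENTS = [
    {"_time": 500, "EventID": 4688, "host": "ws01", "BaseFileName": "firefox.exe",
     "CompanyName": "Mozilla Corporation", "FileVersion": "23.0", "ProductVersion": "23.0", "MD5": "md5-ff23"},
    {"_time": 400, "EventID": 4688, "host": "ws01", "BaseFileName": "firefox.exe",
     "CompanyName": "Mozilla Corporation", "FileVersion": "22.0", "ProductVersion": "22.0", "MD5": "md5-ff22"},
    {"_time": 300, "EventID": 592, "host": "ws02", "BaseFileName": "firefox.exe",
     "CompanyName": "Mozilla Corporation", "FileVersion": "22.0", "ProductVersion": "22.0", "MD5": "md5-ff22"},
    {"_time": 200, "EventID": 4688, "host": "ws03", "BaseFileName": "chrome.exe",
     "CompanyName": "Google Inc.", "FileVersion": "28.0", "ProductVersion": "28.0", "MD5": "md5-cr28"},
    # Not a process-creation event, so it must be ignored even though it names firefox.exe.
    {"_time": 100, "EventID": 4624, "host": "ws04", "BaseFileName": "firefox.exe",
     "CompanyName": "Mozilla Corporation", "FileVersion": "21.0", "ProductVersion": "21.0", "MD5": "md5-ff21"},
]

BY_FIELDS = ("CompanyName", "FileVersion", "ProductVersion", "MD5")


def latest_runs(events, base_file_name):
    """Filter + dedup stage: the most recent process-creation event per host for one binary."""
    latest = {}
    # Splunk returns events newest-first and dedup keeps the first one it sees per host,
    # so sorting by _time descending reproduces "most recent execution per host".
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        if ev["EventID"] not in (4688, 592):                 # (EventID=4688 OR EventID=592)
            continue
        if ev["BaseFileName"].lower() != base_file_name.lower():  # BaseFileName=<name>
            continue
        latest.setdefault(ev["host"], ev)                     # dedup host
    return latest


def version_report(events, base_file_name):
    """stats count(MD5) by CompanyName, FileVersion, ProductVersion, MD5 -> {by-tuple: host count}."""
    counts = Counter()
    for ev in latest_runs(events, base_file_name).values():
        if ev.get("MD5"):                                     # count(MD5) skips events lacking the field
            counts[tuple(ev[f] for f in BY_FIELDS)] += 1
    return dict(counts)


def hosts_not_running(events, base_file_name, approved_md5):
    """Hosts whose latest run of the binary is not the approved build (the list you would notify)."""
    return sorted(h for h, ev in latest_runs(events, base_file_name).items()
                  if ev.get("MD5") != approved_md5)
```

Because MD5 is in the by-clause, each row's count is simply the number of hosts whose latest execution was that exact binary, which is what makes the table useful as a version inventory.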

Example results!

firefox.exe [image: FirefoxVersions]

chrome.exe [image: ChromeVersions]

iexplore.exe [image: IExploreVersions]

acrord32.exe [image: AcroRd32Versions]

java.exe

Too embarrassing to post 😦

Have other ideas for using the data WLS provides? Let me know in the comments below or via the contact form.

What is WLS?

If you’d like more information on WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.0.0.55 Released

WLS 3.0.0.55 has been released! This release includes many new features, as well as enhanced performance and reduced CPU/memory utilization.

New Features:

  • Bad clock detection
  • Bandwidth throttling
  • Certificate store monitoring
  • File attribute collection as part of FileMetadata
  • Device monitoring – partial successor to WatchDevices
  • Drive monitoring – partial successor to WatchDevices
  • Network can be defined by min-max range (previously CIDR only)
  • Performance counter instance re-evaluation
  • Port monitoring now includes process id and name
  • Removable drive file monitoring
  • Tagging of logs by user defined regular expressions
