Proposed change for nasl to check for file existence

Hello, I’d like to propose a change to gb_ms_windows_defender_priv_escal_vuln_jul20.nasl, which reports on an insecure version of MpSigStub.exe for Windows Defender. Currently, the file only checks the registry for the expected version of the database.
Per the link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1461

The definitions are not updating on my system. What do I do?
This security update is delivered only through definition updates. This cannot happen if Defender is in a disabled state (such as in the case of a third-party antivirus product providing real time protection).
If Defender is disabled, you can delete the vulnerable file from the system: C:\WINDOWS\System32\MpSigStub.exe.

Given the lack of ability to update the file while a third party AV is installed, and the fact that it appears Windows Defender is not a commonly used antivirus for enterprise, I would like to propose the following changes to the nasl to check for the existence of the MpSigStub.exe file, and only report if the file does exist.

diff --git a/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl b/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
index 1010e3e..7e2f20b 100644
--- a/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
+++ b/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
@@ -22,11 +22,11 @@
 if(description)
 {
   script_oid("1.3.6.1.4.1.25623.1.0.817314");
-  script_version("2020-07-30T04:31:19+0000");
+  script_version("2020-12-11T18:18:32+0000");
   script_cve_id("CVE-2020-1461");
   script_tag(name:"cvss_base", value:"3.6");
   script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:N/I:P/A:P");
-  script_tag(name:"last_modification", value:"2020-07-30 04:31:19 +0000 (Thu, 30 Jul 2020)");
+  script_tag(name:"last_modification", value:"2020-12-11 18:18:32 +0000 (Thu, 30 Jul 2020)");
   script_tag(name:"creation_date", value:"2020-07-27 11:50:35 +0530 (Mon, 27 Jul 2020)");
   script_name("Microsoft Defender Elevation of Privilege Vulnerability-July 2020");

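Review bot: the human-readable suffix of the new last_modification value still reads "(Thu, 30 Jul 2020)" while the timestamp in front of it was changed to 2020-12-11 18:18:32 +0000; the two halves of that string should agree, so the suffix needs to become "(Fri, 11 Dec 2020)" to match the new script_version.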
@@ -63,7 +63,7 @@ if(description)
   script_tag(name:"solution", value:"Run the Windows Update to update the malware
   protection engine to the latest version available. Typically, no action is
   required as the built-in mechanism for the automatic detection and deployment
-  of updates will apply the update itself.");
+  of updates will apply the update itself. Alternatively, delete the MpSigStub.exe file.");

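Review bot: the added sentence "Alternatively, delete the MpSigStub.exe file." drops the condition the advisory attaches to that workaround: deleting the file is only appropriate when Defender is disabled (for example because a third-party antivirus provides real-time protection) and definition updates therefore cannot be applied. Suggest spelling that out in the solution text, e.g. "If Windows Defender is disabled (such as when a third-party antivirus provides real-time protection) and definition updates cannot be applied, delete the vulnerable file C:\WINDOWS\System32\MpSigStub.exe instead.", so the fix text does not read as advice to remove a file an active Defender installation still relies on.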
   script_tag(name:"solution_type", value:"VendorFix");
   script_tag(name:"qod_type", value:"executable_version");
@@ -87,6 +87,12 @@ if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2, win8_1:1, win8_1x64:1,win2012
   exit(0);
 }

+sysPath = smb_get_system32root();
+mpstigstubVer = fetch_file_version(sysPath:sysPath, file_name:"MpStigStub.exe");
+if (!mpstigstubVer) {
+  exit(0);
+}
+
 key = "SOFTWARE\Microsoft\Windows Defender";
 if(!registry_key_exists(key:key)){
   exit(0);

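Review bot: the file name passed to fetch_file_version is misspelled: file_name:"MpStigStub.exe" has a stray "t", while the vulnerable binary named throughout this thread and in the advisory is MpSigStub.exe. As written the lookup never finds the file, so the new `if (!mpstigstubVer) { exit(0); }` makes the whole check a no-op and every host is reported as not affected. Rename the variable to match as well (mpsigstubVer). Two smaller points: the call already returns the binary's version string, so rather than discarding it after the existence test it could feed the version comparison that the registry lookup below performs, which would also fit the qod_type "executable_version" set in the header; and the surrounding code uses `if(!...){` with no spaces (see the registry_key_exists line), so the new block should follow that style.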
It’s a seemingly simple change, and I’ve attempted to follow the conventions as seen by the other nasl files, but please review.
I’ve attempted to run openvas-nasl against the file and my server, but I’m not sure how to pass the credentials to the command, nor was I easily finding the config file definition.

openvas-nasl -X -B -d -i /var/lib/openvas/plugins -t <server> gb_ms_windows_defender_priv_escal_vuln_jul20.nasl

Let me know if there’s anything else I can do for this.

Thank you.

Hello,

Just checking: has this been reviewed? Is there something else I can provide regarding this?

Thank you.

Thanks for your report. It seems this thread was missed by the team working on this topic.

I have created an internal issue to review your suggestion.

I just received the feedback that the proposed changes got applied with some minor modifications and the change should be available in one of the next feed updates.

Thanks again for your report.