
Snow Inventory Agent Script - PKFail Sensor 1

Here you can find the release notes for Snow Inventory Agent Script - PKFail Sensor 1.


1.0.0 latest

Release date: 2024-08-12

(CDC-5390)

Compatible Versions

Snow Inventory Agent for Windows: 7 or later
Microsoft PowerShell: 3 and later

Information

The script scan-PKFailSensor.ps1 is designed to check whether a system's BIOS settings are affected by PKFail. The vulnerability in SecureBoot was detected on over 200 different computer models from various manufacturers.

The script must be executed as part of the Snow Inventory Agent for Windows. For more information, see Running PowerShell scripts as part of the scanning process on Snow Docs.

If you want to run a manual scan, you must execute the script with the appropriate permissions. Execute using sc.exe control SnowInventoryAgent5 128, as described in the Windows Agent - Command line topic on Snow Docs.

For debugging purposes, the script can be executed manually and supports common parameters, so you will receive detailed logs using the command Scan-PKFailSensor.ps1 -Debug -InformationAction 'Continue'.

The script is digitally signed by Snow Software AB for enhanced security and verification.

Function

The script uses the Get-SecureBootUEFI -Name PK command to retrieve the certificate in use. It then tries to validate the certificate against a list of affected certificates. In a second step, it validates the certificate against the known strings "DO NOT TRUST" and "DO NOT SHIP".
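The two checks described above, sketched as an added example (this is not Snow Software's or Flexera's script). The function name Test-PKFailMarker, its AffectedThumbprints parameter and the sample blobs are hypothetical; the page does not publish the affected-certificate list, so that list is left as an empty placeholder.

```powershell
# Added example, not the vendor's script: checks a Platform Key (PK) blob for test-key markers.
$Markers = 'DO NOT TRUST', 'DO NOT SHIP'      # the two strings named on this page

function Test-PKFailMarker {
    param(
        [Parameter(Mandatory = $true)][byte[]]$PkBytes,
        [string[]]$AffectedThumbprints = @()   # placeholder: the page does not publish its list
    )
    $r = [ordered]@{ Affected = $false; Reason = $null; Subject = $null; Thumbprint = $null }
    $names = ''
    # PK is an EFI_SIGNATURE_LIST: 16-byte type GUID, three 32-bit sizes (list, header,
    # signature), optional header, then a 16-byte owner GUID followed by the X.509 DER cert.
    try {
        $headerSize = [BitConverter]::ToInt32($PkBytes, 20)
        $sigSize    = [BitConverter]::ToInt32($PkBytes, 24)
        $start      = 28 + $headerSize + 16
        $end        = $start + ($sigSize - 16) - 1
        if ($headerSize -ge 0 -and $sigSize -gt 16 -and $end -lt $PkBytes.Length) {
            $der  = [byte[]]$PkBytes[$start..$end]
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
            $r.Subject    = $cert.Subject
            $r.Thumbprint = $cert.Thumbprint
            $names        = $cert.Subject + "`n" + $cert.Issuer
        }
    } catch { }   # malformed or non-X.509 content: fall through to the raw string check

    # Check 1: certificate thumbprint against the affected list.
    if ($r.Thumbprint -and ($AffectedThumbprints -contains $r.Thumbprint)) {
        $r.Affected = $true; $r.Reason = 'thumbprint on affected list'
    }
    # Check 2: marker strings, searched in the parsed names and in the raw bytes,
    # so a blob that fails to parse is still examined.
    $text = $names + "`n" + [Text.Encoding]::ASCII.GetString($PkBytes)
    foreach ($m in $Markers) {
        if (-not $r.Affected -and $text.IndexOf($m, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $r.Affected = $true; $r.Reason = "marker string '$m'"
        }
    }
    [pscustomobject]$r
}

# Constructed samples (not real keys): a 44-byte zeroed header followed by an ASCII name.
$bad  = (New-Object byte[] 44) + [Text.Encoding]::ASCII.GetBytes('CN=DO NOT TRUST - constructed sample')
$good = (New-Object byte[] 44) + [Text.Encoding]::ASCII.GetBytes('CN=Constructed Vendor Platform Key')
Test-PKFailMarker -PkBytes $bad
Test-PKFailMarker -PkBytes $good

# On a UEFI system with sufficient privileges, pass the live variable instead:
# Test-PKFailMarker -PkBytes (Get-SecureBootUEFI -Name PK).Bytes
```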

If the system is affected, the script creates an artificial software row with the parameters Name = "SECURITY - PKFailSensor:Positive", Manufacturer = "Flexera Software LLC" and Path = "scan_reg", which can be used in software recognition.

The script also returns other values for validation purposes. Those are returned as CustomRegKey in the RegKey HKEY_LOCAL_MACHINE\Software\Snow Software\PKFailSensor.

It returns the script manifest using the name scan-PSFailSensor.

MediumIntegrity

This script needs medium integrity to access the Get-SecureBootUEFI command and UEFI stores.

Troubleshooting

Custom encryption might need to be applied to this script when running on Snow Inventory Agent for Windows prior to version 7, as it will not be executed in medium integrity.

DEPRECATED

  • There will be no encrypted snow-ps1 version of this script provided by Snow Software.

CURRENT LIMITATIONS

N/A

3rd party attribution

The script uses parts of the research of Binarly Inc.


Flexera does not own the third party trademarks, software, products, or tools (collectively, the "Third Party Products") referenced herein. Third Party Product updates, including user interface updates, may not be reflected in this content.