By Datto, For the MSP Community
This is a PowerShell-based script that can be run on a Windows system (it has been neither written for, nor tested with, other platforms) to:
- (Optionally) inoculate the system against Log4Shell attacks with vulnerable Log4j versions by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to TRUE
- Check whether any JAR files on the system contain code linking them to a vulnerable Log4j version
  - This is not conclusive and should be used for reference only
- Using the YARA tool and Florian Roth's definitions, check all JAR, LOG and TXT files on the system for indicators of Log4Shell attacks
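The JAR check above works by looking inside each archive for the Log4j 2 class that Log4Shell abuses. The following is an added example of that kind of check written for this README; it is not the Datto script's own code, and the function names and the two-level nesting limit are my own choices. It enumerates JAR/WAR/EAR files under a root, opens each as a zip archive, reports archives that carry org/apache/logging/log4j/core/lookup/JndiLookup.class and, where log4j-core's pom.properties is present, the version it declares.

```powershell
# Added example (not the Datto script's own code): find archives that contain the
# Log4j 2 JndiLookup class. Like the script's own check this is an indicator, not
# proof: a shaded or repackaged copy of log4j-core may carry the class with no
# version string at all, so 'unknown' results still need a manual look.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$JndiClass = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$PomProps  = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'

function Find-JndiLookup {
    param(
        [Parameter(Mandatory)][System.IO.Stream]$Stream,
        [Parameter(Mandatory)][string]$Name,
        [int]$Depth = 0
    )
    $zip = $null; $hasJndi = $false; $version = 'unknown'
    try {
        $zip = New-Object System.IO.Compression.ZipArchive($Stream, [System.IO.Compression.ZipArchiveMode]::Read)
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -eq $JndiClass) {
                $hasJndi = $true
            }
            elseif ($entry.FullName -eq $PomProps) {
                # log4j-core records its version in pom.properties; keep it for the report.
                $reader = New-Object System.IO.StreamReader($entry.Open())
                $text = $reader.ReadToEnd(); $reader.Dispose()
                $line = ($text -split "`n") | Where-Object { $_ -match '^version=' } | Select-Object -First 1
                if ($line) { $version = ($line -replace '^version=', '').Trim() }
            }
            elseif ($Depth -lt 2 -and $entry.FullName -match '\.(jar|war|ear)$') {
                # Nested archive (fat jar, WAR lib/): copy it into memory and recurse.
                $ms = New-Object System.IO.MemoryStream
                $es = $entry.Open(); $es.CopyTo($ms); $es.Dispose()
                $ms.Position = 0
                Find-JndiLookup -Stream $ms -Name "$Name!$($entry.FullName)" -Depth ($Depth + 1)
            }
        }
    }
    catch {
        Write-Warning "Could not read $Name as a zip archive: $($_.Exception.Message)"
    }
    finally {
        # Disposing the archive also closes the underlying stream.
        if ($zip) { $zip.Dispose() } else { $Stream.Dispose() }
    }
    if ($hasJndi) {
        [pscustomobject]@{ Archive = $Name; Log4jCoreVersion = $version }
    }
}

function Invoke-JarScan {
    param([Parameter(Mandatory)][string[]]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.jar,*.war,*.ear -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { $fs = [System.IO.File]::OpenRead($file.FullName) }
            catch { Write-Warning "Cannot open $($file.FullName): $($_.Exception.Message)"; return }
            Find-JndiLookup -Stream $fs -Name $file.FullName
        }
}

# Usage: scan the system drive and tabulate the findings.
Invoke-JarScan -Root "$env:SystemDrive\" | Format-Table -AutoSize
```

Run it from an elevated session so that service directories are readable; archives held open by a running JVM are reported as warnings rather than aborting the scan.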
The script was originally developed as a Component for the Datto RMM software; however, as part of Datto's ongoing commitment to the MSP, it has been released for free for the Community.
Three environment variables (i.e. $env:variableName) must be furnished, either by editing the script or by adding them in your runtime environment:
- usrScanScope
- Value of 1: Only scan home drive (usually C:) (Fastest scan time)
- Value of 2: Scan all fixed and removable drives
- Value of 3: Scan all drives, including Network drives (Slowest scan time -- may take several hours)
- usrUpdateDefs
  - Value of true: Download the latest YARA definitions from Florian Roth to scan files against
  - Value of false: Use the definitions attached
- usrMitigate
  - Value of Y: Inoculate system by setting LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to TRUE
  - Value of N: De-inoculate system by setting LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to FALSE (Use with caution!)
  - Value of X: Ignore inoculation subroutine entirely
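As an added example of how the three variables above can be consumed (this is not the Datto script's own code; the variable names and accepted values are the ones in this README, the function names are mine), the block below maps usrScanScope onto a set of drive roots, reads usrUpdateDefs, and applies usrMitigate by writing LOG4J_FORMAT_MSG_NO_LOOKUPS at machine scope after confirming the session is elevated.

```powershell
# Added example (not the Datto script's own code): read usrScanScope,
# usrUpdateDefs and usrMitigate from the environment and act on them.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ScanRoots {
    param([Parameter(Mandatory)][ValidateSet('1', '2', '3')][string]$Scope)
    if ($Scope -eq '1') { return @("$env:SystemDrive\") }
    # Win32_LogicalDisk.DriveType: 2 = removable, 3 = fixed, 4 = network.
    $types = if ($Scope -eq '2') { @(2, 3) } else { @(2, 3, 4) }
    Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $types -contains $_.DriveType } |
        ForEach-Object { "$($_.DeviceID)\" }
}

function Set-Log4jLookupMitigation {
    param([Parameter(Mandatory)][ValidateSet('Y', 'N', 'X')][string]$Mode)
    if ($Mode -eq 'X') { Write-Host 'Inoculation subroutine skipped.'; return }
    if (-not (Test-IsAdministrator)) {
        throw 'A machine-wide environment variable can only be set from an elevated session.'
    }
    # N de-inoculates (sets FALSE); the README flags that as "use with caution".
    $value = if ($Mode -eq 'Y') { 'true' } else { 'false' }
    # Machine scope persists the value in the registry: processes started afterwards
    # inherit it, but Java services that are already running must be restarted.
    [Environment]::SetEnvironmentVariable('LOG4J_FORMAT_MSG_NO_LOOKUPS', $value, [EnvironmentVariableTarget]::Machine)
    Write-Host "LOG4J_FORMAT_MSG_NO_LOOKUPS set to '$value' (machine scope)."
}

function Get-ScanSettings {
    # Defaults when a variable is unset: quickest scan, bundled definitions, no change to the system.
    $scope    = if ($env:usrScanScope) { $env:usrScanScope } else { '1' }
    $mitigate = if ($env:usrMitigate)  { $env:usrMitigate.ToUpper() } else { 'X' }
    $update   = ($env:usrUpdateDefs -eq 'true')
    [pscustomobject]@{ Scope = $scope; Mitigate = $mitigate; UpdateDefs = $update }
}

# Usage:
$settings = Get-ScanSettings
Set-Log4jLookupMitigation -Mode $settings.Mitigate
$roots = Get-ScanRoots -Scope $settings.Scope
Write-Host "Update definitions: $($settings.UpdateDefs); scan roots: $($roots -join ', ')"
```

Two caveats worth keeping in mind when relying on the inoculation: the variable is only honoured by Log4j 2.10 and later, and the Log4j project subsequently judged the no-lookups setting an incomplete mitigation, so it buys time for patching rather than replacing an upgrade of log4j-core.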
- Yara 4.1.3-1755 (32- & 64-bit) & COPYING document
- Florian Roth's YARA definitions for Log4Shell as of 13th December 2021
- Build 8b > Build 9c
- Readability improvements for users running script from a single PowerShell console window
- Log.txt and L4JDetections.txt will be written to local directories if C:\ProgramData\CentraStage does not exist
- Example variables commented out at beginning of script for easy onboarding
- Script now checks for administrative status
- Script no longer refers to UDFs for non-RMM partners
This script was written by seagull for Datto RMM and the wider MSP Community. It may be freely copied, edited and redistributed provided credits to Datto, seagull & a link to this GitHub repo remain in the comments.
YARA is a tool by the VirusTotal project. The definitions used here were created by Florian Roth.
www.datto.com/rmm