APM windows KB posture checks

Question

I would like to understand how the APM (posture check) windows KB checks works exactly.

Based on the sample condition below, will the F5 compares all of the KB's or any one or few of them to pass the connection successfully.

Expression: expr { [mcget {session.windows_info_os.last.updates}] contains "123456" || [mcget {session.windows_info_os.last.updates}] contains "7891011" || [mcget {session.windows_info_os.last.updates}] contains "3247922"

Is there any order in which the KB checks happen?

We observed an issue with a user unable to connect to VPN due to KB checks failing. The client machine had a few additional KB's compared with access profile.

We still had common/matching KB's on F5 and client machine.

Later once we added the additional KB on client machine to access profile, it resolved the issue.

lucas_thompson · Answer

The KB endpoint checks are performed on the client machine by using a Windows API to obtain the OS patch info, transformed into a list, signed, transmitted to APM, then verified with whatever expression you have set up. So all BIG-IP does here is obtain a simple text string.
In your example you have:
expr { [mcget {session.windows_info_os.last.updates}] contains "123456" || [mcget {session.windows_info_os.last.updates}] contains "7891011" || [mcget {session.windows_info_os.last.updates}] contains "3247922"&nbsp;
Leaving aside the missing end square and curly-braces, this is essentially 3 IF statements joined by an OR (||) operator, so there is no precedence here, it's just "X contains A or X contains B or X contains C" If X has A, B, or C it'll match.
It may be that X (session.windows_info_os.last.updates)&nbsp;wasn't being transmitted to BIG-IP correctly. In that case, you'll have to check the session variable viewer or logs to obtain the raw value of that session variable.&nbsp;
There are also some rare cases where strings become malformatted due to the our TCL script interpreter, but this usually happens with non-ASCII characters.

f5team · Answer

Hi Lucas,Thanks for the update.Could you help confirm more details on the Windows API and how does it fetch the OS patch info and transmit to APM.would the API use commands similar to "wmic qfe list full / brief" or any other specific commands&nbsp;

lucas_thompson · Answer

After a more thorough review, it appears that this particular function is part of the OPSWAT / OESIS functionality that we include in the client. We use the "GetInstalledPatches" method documented here:
https://software.opswat.com/OESIS_V4/html/c_method.html
&nbsp;Sorry for the confusion.

Forum Discussion

APM windows KB posture checks

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

Windows Critical RCE Vulnerability, Malicious Solana-py, and EDRKillShifter

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows

Pegasus, Salt Typhoon, Turla Covert Campaign, Windows 11 TPM2.0, and Chrome's 'Store Review'

Check a Virtual Server's SSL Status

Nginx vs Windows

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS