Hello Michael,
Thank you for the support session.
Based on your clarifications on the logic rules I was able to determine the vulnerability status. I copy them here so others may benefit too.
SA-00075 Any major version AMT 6-11 will be impacted
Major Minor Hotfix Version Build
Two numbers to key off of are "Major" and "Build"
SA-00075
Major between 6-11
and
Version Build >3000
If conditions are met, given systems are NOT vulnerable
SA-00086
If conditions are met, systems are vulnerable
ME Versions 11.x.x.x with SVN < 3
ME Version 10.x.x.x < 10.0.56.3002*
ME Version 9.5.x.x < 9.5.61.3012*
ME Version 9.0.x.x < 9.1.42.3002*
ME Version 8.x.x.x < 8.1.72.3002*
The following SQL queries target my vulnerable systems.
--Intel SA-00075
-- Lists machines with AMT major version 6-11 whose build number is below 3000.
SELECT vc.Name
    ,hw.Model
    ,vpro.[FWVersion]
    ,Right(vpro.FWVersion,4) as Build  -- last four characters of the version = build number
FROM vComputer vc
left join [Symantec_CMDB].[dbo].[Inv_vPro] vpro on vpro._ResourceGuid = vc.Guid
left join vHWComputerSystem hw on hw._ResourceGuid = vc.Guid
where
(
    vpro.FWVersion like '6%'
    or vpro.FWVersion like '7%'
    or vpro.FWVersion like '8%'
    or vpro.FWVersion like '9%'
    or vpro.FWVersion like '10%'
    or vpro.FWVersion like '11%'
)
and Right(vpro.FWVersion,4) < 3000
--Intel SA-00086
-- Lists managed machines whose ME firmware falls in one of the affected ranges.
-- Note: BETWEEN compares FWVersion as text, character by character.
SELECT vc.Name
    ,vc.[OS Name]
    ,hw.Model
    ,vpro.[FWVersion]
FROM vComputer vc
left join [Symantec_CMDB].[dbo].[Inv_vPro] vpro on vpro._ResourceGuid = vc.Guid
left join vHWComputerSystem hw on hw._ResourceGuid = vc.Guid
where vc.IsManaged = 1
and
(
    -- 11.x: keyed off the build number
    (vpro.FWVersion like '11%' and Right(vpro.FWVersion,4) < 3000)
    or
    (vpro.FWVersion between '10.0.0.0' and '10.0.56.3001')
    or
    (vpro.FWVersion between '9.5.0.0' and '9.5.61.3011')
    or
    (vpro.FWVersion between '9.0.0.0' and '9.1.42.3001')
    or
    (vpro.FWVersion between '8.0.0.0' and '8.1.72.3001')
    or
    -- 6.x and 7.x: only the full AMT SKU
    (vpro.FWVersion like '7%' and (vpro.AMTSKU = 'Intel(R) Full AMT Manageability' or vpro.AMTSKU = 'Full AMT Manageability'))
    or
    (vpro.FWVersion like '6%' and (vpro.AMTSKU = 'Intel(R) Full AMT Manageability' or vpro.AMTSKU = 'Full AMT Manageability'))
)
Of course your database may look different, but you get the idea.
As for the detection tools for SA-00075 and SA-00086, I am not going to use them.
For me the subject can be closed.
Thanks
Tomasz
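
Added example, not part of the original post: the BETWEEN filters above compare FWVersion as text, so a version such as 10.0.6.x sorts after 10.0.56.x and can fall outside the range. The T-SQL below applies the posted SA-00086 thresholds for the 8.x, 9.x and 10.x branches numerically with PARSENAME, next to the text comparison; host names, version values and all CTE and column names are constructed for illustration, and the 11.x SVN rule and the 6.x/7.x SKU rule are left out.

```sql
-- Added example (T-SQL, SQL Server 2008+). Host names and versions are constructed.
WITH fw AS (
    SELECT * FROM (VALUES
        ('PC-A', '10.0.6.1000'),   -- hotfix 6 is numerically below 56
        ('PC-B', '10.0.56.3002'),  -- exactly the first fixed build
        ('PC-C', '9.1.5.1000'),    -- hotfix 5 is numerically below 42
        ('PC-D', '9.5.61.3012'),
        ('PC-E', '8.1.72.3001')
    ) AS t (Name, FWVersion)
),
-- SA-00086 thresholds as posted: a branch is affected below FirstFixed.
thresholds AS (
    SELECT * FROM (VALUES
        ('10.0.0.0', '10.0.56.3002'),
        ('9.5.0.0',  '9.5.61.3012'),
        ('9.0.0.0',  '9.1.42.3002'),
        ('8.0.0.0',  '8.1.72.3002')
    ) AS r (BranchStart, FirstFixed)
),
-- One sortable integer per version string.
-- Assumes four dotted parts, each < 10000; anything else yields NULL and is not matched.
keyed AS (
    SELECT v.V,
           ((CAST(PARSENAME(v.V, 4) AS bigint) * 10000
           + CAST(PARSENAME(v.V, 3) AS bigint)) * 10000
           + CAST(PARSENAME(v.V, 2) AS bigint)) * 10000
           + CAST(PARSENAME(v.V, 1) AS bigint) AS K
    FROM (SELECT FWVersion AS V FROM fw
          UNION SELECT BranchStart FROM thresholds
          UNION SELECT FirstFixed FROM thresholds) AS v
),
threshold_keys AS (
    SELECT lo.K AS Lo, hi.K AS Hi
    FROM thresholds r
    JOIN keyed lo ON lo.V = r.BranchStart
    JOIN keyed hi ON hi.V = r.FirstFixed
)
SELECT f.Name, f.FWVersion,
       CASE WHEN n.Lo IS NOT NULL THEN 'vulnerable' ELSE 'not flagged' END AS NumericCompare,
       CASE WHEN s.FirstFixed IS NOT NULL THEN 'vulnerable' ELSE 'not flagged' END AS StringCompare
FROM fw f
JOIN keyed kf ON kf.V = f.FWVersion
LEFT JOIN threshold_keys n ON kf.K >= n.Lo AND kf.K < n.Hi  -- numeric range test
LEFT JOIN thresholds s ON f.FWVersion >= s.BranchStart      -- character-by-character test
                      AND f.FWVersion <  s.FirstFixed
ORDER BY f.Name;
```

Rows where the two result columns disagree are machines a text-based range filter would misclassify; to use this against a real inventory, replace the `fw` CTE with the inventory join.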