Patch Management Solution

Hello,

Starting 29/03 we can see on all VISTA clients in Altiris 6.x, 7.0 the patch is trying to install every day and finished with error code 1. I think it is related to http://www.symantec.com/docs/TECH204098.

Does anybody have the same problem?

Hi Kada,

It would be great if you can provide the below information:

• 1. Operating System and Service Pack of the affected machines (Vista SP1 or SP2).
• 2. All file Version of below files at location, if any below file is not present on machine please mention it as Not Found:

1. ntdll.dll (C:\WINDOWS\system32)
2. ntkrnlpa.exe (C:\WINDOWS\system32)
3. ntoskrnl.exe (C:\WINDOWS\system32)

This information will helps us to analysis the issue.

Thanks,

Amol Sontakke

Hello Amol,

1. OS is Vista SP2.

2. ntdll.dll - 6.0.6002.22742 

ntkrnlpa.exe - 6.0.6002.23076
ntoskrnl.exe - 6.0.6002.23076

23076 - This version comes from MS13-031-http://support.microsoft.com/kb/2813170.

Then I tried to install MS11-011 manually but this was finished as "The patch doesn't apply to your system"

Then I tried to uninstall MS13-031 KB2813170 and after that I can see in Altiris Agent that MS11-011 is Installed and MS13-031 is planned for installation.

After uninstallation I have

CSDVersion is 512.
ntdll.dll - 6.0.6002.22742
ntkrnlpa.exe - 6.0.6002.22831
ntoskrnl.exe - 6.0.6002.22831

After manual installation of MS13-031 I got in AA that MS11-011 is not installed.

I think the problem can be in ntoskrnl.exe defined in InstalledRule.

I guess there is missing "Higher or same" for 6.0.6002.23000.

Hello Kada :D

Here is the IsInstalled inventory rule that I got from your system (via P.):

    AND {
        EXPR {
            OR {
                EXPR {
                    AND {
                        EXPR {
                            SAME
                            CSDVersion
                            HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows
                            256
                        }
                        EXPR {
                            OR {
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntdll.dll
                                            %windir%\system32\
                                            6.0.6001.18538
                                        }
                                        EXPR {
                                            LOWER
                                            ntdll.dll
                                            %windir%\system32\
                                            6.0.6001.19000
                                        }
                                    }
                                }
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntdll.dll
                                            %windir%\system32\
                                            6.0.6001.22777
                                        }
                                        EXPR {
                                            LOWER
                                            ntdll.dll
                                            %windir%\system32\
                                            6.0.6001.23000
                                        }
                                    }
                                }
                            }
                        }
                        EXPR {
                            OR {
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntkrnlpa.exe
                                            %windir%\system32\
                                            6.0.6001.18538
                                        }
                                        EXPR {
                                            LOWER
                                            ntkrnlpa.exe
                                            %windir%\system32\
                                            6.0.6001.19000
                                        }
                                    }
                                }
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntkrnlpa.exe
                                            %windir%\system32\
                                            6.0.6001.22777
                                        }
                                        EXPR {
                                            LOWER
                                            ntkrnlpa.exe
                                            %windir%\system32\
                                            6.0.6001.23000
                                        }
                                    }
                                }
                            }
                        }
                        EXPR {
                            OR {
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6001.18538
                                        }
                                        EXPR {
                                            LOWER
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6001.19000
                                        }
                                    }
                                }
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6001.22777
                                        }
                                        EXPR {
                                            LOWER
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6001.23000
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
                EXPR {
                    AND {
                        EXPR {
                            SAME
                            CSDVersion
                            HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows
                            512
                        }
                        EXPR {
                            OR {
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntdll.dll
                                            %windir%\system32\
                                            6.0.6002.18327
                                        }
                                        EXPR {
                                            LOWER
                                            ntdll.dll
                                            %windir%\system32\
                                            6.0.6002.19000
                                        }
                                    }
                                }
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntdll.dll
                                            %windir%\system32\
                                            6.0.6002.22505
                                        }
                                        EXPR {
                                            LOWER
                                            ntdll.dll
                                            %windir%\system32\
                                            6.0.6002.23000
                                        }
                                    }
                                }
                            }
                        }
                        EXPR {
                            OR {
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntkrnlpa.exe
                                            %windir%\system32\

                                            18327
                                        }
                                        EXPR {
                                            LOWER
                                            ntkrnlpa.exe
                                            %windir%\system32\
                                            6.0.6002.19000
                                        }
                                    }
                                }
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntkrnlpa.exe
                                            %windir%\system32\
                                            6.0.6002.22505
                                        }
                                        EXPR {
                                            LOWER
                                            ntkrnlpa.exe
                                            %windir%\system32\
                                            6.0.6002.23000
                                        }
                                    }
                                }
                            }
                        }
                        EXPR {
                            OR {
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6002.18327
                                        }
                                        EXPR {
                                            LOWER
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6002.19000
                                        }
                                    }
                                }
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6002.22505
                                        }
                                        EXPR {
                                            LOWER
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6002.23000
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

I know it's a mouthful, but it shows the exact file versions we are looking at for MS11-031, which for ntoskrnl are (for SP1, but the values are pretty close for the SP2 releases ;-):

OR {
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6001.18538
                                        }
                                        EXPR {
                                            LOWER
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6001.19000
                                        }
                                    }
                                }
                                EXPR {
                                    AND {
                                        EXPR {
                                            HIGHER_OR_SAME
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6001.22777
                                        }
                                        EXPR {
                                            LOWER
                                            ntoskrnl.exe
                                            %windir%\system32\
                                            6.0.6001.23000
                                        }
                                    }
                                }

Clearly 23076 is not lower than 23000, which causes the false negative.

As a quick work around you should be able to edit the inventory on your NS, but the root ause should be resolved at Symantec if not Microsoft (i.e. the MS13-031 update clearly supersedes some of the MS11-011 ones.

Thank you Kada for providing detail information on this.

Yes, once higher version of update is installed on machine MS11-011_Windows6.0-KB2393802-x86.msu update is not installing.

We were tried with below option also, result is same…

1. Installed MS11-068_Windows6.0-KB2556532-x86.msu or MS12-001_Windows6.0-KB2644615-x86.msu

2. Then tried installing MS11-011_Windows6.0-KB2393802-x86.msu which results in “update not applicable”

Ludovic Ferre – Yes, this is the problem from Microsoft. Bulletin MS11-011 is not superseded in MS11-068, MS12-001 or MS13-031.

We have modified LOWER range mentioned in IsInstalled rule of MS11-011_Windows6.0-KB2393802-xXX.msu update, to avoid this issue.

Please let us know if issue is still persisting on machine after this modification. 

Fix is available in Jun-13 patch Tuesday PMImport release version (x.x.1372.1)  which is available for download now.

Amol,

thanks for info. We did check on Friday NS 6.x and found lot of ItemNotFoundException.

Log from NS:

<event date='Jun 17 10:18:08' severity='1' hostName='YYYYYYY' source='Altiris.NS.LegacyInterop.ItemMessageDispatcherService.Dispatch' module='AltirisNativeHelper.dll' process='aexsvc.exe' pid='1388' thread='468' tickCount='154645328' >
  <![CDATA[ItemMessageDispatcherService::Dispatch  ( Unhandled exception.  Type=Altiris.NS.Exceptions.AeXItemNotFoundException Msg=Unable to load the target item for the client message. (Guid: "{e80fcc34-a70e-475a-9883-14dcc07c2f18}") Src=Altiris.NS.5xInterop
StackTrace=
   at Altiris.NS.LegacyInterop.ItemMessageDispatcherService.Dispatch(String message, Boolean useFilename) )]]>
</event>
<event date='Jun 17 10:18:08' severity='1' hostName='YYYYYYY' source='Altiris.NS.ClientMessaging.FileDispatcher.ProcessFileCallback' module='AltirisNativeHelper.dll' process='aexsvc.exe' pid='1388' thread='468' tickCount='154645328' >
  <![CDATA[Unable to process the file "G:\Altiris\Notification Server\NSCap\EvtQFast\Process\nseB813.tmp" Moving to "G:\Altiris\Notification Server\NSCap\EvtQFast\Bad\ItemNotFoundException\nse11B4.tmp". Reason: Unable to load the target item for the client message. (Guid: "{e80fcc34-a70e-475a-9883-14dcc07c2f18}")]]>
</event>

Event from machine:

<?xml version='1.0' ?>
<XmlData>
<WbemEventObject class='CE_NfySvrRemoteEvent'>
<MessageID></MessageID>
<Resource guid='{A345923B-7CB1-4044-9F86-28D99ABC6EBC}' typeGuid='493435F7-3B17-4C4C-B07F-C23E7AB7781F'><Attribute name='Domain' value='UUUUUUU'/><Attribute name='Name' value='XXXXXXXX'/><Attribute name='Altkey1' value=''/><Attribute name='Altkey2' value='00-FF-78-56-55-86'/></Resource>
<ScenarioGUID>{E80FCC34-A70E-475A-9883-14DCC07C2F18}</ScenarioGUID>
<RemoteEvent class="CE_XmlEvent">
<XmlData>
 <SWDExecutionEvent src="Altiris.SWD">
  <PackageId>{39A88B91-7993-4EEF-A4CD-58098B50BCDC}</PackageId>
  <JobId>{E80FCC34-A70E-475A-9883-14DCC07C2F18}</JobId>
  <PackageName>windows6.0-kb2393802-x86.msu</PackageName>
  <AdvertisementName>windows6.0-kb2393802-x86.msu for MS11-011</AdvertisementName>
  <ProgramName>windows6.0-kb2393802-x86.msu for MS11-011</ProgramName>
  <CommandLine>wusa.exe windows6.0-kb2393802-x86.msu /quiet /norestart</CommandLine>
  <RunNumber>22</RunNumber>
  <Start>20130615030032.991000-120</Start>
  <End>20130615030043.723000-120</End>
  <Context>Administrator</Context>
  <User></User>
  <ReturnCode>1</ReturnCode>
  <Status>Failed</Status>
 </SWDExecutionEvent>
</XmlData>
</RemoteEvent>
<TimeGenerated>20130615030043.786000-120</TimeGenerated>
<MessageBody></MessageBody>
<MessageLabel></MessageLabel>
<TransportFlag></TransportFlag>
<TransactionCookie></TransactionCookie>
</WbemEventObject></XmlData>
 

I did replace some date with X,Y, U.

Can you please check it?

I did check another customer with 6.x and it seems to be solved, in AA the patch is showed as Installed. I will check 7.0.

I tried to compare IsInstalled rule and found only one change - from 6.0.6002.19000 to 20000

but no change for 6.0.6002.23000.

For my info can you please let me know what exactly was changed?

Hi Kada,

Thanks for the update.

We have changed both the range:

 ‘6.0.6002.19000 to 20000’ and

 ‘6.0.6002.23000 to 30000’.

If you are able to see .20000 range in the Isinstalled rule than .30000 range should also get reflected there.

It would be great if you can confirm it again.

 For the above ItemNotFoundException, there are several reasons why this could happen:

•  The NSE format is not correct.
•  The XML in the NSE cannot be loaded (is not recognized as XML code).
•  No such policy exists.

If the Event Processor cannot find the policy that the NSE is supposed to go to, it returns a ‘Failed’ message to the Notification Server Dispatcher Service, which places the NSE in a Bad event directory.

Example: if an inventory agent sends an NSE to the Notification Server, but the Notification Server does not have Inventory Solution installed any more, then the NSE cannot be processed and gets placed in a Bad event directory. If you install Inventory Solution, then place this NSE back in the Event Queue, it should be processed correctly.

 However there are other causes, and this article points to some help on how to investigate.

http://www.symantec.com/business/support/index?page=content&id=HOWTO8119

Hi Amol,

yes, 30000 is there.

I did check 7.0 and there it is solved too.

Regarding bad event the problem was in the policy - policy for MS11-011 is there but patch for x86 is not marked there.

We can say that the fix did solve the issue with KB2393802.

I appreciate your help, thank you very much for it.