Client Management Suite

Can you havea  look att he attachement. All the hotfixes have been downloaded and in a policy. This machine is in the target of the policy.

Is this normal? I know some people have comented on the differences betweeen altiris and MSBA but I just have concerns ever since I had the MS12-020 patch not showing as vulnerable for any Windows XP machine. which isn't right!

Joe.

Attachment(s)

Tenpc022.docx   78 KB 1 version

Hello,

May I ask you please provide a version of PMImport on your NS? You may check it in <NS installation folder>\Altiris\Patch Management\Downloads\Manifest.xml file. The version of this manifest would be the version of PMImport.

Thanks!

 Volume in drive C is System
 Volume Serial Number is 3C81-7F0D

 Directory of C:\Program Files\Altiris\Patch Management\Downloads

04/20/2012  01:54 PM    <DIR>          .
04/20/2012  01:54 PM    <DIR>          ..
04/20/2012  01:54 PM                 0 flies.txt
04/18/2012  08:45 PM            24,976 pmimport.cab
04/18/2012  08:45 PM            14,168 PMImport_English.cab
04/18/2012  08:45 PM            76,587 PMImport_InvariantLanguage.cab
09/09/2010  02:10 AM           145,016 Q815062_W2K_spl_X86_EN.exe
04/18/2012  08:03 AM            24,355 WindowsOSEnglish.cab
04/18/2012  08:05 AM            26,732 WindowsOSInvariantLanguage.cab
               7 File(s)        311,834 bytes
               2 Dir(s)  20,605,820,928 bytes free

This is version 7.0 if that matters!

Thanks for letting me know about the version. You may determine the version for PMImport for 7.0 according to instructions here - http://www.symantec.com/business/support/index?page=content&id=HOWTO59812

Thanks!

Last nights run!

As always, you have rebooted the machine to ensure that all patches are applied and there are no files pending move? You have also ensure that your client has run a full inventory & uploaded to the server?

That being said, are you sure your WSUS is up to date? Not just from a downloaded patch point of view, but also that the client has correctly uploaded its infor to WSUS?

I do know that Symantec uses different rules than Microsoft to determine if patches apply. My non-Symantec source tells me that Symantec do a more indepth check than MS.

I would be interested to know what the cause of this problem is.

Thank you for your answer.

Could you please check if TENPC022 client from the attached word document has Service Pack 3 installed (or if it is actually 64-bit Windows then SP2 installed)?.

Do Patch report and MSBA report come from the SAME machine (with SP3 for x86 or SP2 for x64 installed)?

Thank you!

Yes Machine is WinXP SP3 x86. The reports came from that same same machine. I got a feeling i'm going to have the same results If I run both tests on all the XP machines...

yep - machines have rebooted. Inventopry has been sent. I'm not using WSUS. I just download the MS baseline analayser fromt he web and it updates itself. I've logged a ticket with support. I got a feeling this is affecting a lot of machines with a lot of patches!

the only reason I'm concerned about this is becuase not 1 of my WinXP machine showed as vulnerable to the RDP patch MS12-020 even though it wasn't deployed and installed on any machines. (i've got a support ticket raised for this but as yet had had solution back.)

Joe.

the more I look into this the more it looks like its not applying OS patches to winXP SP3 machines. The ofifice and .NET etc look OK. but the OS ones just dont look right!

See attached screenshot. The high numbers all seem to be office/.net patches 98% of machines on this list are WinXP SP3. To me that doesn't look right! would you agree ?

jharrings mentions the SUA Diag tool and Single Rule evaluator. Hopefully they work with Altiris v7.

Sorry, don't have any answers for you.

Has anybody tried the utilities on 7.1 SP2 that Ian linked to in his post?  I'd love to know if they work with 7.1.

Ran the SUA diag tool and got an unhandled exception error. - thanks anyway. Worth a shot.

Joe.

Running the SUA_Diagnostics tool on a Windows 2003 server with Altiris Agent v6.0.2416 and .Net 1.1 works for me.

Might be an OS or .Net dependancy.

Confirmed, I get the same error on a Windows 7 PC with Altiris v7 agent.

Basically these tools are unsupported by 7.1.SP1+. The main reason for that is changed process of getting information about vulnerable updates(So Rule Evaluator results will not be valid), but some functionality still might be working if you will be able to launch this tool without exceptions. It looks like it is OS or .NET dependent.

I tried it with 7.1 SP2 on Windows Server 2008 SP1 and I was able to launch tool and collect the following information for updates targeted to tested machine (Note: I needed to copy Agent logs from “C:\ProgramData\Symantec\Symantec Agent\Logs” to “...\Altiris\Altiris Agent\Logs”):

 - Global Agent information

 - Package Details

 - Last Vulnerability Analysis Results(Applicable/Installed/To be installed/Superseded)

 - List of all applicable and not installed bulletins per Windows Update scan

Advantage of those tools is quick and comfortable way to collect all needed information in one place, but if you need to get information that is provided by these tools and tool is not working by any reason, you also can get it by other ways:

- You can try another Agent Diagnostic tool that provides remotely some information about Software Update plug-in - [Remote Altiris Agent Diagnostics 2.0] http://www.symantec.com/business/support/index?page=content&id=HOWTO21449

This tool works with 7.1 SP1+ and displays the Patch Management Solution’s Software Updates that the computer knows about (where it has received a Patch policy for it) and the status and execution results of the Software Updates. Additionally you can Start Patch Inventory, Start Full Patch Cycle or Run Separate Update using tool's GUI

Also you can collect all needed information manually:

- Information about Global Agent details and package details can be found in Agent UI. Also You can enable Diagnostic mode to extend Agents UI using AexNSAgent.exe /diags

- Advertisements currently targeted to the managed computer can be found in XML file: ...\Altiris\Altiris Agent\SoftwareManagement\Software Delivery/AeXSWDPolicy.xml

- Last Vulnerability Analysis Results can be found in XML file : ...\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\STPatchAssessment.xml

- List of all applicable and not installed bulletins per Windows Update scan can be copied from Windows Update scan results

For executing any actions with Software Update plug-in you can use Agent UI or AexPatchUtil(http://www.symantec.com/business/support/index?page=content&id=HOWTO9770)

I have RAAD and use it. Unfortunately its doesn't offer any help in this situation.

- Last Vulnerability Analysis Results can be found in XML file : ...\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\STPatchAssessment.xml

I do not have have above folder in my client PCs! I have informed support of this but not had any response from them as yet..

Also you can collect all needed information manually:

The point of the tools was to automatically collect the info & not make a mistake or miss something. The SUA Diagnostic tool was also very useful because you could

• evaluate a single rule
• try & force an update
• view GUIDs for the rule
• View bulleting & patch executeable name
• See effective SUA policy

RAAD is a fantastic tool and I have previously made suggestions to improve it. The Altiris Log viewer is much better though for review as you can search / find, hightlight, filter & jump to next occurrence.

I still wish SUA would be updated for v7+ and newer OSs.

OK - was on with support who got me to run a few commands. You'll notice the screenshot - a lot of updates are now in the 500-600 range rather than the low 10s range. for some reason it was not pciking up WinXP machines

Thsi is the command I ran

1. Perform a SQL database backup.

After the backup is done, do the following:

2. Open CMD 
Set the prompt for the installed drive - default: C:\ (Ensure the installed drive matches the environment):
Input: cd "Program Files\Altiris\Notification Server\bin"
CMD should appear as: C:\Program Files\Altiris\Notification Server\Bin>

3. Input these configuration commands, following the path in CMD outlined in step 1, and run them one by one to reconfigure the product to the database (Ensure the installed drive matches the environment):
AexConfig /Configure "C:\Program Files\Altiris\Patch Management\Core\Config\PatchManagementCore.config"
AexConfig /Configure "C:\Program Files\Altiris\Patch Management\Windows\Config\PatchManagement.config"
Note: This process may take some time, depending on how many Software Update Policies are created and the performance of the NS and SQL Servers.

My only concern is that I now consider these reports to be very unreliable And will have to check using other tools. NOT GOOD.

Joe.

Hi Joe,

It would be great if you can provide below information about MS12-020:

1. file version of "rdpwd.sys" at location "%windir%\system32\drivers\"
2. Manual update (MS12-020_ WindowsXP-KB2621440-x86-ENU.exe) installation status on machine and file version of “rdpwd.sys” after update installation.
3. If ‘rdpwd.sys’ file is not present at above location then please provide detailed repro steps for same.

Thanks,

Amol Sontakke

Hi Amol, It wasn't specific to this hotfix. (ms12-020) It seemed to have a problem with any WinXP OS hotfix. It looks as though at some point is just stopped working. All windows XP machines were not showing as vulnerable to a lot of hotfixes.

Joe.