Patch Management Solution


MS17-010 on old OS - will patch management deploy?


  • 1.  MS17-010 on old OS - will patch management deploy?

    Posted May 13, 2017 11:19 AM

    OK, with the ransomware attack hitting... I ran the compliance by bulletin on MS17-010 and came back with only 1 system applicable and it wasn't installed. I am guessing due to the bundled patches for all the O/S now, that we are covered there?

    Well, MS released the patch for XP SP2/SP3, Server 2003 and Server 2008. Do any of you have to deploy this out? I just did a pmimport and I do not see the patch listed, so I am guessing Symantec is working on it, as usually they get patches out for us 2 days after MS releases. Well, I can't wait 2 days so may have to do it via SWD.

     

    Just curious on how others are handling this...

     



  • 2.  RE: MS17-010 on old OS - will patch management deploy?

    Broadcom Employee
    Posted May 15, 2017 04:50 AM


  • 3.  RE: MS17-010 on old OS - will patch management deploy?

    Broadcom Employee
    Posted May 15, 2017 05:51 AM

    XP and 2003 are to be added to PMI "shortly" today.



  • 4.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 07:24 AM

    yes it is! thx



  • 5.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 07:25 AM

    Well that is good news; however, I already rolled it out, but will be nice as hopefully the compliance by bulletin report will reflect all including XP/2003 (fingers crossed)

     



  • 6.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 09:21 AM

    Hi Fernando,

     

    It doesn't show up in the bulletin list either. However, it also doesn't show up in my superseded list, which is making me nervous.

     

    Scott



  • 7.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 09:30 AM

    It shows for us as partially superseded by MS17-05-2K8 which is presumably why it is not showing in compliance by bulletin? As that new patch is only for 2008 servers, it would be nice to still monitor compliance of the other OS versions though.



  • 8.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 09:33 AM

    Hi TeleFragger.

     

    In my environment the MS17-010 doesn't exist anymore. My metadata has probably deleted this bulletin because it was superseded by another one.

     

    Searching for the KBs, my environment is linking to the SB17-002, SB17-003 and CSWU-048 bulletins. I suggest you have a look at these bulletins too.

     

    Regards,

     

     



  • 9.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 11:04 AM

    This whole patching for MS17-010 and the updates was very hard to monitor and track, and was probably why all the compliance reports are wrong. So does someone have an updated list which lists all the updates and superseded information, so Security people can get a correct updated list of machines? I also have a call into Symantec Support and will share their results also.

     



  • 10.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 01:27 PM

    This is up to date information and support is getting slammed. Hope this helps everyone.

     

    TECH240810

     

     



  • 11.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 02:03 PM

    Yeah, we found out the MS17-010 compliance report is mainly just for old OS like Vista...

    You need SB17-002 installed WITH A REBOOT!!!!

    Our compliance report is showing our machines vulnerable and we're merely rebooting, that is it, and they are coming off the compliance report.

    You need to look for KB4012212.

     

    Example: Google brings up that it was in the security only for March, which we rolled out in April... we do security monthly only and it was installed, but reboots needed...

     

    https://support.microsoft.com/en-us/help/4012212/march-2007-security-only-quality-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1

     



  • 12.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 02:14 PM

    Hi Scott.

     

    Today I've imported this report into my Altiris. Have a look and check if it helps you. I think this report is very useful for checking superseded KBs, etc.

     

    http://www.symantec.com/docs/HOWTO125818

     

    Regards,



  • 13.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 02:17 PM

    In my environment it was the SB17-002, SB17-003 and CSWU-048 bulletins. I suggest you have a look at the others too.

     

    Regards,



  • 14.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 15, 2017 04:44 PM

    Those are on that technote. They will probably change or add new ones for XP and the other out-of-life OS. Stay tuned.



  • 15.  RE: MS17-010 on old OS - will patch management deploy?

    Trusted Advisor
    Posted May 16, 2017 04:45 AM

    Hi,

    Have you reviewed the document: https://support.symantec.com/en_US/article.TECH240810.html

    Symantec has been updating this document throughout the last few days - they have recently added a report which can be imported into Altiris to identify what bulletins are required.

    Thanks



  • 16.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 16, 2017 08:53 AM

    Hi Sam.

     

    Does the report work well for you? In my environment (7.6 HF7) it's showing me an error because I don't have the "Inv_Software_Update_Distribution_Status" table. I think this report only works in 8.0+ versions.

     

    Talking about reports, in the "Compliance by Bulletin" report, can you see the "CSWU - " information? When I type CSWU it's not showing any information, so I have no idea what the bulletin compliance is.

     

    Regards,



  • 17.  RE: MS17-010 on old OS - will patch management deploy?

    Trusted Advisor
    Posted May 16, 2017 10:17 AM

    Hi Fernando,

    I'm using 8.0 HF6 and it is working as expected. 

    In regards to CSWU not showing, have you checked the Remediation Center > Windows Superseded Bulletins report? It is showing all of the CSWU's as superseded for me, which is probably why it will not show in the Compliance by Bulletin report. Please see below:

    patchsuper.png

    Which CSWU Bulletin are you looking for? If you can let me know then I'll take a look in my environment and post the results.

    Thanks


     

     



  • 18.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 16, 2017 10:52 AM

    Hi Sam.

     

    Makes sense. This report was built to work in 8.x versions. Here I'm still on version 7.6.

     

    In "Remediation Center" I can see the CSWU-048, but not the information about compliance.

     

    The CSWU-048 is one of the bulletins that we have to deploy to fix the security problem. I ran another report that shows all KBs and whether they were superseded by another patch or not. As a result I could check that all CSWU were superseded by another bulletin, so I also think this is the reason that it's not showing this bulletin in the "Compliance by Bulletin" report.

     

    Thanks!



  • 19.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 16, 2017 05:49 PM

    Well, the Windows 10 reports are no longer CSWU... The May 2017 Win10 patch set is

    MS17-05-W10 - Cumulative Update for Windows 10 and Windows Server 2016: May 9, 2017

     

    Thus the patch in question for Windows 10, due to its cumulative nature, is in this patch as well...



  • 20.  RE: MS17-010 on old OS - will patch management deploy?

    Trusted Advisor
    Posted May 17, 2017 04:51 AM

    Hi Fernando, 

    That's exactly right. Using CSWU-047 as an example, I would do the following:

    Check the report "Windows Superseded Bulletins" for CSWU-047 and see if it is superseded by another bulletin. If it has, I then take the next bulletin and check if that has been superseded also, following up the chain to the latest bulletin available. 

    I can see that CSWU-047 has been superseded a number of times:
    CSWU-047 > CSWU-048 > MS17-W10-04 > MS17-05-W10

    The only bulletin that shows in the report "Compliance by Bulletin" is MS17-05-W10 as it is currently the last in the chain. The description for this shows that it was released on May 9th, this month's patch Tuesday: Cumulative Update for Windows 10 and Windows Server 2016: May 9, 2017.

    Hope that helps, thanks!
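
The chain-following check described in the post above, as an added example that is not part of the original thread or of any Symantec report. The function names are hypothetical, the edge list is constructed from the bulletins quoted in this thread, and keeping a partially superseded bulletin on the tracking list is an assumption based on the "partially superseded" remark earlier in the discussion.

```python
# Constructed sample data: (older bulletin, newer bulletin, fully superseded?).
# In practice these pairs would be read from the "Windows Superseded Bulletins" report.
SUPERSEDED_BY = [
    ("CSWU-047", "CSWU-048", True),
    ("CSWU-048", "MS17-W10-04", True),
    ("MS17-W10-04", "MS17-05-W10", True),
    ("MS17-010", "MS17-05-2K8", False),  # reported in the thread as partial
]

def build_index(edges):
    """Map each bulletin to the list of (successor, fully_superseded) pairs."""
    index = {}
    for old, new, full in edges:
        index.setdefault(old, []).append((new, full))
    return index

def resolve(bulletin, index):
    """Follow every supersedence path from `bulletin` to its end.

    Returns (chains, partial): each chain is a list ending at a bulletin that
    nothing supersedes; partial holds bulletins that were only partly replaced.
    """
    chains, partial = [], set()
    stack = [[bulletin]]
    while stack:
        path = stack.pop()
        successors = index.get(path[-1], [])
        if not successors:
            chains.append(path)  # end of chain: nothing newer
            continue
        for new, full in successors:
            if new in path:  # bad metadata would otherwise loop forever
                raise ValueError("supersedence loop: " + " > ".join(path + [new]))
            if not full:
                partial.add(path[-1])
            stack.append(path + [new])
    return chains, partial

def bulletins_to_track(bulletin, index):
    """Bulletins to look up in a compliance report for the given starting bulletin."""
    chains, partial = resolve(bulletin, index)
    # Assumption: a partially superseded bulletin still covers some platforms,
    # so it stays on the list next to the bulletin(s) at the end of the chain.
    return sorted({chain[-1] for chain in chains} | partial)

if __name__ == "__main__":
    idx = build_index(SUPERSEDED_BY)
    for start in ("CSWU-047", "MS17-010"):
        for chain in resolve(start, idx)[0]:
            print(" > ".join(chain))
        print("track:", bulletins_to_track(start, idx))
```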

     



  • 21.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 18, 2017 07:48 AM

    Hi Sam.

     

    First of all, thanks for your help. Secondly, Symantec uploaded a new report for version 7.6 which works really well.

     

    http://www.symantec.com/docs/TECH240810

     

    Regards,



  • 22.  RE: MS17-010 on old OS - will patch management deploy?

    Trusted Advisor
    Posted May 18, 2017 08:26 AM

    @Fernando - Anytime, happy to help.

    @Telefragger - Are there any remaining questions for this post or has everything been answered? Let me know!

    Thanks



  • 23.  RE: MS17-010 on old OS - will patch management deploy?

    Posted May 19, 2017 01:50 PM

    For whatever reason I'm getting a 404 when I go to download the 8.x XML provided on the TECH240810 page. Can download 7.x but we're on 8.0. Anyone know if it is OK to import 7.x XML provided there into an 8.x platform?

     

    Regarding compliance reports, we ended up building a custom SQL report for it. Here it is in case anyone is interested. Just remove the comments "/* and */" from the update you want compliance for.

    SELECT
    Inv_AeX_AC_Identification.Name,
    Inv_AeX_AC_Identification.[OS Name],
    Inv_AeX_AC_Identification.[System Type],
    Inv_AeX_AC_Identification.[Client Date] 'Last Client Communication',
    Inv_Software_Update.[FileName]
    from Inv_Applicable_Windows_Software_Update
    left join Inv_AeX_AC_Identification on Inv_AeX_AC_Identification.[_ResourceGuid] = Inv_Applicable_Windows_Software_Update.[_ResourceGuid]
    left join Inv_Software_Update on Inv_Software_Update.[_ResourceGuid] =  Inv_Applicable_Windows_Software_Update.[SoftwareUpdateGuid]
    where
        /* Inv_Software_Update.[FileName] LIKE '%4012598%'  Windows XP */
        /* Inv_Software_Update.[FileName] LIKE '%4012212%'  Windows 7 March 2017 Security Only Rollup*/
        /* Inv_Software_Update.[FileName] LIKE '%4012215%' Windows 7 March 2017 Monthly Rollup*/
        /* Inv_Software_Update.[FileName] LIKE '%4012213%'  Windows 8.1 March 2017 Security Only Rollup*/
        /* or Inv_Software_Update.[FileName] LIKE '%4012216%' Windows 8.1 March 2017 Monthly Rollup*/
        /* Inv_Software_Update.[FileName] LIKE '%4012606%' Windows 10 (1507) March 2017*/
        /* Inv_Software_Update.[FileName] LIKE '%4013198%' Windows 10 (1511) March 2017*/
        /* Inv_Software_Update.[FileName] LIKE '%4013429%' Windows 10 (1607) March 2017*/
        /* Inv_Software_Update.[FileName] LIKE '%4012598%' Windows Vista*/
    EXCEPT
    SELECT
    Inv_AeX_AC_Identification.Name,
    Inv_AeX_AC_Identification.[OS Name],
    Inv_AeX_AC_Identification.[System Type],
    Inv_AeX_AC_Identification.[Client Date] 'Last Client Communication',
    Inv_Software_Update.[FileName]
    from Inv_Installed_Windows_Software_Update
    left join Inv_AeX_AC_Identification on Inv_AeX_AC_Identification._ResourceGuid = Inv_Installed_Windows_Software_Update.[_ResourceGuid]
    left join Inv_Software_Update on Inv_Software_Update.[_ResourceGuid] =  Inv_Installed_Windows_Software_Update.[SoftwareUpdateGuid]
    -- ORDER BY after EXCEPT has to name a select-list column, so sort on the alias
    order by [Last Client Communication] ASC

     



  • 24.  RE: MS17-010 on old OS - will patch management deploy?

    Trusted Advisor
    Posted Jun 01, 2017 05:09 AM

    Hi Grumbles2015,

    I've only just got around to checking the article download link for the 8.0 report and it is working fine for me. Either this has been reported to support and resolved or sometimes we see errors like this when we're not logged in to connect. 

    Thanks



  • 25.  RE: MS17-010 on old OS - will patch management deploy?

    Posted Jun 02, 2017 10:39 AM

    This was informational only... I can't select anyone as the correct answer...

    I was just throwing this out there as it is a very big deal and I was curious how others were handling it.

     



  • 26.  RE: MS17-010 on old OS - will patch management deploy?

    Posted Jun 12, 2017 08:37 PM

    Thanks Sam. That link ended up working the next day