Simon336697

Hi guys, Great site and first question from an altiris newbie. Guys,we are using NS 6.2 with Patch Management, and having a big problem with Office 2003 patches.






Problem:

• Altiris NS Server reports that most our workstations are vulnerable, but the patch is actually installed on them.

Bulletin/Patch in question:

• MS08-052/KB954478
• The patch exe is as follows:
• Office2003-kb954478-fullfile-enu.exe

What we have done:

• The patch was released over a month ago, and if we remote on locally to the workstations, and go to Add/Remove programs, we see an entry in there for the patch: Security Update for Office 2003 (KB954478)
• Looking at the Altiris Agent, we find that the patch is continually trying to download and we dont know why.
• If we go into the Reports section of the NS server, most systems are reporting that they are vulnerable with respect to this patch, even though they have the patch installed.
• The machines have been rebooted since the patch was deployed.
• Ive used the remote altiris agent diagnositcs tool.
• Ive tried to run an update inventory using the agent, but the reporting ns server is not updating.
• Inventory collection is set at an interval every 6 hours.

Because my knowledge of altiris is really limited, im stumped and would love your guys seasoned expertise.

I spose the concern here is how do we get the ns server to report that systems that have actually been patched, dont show as vulnerable when doing the report on the ns server.

Q: How can you force an inventory update, including entries seen in Add/Remove programs, from the client? How and where then do you check on the ns server that this machine will show the patch has been installed?

We have over 3000 machines reporting that this patch has not been installed, when in reality, it is.

Any help greatly appreciated.

GeoMac

Just fer chuckles, may I ask what version of PMImport are you using?

I believe there is a report you can run to determine the version of PMImport in use.

__________________
"Any sufficiently advanced technology is indistinguishable from magic". - Arthur C. Clarke

GeoMac

This link can help you determine the PMImport level:
How do I determine the version of PMImport.cab installed on the NS server (Article ID: 22140)?
https://kb.altiris.com/article.asp?article=22140&p=1

This can be an important resouce for Patch Management PMImport issues and fixes:
How to subscribe to notifications for Altiris products (Article ID: 42448):
https://kb.altiris.com/article.asp?article=42448&p=1

I hope this is helpful...

__________________
"Any sufficiently advanced technology is indistinguishable from magic". - Arthur C. Clarke

Simon336697

Hi GeoMac,

Really appreciate your kind help.
I am a newbie as you can tell :>)
Once back in to work tomorrow, ill post the version here mate.
Have you seen this before, where the NS Server might have an out of date PMimport file, which reports machines as vulnerable even though a kb has been installed on machines?
I thought the pmimport file just lists the updates that need to be applied, and if that is the case, then why would the ns server be reporting the machines as vulnerable when the ns server itself was the one that deployed the kb in the first place?
As you can tell, simple questions from a newbie.

GeoMac

Hello,

The reason I mentioned the PMImport version: Altiris updates this resource every patch cycle (and sometimes "out of cycle", as well). The "out-of-cycle' releases often addresses reporting issues, like yours.

I searched the Altiris Knowledgebase (KB.Altiris.Com) with the keywords: PMImport MS08-052

and found the following articles:

PMImport 6.2.1234.1 (23 September 2008) - Article ID 43779:
https://kb.altiris.com/article.asp?article=43779&p=1

PMImport 6.2.1237.0 (12 November 2008) - Article ID 44394:
https://kb.altiris.com/article.asp?article=44394&p=1

Supplementary PMImport 6.2.1246.2 (12 March 2009) - Article ID 46044:
https://kb.altiris.com/article.asp?article=46044&p=1

PMImport 6.2.1247.0 (10 March 2009) - Article ID 46022:
https://kb.altiris.com/article.asp?article=46022&p=1

Another interesting read for Altiris Patch Management:

List of 6.x PMImport.cab file versions and release dates - Article ID 21897:
https://kb.altiris.com/article.asp?article=21897&p=1

You mentioned you used the Altiris Agent Diagnositcs tool. Did you see any errors in the Agent logs?

Perhaps, the logs may nail down the possible culprit(s).

__________________
"Any sufficiently advanced technology is indistinguishable from magic". - Arthur C. Clarke

Simon336697

Hi GeoMac,
Back in the office.

PMIMport version is the latest (6.2.1255.1) but only imported 4 days ago.
Prior to that, the version was a 2008 version.

Ive run the compliance reports again, and they still show a lot of vulnerable systems that have indeed been patched.

GeoMac,
Do you have to "force" the PMImport version to be used somehow?
Is there any way to immediately update the reports and utilize the new PMImport version on the NS Server?

Simon336697

Here is some logs with regards to a client that does have the patch installed, but is listed as vulnerable in Altiris.

Attached Images

kb954478.jpg (200.5 KB, 18 views)

Attached Files

kb957784.xls (74.0 KB, 11 views)

Lery

It sounds like you may have a faulty rule check going on. Follow this KB to get the isinstalled rule information (what Altiris actually checks for) https://kb.altiris.com/article.asp?article=19200&p=1

After you get what it is checking for (perhaps a version of a file or registry key), go to the machine(s) in question and check to see what is up. I'm guessing that it might be checking for a file version that is still on the machine and therefore saying it is vulnerable.

Altiris does often get the rules wrong every single month. However, they do correct it pretty fast. By now I would assume that bulletin should be accurate on the Altiris side of the house.

Simon336697

Thanks so much Lery.
I will have a look and report back.

Simon336697

Hi Lery and everyone.
Lery I took your advice and checked the rule.

The rule is checking for the existence of a particular version of gdiplus.dll.

Let's say it is looking for version 8.1

In Altiris, machines that have the patch installed are reporting as vulnerable, BUT they DO have the patch installed. The problem is, is that the version of gdiplus.dll they have is an older version eg.version 7.8, than what the rule is looking for.

So it is trying to keep on installing the patch and failing.
I just dont know what to do from here.
There are so many patches and multiple patches it seems install there own version of gdiplus.dll.

Calling on you gurus who have struck similar issues before.

Really appreciate all your expertise.

Lery

The way I understand your reply, you have an older version of a .dll file that the rule is looking for. So then yes you are vulnerable? Altiris gets the rule definition from Microsoft, so if Microsoft says you should have version X or higher of a file, and you do not, then we will flag you as vulnerable.

Now that you understand how to correctly evaluate a rule on a client machine, I would recommend running through the combined Patch Management Fixes KB. Located here https://kb.altiris.com/article.asp?article=46144&p=1

Since PM 6.x was released Altiris put out a lot of different little hot fixes and patches. This combined KB article contains a single executable to apply them all. The fixes are also listed in the article. There is a known issue in reporting discrepencies that might help you as well.

Simon336697

Hi Lery,
You are spot on.
The version of the dll is older on the machines that have been patched, than what the rule is looking for.
Ill implement the combined fix and see if that makes a difference.
Thanks so much for your help on this.