http://forum.bigfix.com BigFix User Group en http://backend.userland.com/rss http://forum.bigfix.com/viewtopic.php?pid=17052#17052 17052@http://forum.bigfix.com Topic: MS09-017 False Positives Message: I think based off of the information you're giving me, that the system is vulnerable to that particular vulnerability. The version of powerpoint is at base SP3 level, and pp7x32.dll isn't at an up to date version.Are you just finding that the fixlet is showing up as relevant after you apply the patch? Is applying the patch manually giving you a problem (expected version of the application not found on the system?)(I think if we can't solve this problem in one more exchange or so you might want to open a trouble ticket for this) Thu, 19 Nov 2009 15:36:38 -0800 http://forum.bigfix.com/viewtopic.php?pid=17050#17050 17050@http://forum.bigfix.com Topic: MS09-017 False Positives Message: Ok here is the information you have requested:Q: version of regapp "powerpnt.exe"A: 11.0.8169.0Q: version of file "pp7x32.dll" of folder (pathname of parent folder of regapp "powerpnt.exe" & "\XLATORS")A: 11.0.8161.0OS WinXP 5.1.2600OS Plus Service Pack - No WMI - Microsoft Windows XP - Service Pack 2  Microsoft Office Configuration Information Microsoft Office Professional Edition 2003, {90110409-6000-11D3-8CFE-0150048383C9}, PRO11.MSI, "C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\", 1033 Microsoft Office Deployment Control Network Installation - Office2003Full Name of Installed Microsoft Office Suite(s) Microsoft Office Professional Edition 2003 (English (United States)) Microsoft Office Installed Components and Service Pack Versions EXCEL.EXE (Office 2003 | Service Pack 3) INFOPATH.EXE (Office 2003 | Service Pack 3) MSACCESS.EXE (Office 2003 | Service Pack 3) MSPUB.EXE (Office 2003 | Service Pack 3) OUTLOOK.EXE (Office 2003 | Service Pack 3) POWERPNT.EXE (Office 2003 | Service Pack 3) WINWORD.EXE (Office 2003 | Service Pack 3) Microsoft Office Suite Installation Date(s) 11/11/2009 Office Communicator version 2.0.6362.97Visio Viewer Version Microsoft Office Visio Viewer 2003 (English) | 11.0.3709.5614  Windows Installer Version 3.1.4000.1823 Thu, 19 Nov 2009 13:31:26 -0800 http://forum.bigfix.com/viewtopic.php?pid=17048#17048 17048@http://forum.bigfix.com Topic: Patching thousands of servers in a server farm just a few at a time? Message: similarly you could do it with locking or using a BES Property.  Have the lock removed, or a property changed, during a certain period of time.  then the action should include "Run Only When" (not locked, or the property is an appropriate value).As the different machines unlock themselves (or change their property value)..."TADA" patching, al fresco !! Thu, 19 Nov 2009 11:51:38 -0800 http://forum.bigfix.com/viewtopic.php?pid=17046#17046 17046@http://forum.bigfix.com Topic: Best Practices for not annoying the hell out of my co-workers -Reboots Message: Thanks so much for the thoughtfull response...I need to reread it a couple of times and digest it.  Right now, I am rathole-ing on redploying all my agents because re just did a fresh reinstall of the BES server  .  sigh. Thu, 19 Nov 2009 11:47:32 -0800 http://forum.bigfix.com/viewtopic.php?pid=17045#17045 17045@http://forum.bigfix.com Topic: Best Practices for not annoying the hell out of my co-workers -Reboots Message: Here's how I'm presently handling it, complicated by the fact that some users want notifications and not all patches need a reboot:either:build a baseline with a postaction (lastbaseline component, with includeingroupreleavence"=false).  This component determines if we need a reboot, caused by BES Action.  (you can also do a pre-action, that determines if you needed to reboot before you started patching...if you want).when <BaselineComponentGroup Name="PostActionGroup">                <BaselineComponent Name="PostAction" IncludeInRelevance="false" ActionName="Action1">                    <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">setting "PATCH_2009_Q3"="{now}" on "{now}" for clientif {if(name of operating system starts with "Win") then((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESPendingRestart" of it AND exists value "BESPendingRestart" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESPendingRestart" of it) of registry OR (exists key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" of it AND exists value "BESPendingRestart" of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" of it) of registry) else (true)}  setting "PATCH_rebootneededbypatch"="1" on "{now}"  for clientelse    setting "PATCH_rebootneededbypatch"="0" on "{now}" for clientendif</ActionScript>                    <SuccessCriteria Option="RunToCompletion"></SuccessCriteria>                    <Relevance>true</Relevance>                </BaselineComponent>            </BaselineComponentGroup> Now I know, when my Q3 patches were applied, and if I need a reboot (caused by the patch..assuming there is no other pre-existing reboot condition caused by BES).OR You can do a similar thing in the action screen for deploying baselines too.  I put it in the baseline itsef because my wizard is intended to reduce operations requirements (and mistakes).Now, I have a separate fixlet that will prompt a user to reboot if they have both "reboot needed caused by bes" AND setting "PATCH_rebootneededbypatch" (I'd also check that the effective date of the setting is > 1 or 2 hours from "now")Now, just to cater for the fact that they may reboot on their own (and not use the fixlet), I have another fixlet that looks for "PATCH_rebootneededbypatch"="1" but (reboot needed caused by BES)=false.  This just sets "PATCH_rebootneededbypatch"=0.I probably did a horrible job of explaining all that because I am in a rush today... Thu, 19 Nov 2009 11:27:57 -0800 http://forum.bigfix.com/viewtopic.php?pid=17042#17042 17042@http://forum.bigfix.com Topic: Office Viewer Patches changing file association Message: Nov. Patching set included a few MS document viewer patches.  In my testing, these patches (in 1 case) don't work, (MS issue, not BF) and in the other cases reset file associations to the viewer.  Not a problem if you only have viewers...but if your target population have both, makes for some ANGRY peeps !!I've written a dashboard/wizard for some customers baseline generation as it includes a few custom things, and EXCLUDES OS' that they don't care about.  It also includes some logic for pre-patch and post-patching.So, in hind-site, I'd copy off HKCR and restore it at the end of the baseline.  This keeps the old associations, and doesn't overwrite anything NEW, just anything CHANGED.however, in the interim, I have created a task to try and remedy the situation for the major doc types: delete __appendfiledelete officeext.batappendfile @ECHO OFFif {exists (keys whose (name of it starts with "Word.Document" and (exists key "shell\open\command" whose (exists value "" of it and value "" of it as string as lowercase contains "winword.exe") of it)) of key "HKCR" of registry)}appendfile @set WORD={preceding text of first ";" of concatenation ";" of (unique values of (names of keys whose (name of it starts with "Word.Document" and (exists key "shell\open\command" whose (exists value "" of it and value "" of it as string as lowercase contains "winword.exe") of it)) of key "HKCR" of registry);";")}appendfile @assoc .doc=%WORD%appendfile @assoc .dot=%WORD%endifif {exists (keys whose (name of it starts with "Excel.Sheet" and (exists key "shell\open\command" whose (exists value "" of it and value "" of it as string as lowercase contains "excel.exe") of it)) of key "HKCR" of registry)}appendfile @set EXCEL={preceding text of first ";" of concatenation ";" of (unique values of (names of keys whose (name of it starts with "Excel.Sheet" and (exists key "shell\open\command" whose (exists value "" of it and value "" of it as string as lowercase contains "excel.exe") of it)) of key "HKCR" of registry);";")}appendfile @assoc .xls=%EXCEL%appendfile @assoc .csv=%EXCEL%endifif {exists (keys whose (name of it starts with "PowerPoint.Slide" and (exists key "shell\open\command" whose (exists value "" of it and value "" of it as string as lowercase contains "powerpnt.exe") of it)) of key "HKCR" of registry)}appendfile @set PPNT={preceding text of first ";" of concatenation ";" of (unique values of (names of keys whose (name of it starts with "PowerPoint.Slide" and (exists key "shell\open\command" whose (exists value "" of it and value "" of it as string as lowercase contains "powerpnt.exe") of it)) of key "HKCR" of registry);";")}appendfile @assoc .ppt=%PPNT%appendfile @assoc .pps=%PPNT%appendfile @assoc .pot=%PPNT%endifif {exists (keys whose (name of it starts with "Visio.Drawing" and (exists key "shell\open\command" whose (exists value "" of it and value "" of it as string as lowercase contains "visio.exe") of it)) of key "HKCR" of registry)}appendfile @set VISIO={preceding text of first ";" of concatenation ";" of (unique values of (names of keys whose (name of it starts with "Visio.Drawing" and (exists key "shell\open\command" whose (exists value "" of it and value "" of it as string as lowercase contains "visio.exe") of it)) of key "HKCR" of registry);";")}appendfile @assoc .vsd=%VISIO%appendfile @assoc .vdx=%VISIO%endifmove __apPendfile officeext.batwaithidden officeext.bat Thu, 19 Nov 2009 10:21:40 -0800 http://forum.bigfix.com/viewtopic.php?pid=17018#17018 17018@http://forum.bigfix.com Topic: MS09-017 False Positives Message: Can you tell us more about those 1,050 machines?The relevance is based off of the GUIDs here: http://support.microsoft.com/kb/832672and those only check for various SKUs of office 2003 and powerpoint 2003. What kind of software is installed on these machines? What versions of office are there? What Windows OSes are those machines running? Things like that.If you run the following queries, what do you get back?Q: version of regapp "powerpnt.exe"Q: version of file "pp7x32.dll" of folder (pathname of parent folder of regapp "powerpnt.exe" & "\XLATORS") Wed, 18 Nov 2009 18:18:41 -0800 http://forum.bigfix.com/viewtopic.php?pid=16989#16989 16989@http://forum.bigfix.com Topic: MS09-017 False Positives Message: It is just one MS09-017 fixlet:MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution - Office 2003 SP3 (Local/Network Install)    1,050 / 21,863Thanks,Scott Wed, 18 Nov 2009 07:16:20 -0800 http://forum.bigfix.com/viewtopic.php?pid=16978#16978 16978@http://forum.bigfix.com Topic: Windows 2003 SP2 not reporting Message: Right-click refresh didn't work at first, same old darn SP1... ugh.But then I righ-clicked opened the server, and browsed around in the tabs checking stuff out and then I looked up and it displayed Service Pack 2 in the list.  I'm not sure if there was a timing/refresh that needed to happen on the console, but something changed, and it's now reporitng Service Pack 2.  This did not happen when the date/time changed right away, and I don't recall what I was clicking on in the comuter tabs, but I did not execute any tasks or jobs.xxxxxx-VS-01    Win2003 5.2.3790    2200 MHz Dual Core AMD Opteron(tm) Processor 275 x211/17/2009 8:23:30 PM    Service Pack 1    xxxxxx-VS-01    Win2003 5.2.3790    2200 MHz Dual Core AMD Opteron(tm) Processor 275 x2    11/17/2009 8:41:07 PM    Service Pack 2 Tue, 17 Nov 2009 20:04:36 -0800 http://forum.bigfix.com/viewtopic.php?pid=16969#16969 16969@http://forum.bigfix.com Topic: Windows 2003 SP2 not reporting Message: So the confusing thing is that the computer properly reports its information when you run the QnA locally, but not when you look in the console (it appears to be the same relevance query in both cases)... The agent should report its new info up automatically but can you right-click send refresh to the computer and see if things update.Thanks,Ben Tue, 17 Nov 2009 18:21:58 -0800 http://forum.bigfix.com/viewtopic.php?pid=16968#16968 16968@http://forum.bigfix.com Topic: MS09-017 False Positives Message: We just published a change to 901711    MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution - Office 2003 SP3 (Local/Network Install)    but that wasn't a detection issue. That was responding to what seemed like an unpublished Microsoft binary change on the bulletin.Are you having trouble across all the different MS09-017 fixlets, or is there one MS09-017 fixlet in particular that seems to be off? Tue, 17 Nov 2009 17:40:31 -0800 http://forum.bigfix.com/viewtopic.php?pid=16965#16965 16965@http://forum.bigfix.com Topic: Column Settings question Message: Hey acwilson,I think that, in order to add a property as a column, it most be a "Custom Property" that is defined using the "Manage Properties" section of the console  (Tools -> Manage Properties). Any properties were defined from an analysis cannot be set as columns (AFAIK). To work around this, you could create "Custom Properties" for the properties that you would like to set as columns. Then, you should be able to copy the relevance from the analysis into your "Custom Property." Sheesh, this post has the word "property" in it too much. Tue, 17 Nov 2009 14:32:38 -0800 http://forum.bigfix.com/viewtopic.php?pid=16962#16962 16962@http://forum.bigfix.com Topic: Column Settings question Message: I'm looking for a way to use additional properties in the Computers tab column settings view.  We use BES power management.  It provides properties for current power scheme, turn off monitor, turn off hard disks, system standby, hibernation, computer type, etc.Some of those properties would be useful to see from the main computers tab view (like computer type) to quickly tell if were looking at a workstation, laptop, or server.When we try to right-click and add more column settings within the computers tab view, the additional properties from power management are not available.Can someone please tell me how we can update the list of available properties for the column settings within the computers tab?  Seems like we should be able to do this if they are already defined/collected and viewable within the power management dashboard tabs...  Thanks. Tue, 17 Nov 2009 13:29:03 -0800 http://forum.bigfix.com/viewtopic.php?pid=16945#16945 16945@http://forum.bigfix.com Topic: MS09-017 False Positives Message: It appears that we are getting alot of false positives from MS09-017. The number has continuously grown larger over the last weeks from <400 to now over 1000. I saw there were some other posts about false positives, I was wondering if anything has been done about this issue?Thanks,Scott Tue, 17 Nov 2009 07:16:44 -0800 http://forum.bigfix.com/viewtopic.php?pid=16937#16937 16937@http://forum.bigfix.com Topic: Windows 2003 SP2 not reporting Message: I'm new to BigFix, so I don't entirely understand the question or concepts.Is this the property relevance? Retrieved Property Name  |  Retrieved Property Relevance OS Service Pack Level      |  csd version of operating system Mon, 16 Nov 2009 20:16:01 -0800