BigFix Missing .dll Files When Patching

jco · November 3, 2016, 9:34pm

Hello all, first time posting here!

We have been using IEM for some time to patch our servers and Nessus has been identifying vulnerabilities relating to old/missed.dll versions. So what will happen is that every patch cycle, 5-10 servers will miss the same group of .dll files. Then during the next patching cycle a completely different group of servers will miss a new group of specific .dll files. I will post the results from our latest Nessus scan below, found on 6 servers:

 "Plugin Output: 
MS16-112: Security Update for Windows Lock Screen (3178469)
  - C:\Windows\system32\pnidui.dll has not been patched.
    Remote version : 6.3.9600.17415
    Should be      : 6.3.9600.18434"
"Plugin Output: 
MS16-114: Security Update for Windows SMBv1 Server (3185879)
  - C:\Windows\system32\drivers\srv.sys has not been patched.
    Remote version : 6.3.9600.18340
    Should be      : 6.3.9600.18432"
"Plugin Output: 
MS16-115: Security Update for Microsoft Windows PDF Library (3188733)
  - C:\Windows\system32\windows.data.pdf.dll has not been patched.
    Remote version : 6.3.9600.18403
    Should be      : 6.3.9600.18454"
"Plugin Output: 
MS16-116: Security Update in OLE Automation for VBScript Scripting Engine (3188724)
  - C:\Windows\system32\Oleaut32.dll has not been patched.
    Remote version : 6.3.9600.17560
    Should be      : 6.3.9600.18434"

For whatever reason, IEM did not touch or update these .dll during the patch cycle, and then sees the patch as not relevant forcing us to manually apply the patch. Has anyone else seen an issue like this? This happens every deployment and is not consistent to any specific server. It is however consistent that the same group of .dll files are missed on multiple random servers each patching cycle. We manage over a thousand servers with IEM and manually applying patches anywhere is an extreme hassle.

Any help would be greatly appreciated!

steve · November 3, 2016, 10:40pm

BigFix doesn’t decide to patch or not patch individual dlls, it just executes (or not) patch installations. So is it clear from your scan and or patch action results whether the patch installation was attempted/occurred or not? Assuming that the patches were deployed to these servers, then either there was an issue with relevance detection such that the patch was not relevant and the install was not attempted, or there was an issue with the patch itself such that the install was attempted but did not properly update the files.

jco · November 4, 2016, 12:19am

These patches were relevant to the server, and were only a part of the MS Bulletin IEM was trying to apply, but for some reason it misses these dlls, not the entire patch. The rest of the dlls within the same bulletin are applied correctly.

BaiYunfei · November 4, 2016, 12:49am

Hi Joe,

When a patch is installed in Windows, it’s not necessarily that all DLLs be updated by the patch. It is also possible that some DLLs are updated at a later time after patch installation. For example, sometimes updates to USB drivers will only be loaded in a cache folder, the actual DLLs will not be present/updated until the USB driver is loaded.

To confirm that a patch has been installed correctly, instead of looking at DLL versions, you can run a MBSA scan. The MBSA report will show which bulletins have been installed, and which ones are still missing.

You can also try to manually run the patch binary on affected devices to see whether it installs.

Lastly, if you do find a patch where the device needs it but BigFix reports not relevant, kindly open a PMR.

Thanks! Hope the above helps.