Evaluation Time For Action - 10 Minutes

(imported topic written by Steve91)

Hi Guys

I’m trying to figure out why one of the baselines we issue takes 10 minutes to evaluate (got the timings from the clientdebuglog)

It’s a patch run for some XP desktops

This is the relevance of the baseline:

(value "ProductType" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions" of registry as string as lowercase = "winnt") AND (member of group 5931 of site "actionsite")

It has the following components:

00-161752: MS08-001: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution - Windows XP SP2

00-161753: MS08-002: Vulnerability in LSASS Could Allow Local Elevation of Privilege - Windows XP SP2

00-161754: MS08-003: Vulnerability in Active Directory Could Allow Denial of Service - ADAM - Windows XP SP2

00-161755: MS08-005: Vulnerability in Internet Information Services Could Allow Elevation of Privilege - Windows XP SP2

00-161756: MS08-006: Vulnerability in Internet Information Services Could Allow Remote Code Execution - Windows XP SP2

00-161757: MS08-007: Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution - Windows XP SP2

00-161758: MS08-008: Vulnerability in OLE Automation Could Allow Remote Code Execution - Windows XP SP2

00-161759: MS08-008: Vulnerability in OLE Automation Could Allow Remote Code Execution - Visual Basic 6.0 SP6

00-161760: MS08-010: Cumulative Security Update for Internet Explorer - IE 6 - Windows XP SP2

00-161761: MS08-010: Cumulative Security Update for Internet Explorer - IE 7 - Windows XP SP2

00-161762: MS08-011: Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution - Office 2003 SP2/SP3

00-161763: MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution - Office 2007

00-161764: MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution - Excel Viewer 2003

00-161765: MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution - Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

00-161766: MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution - Outlook 2007

00-161767: MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution - Office Excel Viewer 2003

00-161768: MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution - Visual Studio .NET 2002 SP1

00-161769: MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution - Visual Studio .NET 2003 SP1

00-161770: MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution - Project 2000 SR-1

00-161771: MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution - Project 2002 SP1

00-161772: MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution - Project 2003 SP2

00-161773: MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution - Visio 2002 SP2

00-161774: MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution - Visio 2003 SP2/SP3

00-161775: MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution - Visio 2007 Gold/SP1

00-161776: MS08-020: Vulnerability in DNS Client Could Allow Spoofing - Windows XP SP2

00-161777: MS08-021: Vulnerabilities in GDI Could Allow Remote Code Execution - Windows XP SP2

00-161778: MS08-022: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution - Windows XP SP2

00-161779: MS08-023: Security Update of ActiveX Kill Bits - Windows XP SP2

00-161780: MS08-024: Cumulative Security Update for Internet Explorer - IE 6 - Windows XP SP2

00-161781: MS08-024: Cumulative Security Update for Internet Explorer - IE 7 - Windows XP SP2

00-161782: MS08-025: Vulnerability in Windows Kernel Could Allow Elevation of Privilege - Windows XP SP2

00-161783: MS08-026: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution - Office 2007

00-161784: MS08-026: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution - Office Word Viewer 2003

00-161785: MS08-026: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution - Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

00-161786: MS08-027: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution - Office 2007

00-161787: MS08-028: Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution - Windows XP SP2

00-161788: MS08-030: Vulnerability in Bluetooth Stack Could Allow Remote Code Execution - Windows XP SP2/SP3

00-161789: MS08-031: Cumulative Security Update for Internet Explorer - IE 6 - Windows XP SP2/SP3

00-161790: MS08-031: Cumulative Security Update for Internet Explorer - IE 7 - Windows XP SP2/SP3

00-161791: MS08-032: Cumulative Security Update of ActiveX Kill Bits - Windows XP SP2/SP3

00-161792: MS08-033: Vulnerabilities in DirectX Could Allow Remote Code Execution - DirectX 9.0 - Windows XP SP2/SP3

00-161793: MS08-035: Vulnerability in Active Directory Could Allow Denial of Service - ADAM - Windows XP SP2/SP3

00-161794: MS08-036: Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service - Windows XP SP2/SP3

00-161795: MS08-037: Vulnerabilities in DNS Could Allow Spoofing - DNS Client - Windows XP SP2/SP3

I target an automatic group with the baseline and the group has the following relevance:

((name of operating system as string as lowercase = "winxp") AND (exists folder "D:\minint\System32\Build\GroupPolicy" whose (exists file "XPC.js" of it)) AND (value "ProductType" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions" of registry as string as lowercase = "winnt") AND (distinguished name of local computer of active directory does not contain "OU=Accounts")) OR (computer name as string as lowercase starts with "scf" AND name of operating system as string as lowercase = "winxp") OR (computer name as string as lowercase starts with "d" AND value "CachePrimaryDomain" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry as string as lowercase = "csdev")

This relevance takes 1.5ms to evaluate

We’re running 7.0.7.96 server and clients

Is 10 minutes to be expected you think?

Cheers

Steve

(imported comment written by BenKus)

Hey Steve,

10 minutes is very long for that baseline… I imagine that something is wrong…

My guess is that you have something else wrong that is causing the long evaluation… Do you have a lot of constrained actions (perhaps large actions from baselines that are constrained by time of day or user or other things like that)?

Note that BigFix 7.0 using efficient mime (http://support.bigfix.com/cgi-bin/kbdirect.pl?id=420) is much more efficient with how it generates baselines and actions.

Ben

(imported comment written by Steve91)

Hi Ben

Yeah we do have a lot of constrained actions, I’m attempting to relax them a little.

What I think is odd is this particular action that’s taking 10 minutes to evaluate was an action issued last month and expired and deleted 2 weeks ago but is still being evaluated by the clients.

Shouldn’t evaluation have stopped if the action has been deleted?

Cheers

Steve

(imported comment written by BenKus)

Hi Steve,

Actions are removed from the BES Client when the action is stopped OR after it deletes and the user propagates any other action… So if this action was sent by a user and the user hasn’t sent another action for a long time, the action will still be on the agent. If the user sends out any other action, the agent will forget about the action.

Deleting actions only affects the console and the agents don’t know or care about deleted actions.

Ben