(imported topic written by Steve91)
Hi Guys
I’m trying to figure out why one of the baselines we issue takes 10 minutes to evaluate (I got the timings from the clientdebuglog).
It’s a patch run for some XP desktops.
This is the relevance of the baseline:
(value "ProductType" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions" of registry as string as lowercase = "winnt") AND (member of group 5931 of site "actionsite")
It has the following components:
00-161752: MS08-001: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution - Windows XP SP2
00-161753: MS08-002: Vulnerability in LSASS Could Allow Local Elevation of Privilege - Windows XP SP2
00-161754: MS08-003: Vulnerability in Active Directory Could Allow Denial of Service - ADAM - Windows XP SP2
00-161755: MS08-005: Vulnerability in Internet Information Services Could Allow Elevation of Privilege - Windows XP SP2
00-161756: MS08-006: Vulnerability in Internet Information Services Could Allow Remote Code Execution - Windows XP SP2
00-161757: MS08-007: Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution - Windows XP SP2
00-161758: MS08-008: Vulnerability in OLE Automation Could Allow Remote Code Execution - Windows XP SP2
00-161759: MS08-008: Vulnerability in OLE Automation Could Allow Remote Code Execution - Visual Basic 6.0 SP6
00-161760: MS08-010: Cumulative Security Update for Internet Explorer - IE 6 - Windows XP SP2
00-161761: MS08-010: Cumulative Security Update for Internet Explorer - IE 7 - Windows XP SP2
00-161762: MS08-011: Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution - Office 2003 SP2/SP3
00-161763: MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution - Office 2007
00-161764: MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution - Excel Viewer 2003
00-161765: MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution - Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
00-161766: MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution - Outlook 2007
00-161767: MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution - Office Excel Viewer 2003
00-161768: MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution - Visual Studio .NET 2002 SP1
00-161769: MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution - Visual Studio .NET 2003 SP1
00-161770: MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution - Project 2000 SR-1
00-161771: MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution - Project 2002 SP1
00-161772: MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution - Project 2003 SP2
00-161773: MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution - Visio 2002 SP2
00-161774: MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution - Visio 2003 SP2/SP3
00-161775: MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution - Visio 2007 Gold/SP1
00-161776: MS08-020: Vulnerability in DNS Client Could Allow Spoofing - Windows XP SP2
00-161777: MS08-021: Vulnerabilities in GDI Could Allow Remote Code Execution - Windows XP SP2
00-161778: MS08-022: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution - Windows XP SP2
00-161779: MS08-023: Security Update of ActiveX Kill Bits - Windows XP SP2
00-161780: MS08-024: Cumulative Security Update for Internet Explorer - IE 6 - Windows XP SP2
00-161781: MS08-024: Cumulative Security Update for Internet Explorer - IE 7 - Windows XP SP2
00-161782: MS08-025: Vulnerability in Windows Kernel Could Allow Elevation of Privilege - Windows XP SP2
00-161783: MS08-026: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution - Office 2007
00-161784: MS08-026: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution - Office Word Viewer 2003
00-161785: MS08-026: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution - Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
00-161786: MS08-027: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution - Office 2007
00-161787: MS08-028: Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution - Windows XP SP2
00-161788: MS08-030: Vulnerability in Bluetooth Stack Could Allow Remote Code Execution - Windows XP SP2/SP3
00-161789: MS08-031: Cumulative Security Update for Internet Explorer - IE 6 - Windows XP SP2/SP3
00-161790: MS08-031: Cumulative Security Update for Internet Explorer - IE 7 - Windows XP SP2/SP3
00-161791: MS08-032: Cumulative Security Update of ActiveX Kill Bits - Windows XP SP2/SP3
00-161792: MS08-033: Vulnerabilities in DirectX Could Allow Remote Code Execution - DirectX 9.0 - Windows XP SP2/SP3
00-161793: MS08-035: Vulnerability in Active Directory Could Allow Denial of Service - ADAM - Windows XP SP2/SP3
00-161794: MS08-036: Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service - Windows XP SP2/SP3
00-161795: MS08-037: Vulnerabilities in DNS Could Allow Spoofing - DNS Client - Windows XP SP2/SP3
I target an automatic group with the baseline and the group has the following relevance:
((name of operating system as string as lowercase = "winxp") AND (exists folder "D:\minint\System32\Build\GroupPolicy" whose (exists file "XPC.js" of it)) AND (value "ProductType" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions" of registry as string as lowercase = "winnt") AND (distinguished name of local computer of active directory does not contain "OU=Accounts")) OR (computer name as string as lowercase starts with "scf" AND name of operating system as string as lowercase = "winxp") OR (computer name as string as lowercase starts with "d" AND value "CachePrimaryDomain" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of registry as string as lowercase = "csdev")
This relevance takes 1.5 ms to evaluate.
We’re running 7.0.7.96 server and clients.
Is 10 minutes to be expected, do you think?
Cheers
Steve