MS15-116 (KB3101365) for Visio relevant to machines without Visio installed?

Hey all, new to both BigFix administration and the forum so please let me know if I’m not doing something right.

We’re seeing thousands of machines without Microsoft Visio installed, reporting as relevant for MS15-116 fixlets that, according to the MS bulletin, should not be relevant, i.e.: “To apply this security update, you must have the release version of Service Pack 1 for Visio 2013 installed on the computer.”

Anyone else seeing this or know why we may be seeing it? Any help would be appreciated.

Thanks.


Sounds like a relevance error somewhere in that fixlet.

You can run each relevance statement separately in the Fixlet Debugger on an affected system to try to determine which relevance is TRUE that should not be.

Hi,

Sorry to hear that you are having problems with this content. Could you please open a PMR with problem descriptions so that the content team can look into the problem here?

Thanks.

Yeah, I thought this might be the case and this was what I was trying to avoid :slight_smile: Was hoping maybe someone else had seen this.

Any good methods for doing this with a huge relevance?


Will do. Was waiting to see if I got any useful answers on here before resorting to an IBM service request. Thanks.

In case it’s of interest, my machine only has Office 2013 but KB3101365 has been installed successfully using Microsoft patch tools.

When I check into possible false positives I start by running an MBSA scan. I favour the command line mbsacli.exe with the output to XML, as I then send this if I open a PMR to show what Microsoft’s own detection tools detect. If the patch is seen as missing by MBSA then it isn’t a false positive, so no need to open a PMR.

If the patch is not seen as required nor installed by MBSA then it could well be a false positive, and the more info you can send to IBM in the PMR, the better it will be. The fixlet relevance for Office family checks is typically looking at registry data to ascertain if a product the patch pertains to is present, and it then looks in the patches hive for the product for the patch GUID. I would take the fixlet relevance for the registry checks and break it down into individual checks to see what product may be triggering the fixlet to be seen as relevant. Whichever line evaluates as True is the one that is probably causing the fixlet to be seen as relevant. I would then try to manually install the update from the EXE from Microsoft. The EXE contains a mini WUA scan to check if the patch is required, so if the EXE runs and throws back a message stating that no products affected by the update were detected or that the patch does not apply, I would take a screen grab. Then for the PMR send IBM the XML of the MBSA scan, the evaluated results of the attached QNA file, the screen grab of the manual patch install attempt and finally export and send IBM the entire HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products hive.

Regs
Rob

I understand, but as Rob suggested, I’m afraid there won’t be a simple and straightforward solution to this. Maybe the content team can save you some trouble of going through the analysis. :smile:

Thanks for all the suggestions. After searching for the files listed in the relevance expression, only the following two (Visio Shell Extension) DLLs can be found present (although not necessarily requiring updating) on a machine returning as relevant for this update:

A: VISSHE.DLL, 15.0.4545.1000, C:\Program Files\Microsoft Office\Office15\VISSHE.DLL

A: VISSHE.DLL, 15.0.4454.1000, C:\Program Files (x86)\Microsoft Office\Office15\VISSHE.DLL

In RELEVANCE 4, after changing “not exists” to “exists” (i.e. making this relevant only to machines with Visio 2013 SP1 installed) as highlighted here:

(exists keys ("00005109450001400000000000F01FEC";"00005119330000000000000000F01FEC";"000051094500F1400000000000F01FEC";"000051094500D1400000000000F01FEC";"00005109450042400000000000F01FEC";"000051094500B1400000000000F01FEC";"00005109450090400000000000F01FEC";"000051094500D0400000000000F01FEC";"00005109450022400000000000F01FEC";"00005109450080400000000000F01FEC";"00005109450040800000000000F01FEC";"000051094500C0400000000000F01FEC";"000051094500E0400000000000F01FEC";"00005109450060400000000000F01FEC";"000051094500B0400000000000F01FEC";"00005109450070400000000000F01FEC";"00005119110000000000000000F01FEC";"00005119310000000000000000F01FEC";"00005109110000000000000000F01FEC";"00005119F20000000000000000F01FEC";"00005119350000000000000000F01FEC";"00005109450050400000000000F01FEC";"00005109450061800000000000F01FEC";"00005119150000000000000000F01FEC";"00005109450091400000000000F01FEC";"00005109450040400000000000F01FEC";"00005109450010400000000000F01FEC";"00005109350000000000000000F01FEC";"00005109150000000000000000F01FEC";"00005109450061400000000000F01FEC";"00005109450051400000000000F01FEC";"00005109450041400000000000F01FEC";"00005109450081400000000000F01FEC";"00005109450021400000000000F01FEC";"00005109450031400000000000F01FEC";"00005109450011400000000000F01FEC";"000051094500A0C00000000000F01FEC";"00005119410000000000000000F01FEC") whose (exists key "InstallProperties" whose ((it = "15.0.4569.1506") of (value "DisplayVersion" of it as string as version)) of it AND exists key "5A522C912A7AE75478BDD4D2CA992EE3" of key "Patches" of it) of it OR exists keys ("00005159B50090400000000000F01FEC") whose (exists key "InstallProperties" whose ((it = "15.0.4454.1509") of (value "DisplayVersion" of it as string as version)) of it AND exists key "5A522C912A7AE75478BDD4D2CA992EE3" of key "Patches" of it) of it) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products" of native registry

After this change, the number of relevant machines drops from approx. 1,500 to 350 (all of which obviously have Visio actually installed). This number makes way more sense to me…I don’t see why the update is required on any machine that doesn’t have Visio installed.
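The per-check breakdown suggested earlier in the thread, applied to the registry expression in the post above, as an added example that is not part of any post or of the IBM fixlet content. It lists each candidate product key with its DisplayVersion and whether the patch key is present, then shows how the "exists" and "not exists" forms evaluate on that machine. Assumptions: keys are matched on the F01FEC suffix rather than the explicit list, the two version values are pooled, and the negation is taken to cover the whole registry test.

```powershell
# Added example (not from the fixlet): per-product view of the registry test in RELEVANCE 4.
# Run in 64-bit PowerShell on 64-bit Windows so the view matches "native registry".
$products = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
$patchKey = '5A522C912A7AE75478BDD4D2CA992EE3'   # patch key name from the expression
# DisplayVersion values the expression tests (pooled here; the expression ties
# each one to its own list of product keys).
$wanted   = [version]'15.0.4569.1506', [version]'15.0.4454.1509'

$rows = @(
    Get-ChildItem -Path $products -ErrorAction SilentlyContinue |
    # Assumption: filter on the F01FEC suffix shared by every product key in the
    # expression instead of repeating its explicit list, so extra products may show up.
    Where-Object { $_.PSChildName -like '*F01FEC' } |
    ForEach-Object {
        $props = Get-ItemProperty -Path "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue
        $ver   = $props.DisplayVersion -as [version]      # $null if missing or unparsable
        $verOk = ($null -ne $ver) -and ($wanted -contains $ver)
        $patch = Test-Path -Path "$($_.PSPath)\Patches\$patchKey"
        [pscustomobject]@{
            ProductKey      = $_.PSChildName
            DisplayName     = $props.DisplayName
            DisplayVersion  = $props.DisplayVersion
            VersionMatches  = $verOk
            PatchKeyPresent = $patch
            InnerTestTrue   = $verOk -and $patch           # the "whose (...)" condition
        }
    }
)

# One row per candidate product: shows which key, if any, satisfies the inner test.
$rows | Format-Table -AutoSize

# A machine with no matching product keys yields no rows, so the "exists" form is
# False and the "not exists" form is True even though Visio is absent.
$exists = @($rows | Where-Object { $_.InnerTestTrue }).Count -gt 0
'exists form     : {0}' -f $exists
'not exists form : {0}' -f (-not $exists)
```

The table output can be attached to a PMR alongside the Fixlet Debugger results and the exported Products hive.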