Question about MSRT

I’m working on a patching strategy for our company and we are transitioning from Microsoft WSUS to Bigfix.

Currently, I have moved around 650 machines into a WSUS container that has all WSUS patches declined so as not to interfere with Bigfix patching on those machines and to still get WSUS reporting data in case any patches fail to install or are needed.

One patch in particular always shows up as needed for these machines and that is the current months release of the Microsoft Malicious Software Removal Tool (MSRT).

In Bigfix, I have a baseline created that contains both MSRT - Deploy and MSRT - Upgrade, but was notified that the MSRT - Run tool would degrade performance pretty heavily if its action was taken so it was left out. However, I believe that, since it is not being run in BigFix, this is the reason the machine reports it not installed to WSUS.

I’m curious to know how others utilize this tool (if at all) and how they target and schedule the “Run” fixlet so as to only run after a new version of MSRT is installed on a machine.

Thanks in advance!

Hi Ryan,

The MSRT - Deploy is only needed once to deploy the tool to the machine, and after that we can use MSRT - Upgrade to upgrade the tool to current month’s latest.

MSRT is used to remove Malicious Software, as its name implies. Thus the MSRT - Run will only be necessary when we want to remove Malicious Software on a particular machine. Not running it may not be the reason that it being reported ‘not installed’ on WSUS, but you may want to logon to one of those machines and make sure.

If you have any issue using these Fixlets, it’s better to open a PMR and send in more details so support can help you further.

Thank you!

Thank you for your response. The research that I’ve done on MSRT from Microsoft says that every time a new version is installed on a machine (monthly) it is also run on the machine to check for anything that may be infecting it. “Microsoft releases a new version of the Microsoft Malicious Software Removal Tool every month. After you download the tool, the tool runs one time to check your computer for infection by specific prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any infection it finds. (https://support.microsoft.com/en-us/kb/890830)” If this is already happening from our WSUS environment, I’m not as worried about performance as it should be the same. Obviously, this is not our primary means of protection but its something we still want to use in our environment.

My concern is, if a PCI audit is run on our enterprise, we may be popped for not having it, even though it may actually be installed. Are there any thoughts on running it and only targeting the machines that have updated to the current months release?

Thanks!

It looks like the MSRT tasks in BigFix don’t actually install MSRT, they just put a copy of MSRT onto the endpoint, and then run it from that location. This is not actually the same as installing MSRT through Windows Update and it will not automatically get run every time it is deployed.

You can use both Windows Update or WSUS with BigFix. BigFix will only apply a patch that has not already been installed, so there shouldn’t be conflicts.

Ideally you would both install MSRT using BigFix in a similar way as Windows Update, but the existing MSRT tasks allow you to schedule runs of MSRT that are more frequent.