I am currently demoing BigFix and have a question… One of my servers shows it needs KB973917: http://support.microsoft.com/kb/973917 when I go to Windows Update on it… However, BigFix doesn’t show it needs this update…
So, then I went into “All Fixlet Messages” and searched for this specific update to see if it’s even listed and it’s not… Am I doing something wrong?
Also, KB973685, KB973686, KB973687, KB963707, and KB961118 to name a few others are listed as needed via a server on Windows Update but not showing at all via search in BigFix.
Thanks for the reply… According to Windows Updates they are. They were in the “High Priority” section on their site after it scanned this PC. I should have taken a screen shot…
Here is a slightly different issue and maybe I should make another thread… A Nessus scan shows this PC needs these updates while BigFix says it does not.
Our web filter says the site below has a bad reputation. As web filters are known to be wrong this may be a chicken little scenario, but I thought I’d let you and others know that there may be a problem with site.
I believe these aren’t security related and not major updates and so they are not considered in our normal patches sites…
For your Nessus report, many of those patches are superseded… BigFix only shows you the latest needed patch and not the superseded patch (in my opinion, it is very annoying to see the superseded patches)…
You can check on Microsoft’s site for the superseded Fixlets or we have a useful post here:
OK. So I think that’s what it is with the updates not showing. For example in this screen shot… The first 3 updates under W2K3 aren’t security related so BigFix doesn’t publish them?
However, the Office 2003 ones are for vulnerabilities but BigFix is not displaying them for this PC.
MSRT is in BigFix Patches for Windows, as "Windows Security: Microsoft Windows Malicious Software Removal Tool - Uninstall" – we don’t reference the KB article number.
KB976382 is MS10-031, and KB973705 is MS09-060. The way to troubleshoot non-relevance of a patch that you suspect is necessary is to look at the fixlet message’s details tab. Extract this (http://software.bigfix.com/download/bes/72/FixletDebugger-7.5.0.933.zip) on the machine you suspect, run fixletdebugger.exe and click New QnA tab. Then copy and paste the relevance from the fixlet into the window, put "q: " in front of each line, and press F5. It will then execute the code and tell you what didn’t match.
So whenever a “False” is returned in the debugging tool that is telling me that the patch isn’t relevant? Even if Nessus or Windows Update tells me it’s missing?
This sucks (not BigFix, just the situation in general)… We had an internal audit done and found a lot of machines supposedly missing patches… Granted, most actually were, but some via BigFix are saying they aren’t while the Nessus audit report says they are! ARGH!!
No dig on Tenable, they do amazing stuff without an agent… but having an agent lets you be a lot more picky about what is truly there. Unfortunately there is often disagreement between tools because of their differing technological approaches. We try to minimize the impact of this disagreement by making it easy to see where our decisions are coming from, but I have to agree that the overall situation leaves something to be desired.
EDIT to add another thought:
Another way to sort the two different models is vulnerabilities versus patches. A patch can cover a lot of vulnerabilities, so looking at an unpatched system with a vulnerability scanner will often come up with a lot more issues than the list of missing patches that we provide. Two different approaches to the same goal.
When I run the debugger it returns below… So if the file version is truly 12.0.6308.5000 (verified) then why wouldn’t BigFix think it needs patched? Thanks
q:if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false
A: True
q:(language of version block of file "kernel32.dll" of system folder contains "English") OR (exists key "HKLM\System\CurrentControlSet\Control\Nls\MUILanguages" whose (exists value of it) of registry)
A: True
q:not exists values "PROCESSOR_ARCHITECTURE" whose (it as string as lowercase = "ia64") of keys "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry
A: True
q:if (exists regapp "mspub.exe" whose (version of it = "12" AND version of it >= "12.0.6211.1000")) then (((exists file "MORPH9.DLL" whose (version of it < ") of it) OR (exists file "MSPUB.EXE" whose (version of it < "12.0.6527.5000") of it) OR (exists file "PRTF9.DLL" whose (version of it < "12.0.6500.5000") of it) OR (exists file "PTXT9.DLL" whose (version of it < "12.0.6500.5000") of it) OR (exists file "PUBCONV.DLL" whose (version of it < "12.0.6501.5000") of it) OR (exists file "PUBTRAP.DLL" whose (version of it < "12.0.6500.5000") of it)) of folder (pathname of parent folder of regapp "mspub.exe") AND (exists key whose ((it >= "12.0.6215.1000" AND it <= "12.0.6425.1000") of (value "DisplayVersion" of it as string as version) AND exists value "DisplayName" of it AND (((length of it = 38) AND (it contains "000000FF1CE%7D") AND ((it = "0000" OR (hexadecimal integer it = 1033)) of last 4 of (first 19 of it)) AND ((it = "0011" OR it = "0014" OR it = "002E" OR it = "0030" OR it = "0031" OR it = "0035" OR it = "00CA") of last 4 of (first 14 of it))) of (name of it))) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry)) else (exists key whose ((it >= "12.0.6215.1000" AND it <= "12.0.6425.1000") of (value "DisplayVersion" of it as string as version) AND exists value "DisplayName" of it AND (((length of it = 38) AND (it contains "000000FF1CE%7D") AND ((it = "0000" OR (hexadecimal integer it = 1033)) of last 4 of (first 19 of it)) AND ((it = "0011" OR it = "0014" OR it = "002E" OR it = "0030" OR it = "0031" OR it = "0035" OR it = "00CA") of last 4 of (first 14 of it))) of (name of it))) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry)
A: False
q:not exists keys whose (value "DisplayName" of it as string contains "KB980470") of keys "Patches" of keys of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products" of registry
I don’t have a machine with Microsoft Publisher on it handy, but that looks like it’s seeking a very specific version of Office and the mspub.exe. I’ll ask to be sure, but after reading http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx I think that what you’re seeing is understandable. In the security advisory, the second FAQ notes that Microsoft’s test will trigger if your Office Suite version includes Publisher, whether you’ve installed it or not. Because the logic in that fixlet looks for the actual file, I suspect we’re not applying the patch because Publisher isn’t installed. Does your test machine actually have Publisher installed?
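The debugger procedure described earlier and the relevance pasted above are easier to reason about when each clause is evaluated on its own. The following is an added illustration, not BigFix code and not part of this thread: a Python model of the clause structure of that MS10-023 Publisher relevance, run against a constructed inventory. The file-version thresholds, SKU codes, LCID test and the SP1..SP2 DisplayVersion window are taken from the relevance as quoted; the MORPH9.DLL threshold is omitted because it is truncated in the forum copy. The `Inventory` class, the `sample()` machine and the DisplayVersion values fed to it are assumptions made for the example, and the reading of `version of it = "12"` as "major component is 12" is mine.

```python
"""Added illustration (not BigFix code): a Python model of the clause structure
of the MS10-023 Publisher relevance quoted in the thread, evaluated against a
constructed inventory so each clause can be inspected on its own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# File-version thresholds copied from the quoted relevance.  MORPH9.DLL is left
# out on purpose: its threshold is truncated in the forum copy.
VULNERABLE_BELOW = {
    "MSPUB.EXE": "12.0.6527.5000",
    "PRTF9.DLL": "12.0.6500.5000",
    "PTXT9.DLL": "12.0.6500.5000",
    "PUBCONV.DLL": "12.0.6501.5000",
    "PUBTRAP.DLL": "12.0.6500.5000",
}
# Characters 11-14 of the Office 2007 product GUID are the SKU code (the seven
# the fixlet accepts); characters 16-19 are the LCID: 0000 or 0409 (hex 1033).
OFFICE_2007_SKUS = {"0011", "0014", "002E", "0030", "0031", "0035", "00CA"}
DISPLAY_VERSION_WINDOW = ("12.0.6215.1000", "12.0.6425.1000")
SUPERSEDING_KB = "KB980470"


def as_version(s: str) -> Tuple[int, ...]:
    """Numeric, component-wise comparison, like BigFix 'as version'."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class Inventory:
    """Constructed stand-in for what the inspectors read on the endpoint."""
    mspub_version: Optional[str]               # registered mspub.exe version, None if absent
    publisher_files: Dict[str, str]            # file name -> version in Publisher's folder
    uninstall_keys: Dict[str, Dict[str, str]]  # GUID key name -> {DisplayName, DisplayVersion}
    installed_patches: List[str]               # MSI patch DisplayNames under S-1-5-18\Products


def publisher_registered(inv: Inventory) -> bool:
    # My reading of 'version of it = "12" AND version of it >= "12.0.6211.1000"'.
    if inv.mspub_version is None:
        return False
    v = as_version(inv.mspub_version)
    return v[0] == 12 and v >= as_version("12.0.6211.1000")


def vulnerable_file_present(inv: Inventory) -> bool:
    return any(
        name in inv.publisher_files
        and as_version(inv.publisher_files[name]) < as_version(limit)
        for name, limit in VULNERABLE_BELOW.items()
    )


def office_2007_key_present(inv: Inventory) -> bool:
    lo, hi = (as_version(b) for b in DISPLAY_VERSION_WINDOW)
    for key_name, values in inv.uninstall_keys.items():
        if "DisplayName" not in values or "DisplayVersion" not in values:
            continue
        if not lo <= as_version(values["DisplayVersion"]) <= hi:
            continue
        # '%7D' in the relevance is the inspector's escaping of '}'.
        if len(key_name) != 38 or not key_name.endswith("000000FF1CE}"):
            continue
        sku, lcid = key_name[:14][-4:], key_name[:19][-4:]
        if sku in OFFICE_2007_SKUS and (lcid == "0000" or int(lcid, 16) == 1033):
            return True
    return False


def superseding_patch_absent(inv: Inventory) -> bool:
    return not any(SUPERSEDING_KB in name for name in inv.installed_patches)


def evaluate(inv: Inventory) -> Dict[str, bool]:
    """One entry per clause, so the failing one is visible, plus the verdict."""
    r = {
        "publisher_registered": publisher_registered(inv),
        "vulnerable_file_present": vulnerable_file_present(inv),
        "office_2007_key_present": office_2007_key_present(inv),
        "superseding_patch_absent": superseding_patch_absent(inv),
    }
    if r["publisher_registered"]:
        product = r["vulnerable_file_present"] and r["office_2007_key_present"]
    else:
        product = r["office_2007_key_present"]
    r["relevant"] = product and r["superseding_patch_absent"]
    return r


def sample(display_version: str, installed_patches=()) -> Inventory:
    """Constructed machine: Publisher at the thread's reported 12.0.6308.5000,
    an Office 2007 product (SKU 0011, LCID 0409) at the given DisplayVersion."""
    return Inventory(
        mspub_version="12.0.6308.5000",
        publisher_files={"MSPUB.EXE": "12.0.6308.5000"},
        uninstall_keys={"{90120000-0011-0409-0000-0000000FF1CE}": {
            "DisplayName": "Microsoft Office Professional Plus 2007",
            "DisplayVersion": display_version}},
        installed_patches=list(installed_patches),
    )


if __name__ == "__main__":
    # Constructed DisplayVersion outside the SP1..SP2 window: the file clause
    # passes but the registry clause fails, so the whole expression is False.
    print("out of window:", evaluate(sample("12.0.6612.1000")))
    print("in window:    ", evaluate(sample("12.0.6425.1000")))
```

Running it shows the point of the debugger exercise: the Publisher binary at 12.0.6308.5000 does satisfy the file-version test, so a False verdict has to come from one of the other conjuncts, here the Uninstall-key window, not from the file check.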
Not really an update… I honestly can’t even remember which specific PC had this issue. You’ve seen my last reply to this thread so nothing further from BigFix support on here…
I will say that on a different PC I had the following:
BigFix shows 1 Microsoft Updates Needed
Microsoft Update shows 0 Microsoft Updates Needed
Nessus shows 13 Microsoft Updates Needed
Shavlik NetChk shows 105 Updates Needed !?
So, I have 4 different solutions showing 4 different things! I’ve also had it where Microsoft Update shows numerous updates that BigFix doesn’t etc etc…
Yea, I have run into this myself and I have 99% faith in BF so far but it’s hard to blindly trust something when it comes to patching. I think the main reason for the discrepancy between BF and MS is that if BigFix is indeed only showing the newest patch solution (i.e. Patch “A” Ver. 1.3) then MS is saying you still need Patch “A” Ver. 1.1 and Patch “A” Ver. 1.2 even though you are fully covered with 1.3 . . . This seems to be most apparent in our systems that had a long hiatus in patching before we got BF so MS is griping about the older patch versions missing.
One thing I also wonder is if there is an easy way to search information in the list of all fixlets? I would really like to be able to take the KB# from windows update and trace the lineage of the specific update in BF. Also, does anyone know if there is an easy way to derive the Bulletin # for a given update? I would want take KB# from windows update and find the corresponding Bulletin # and then find the corresponding fixlet in BF . . .
(I am still fairly new to BigFix and system patching in general so anyone please feel free to step on my foot if I am not understanding/explaining any of this correctly)
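The "vulnerabilities versus patches" distinction raised earlier in the thread and the supersedence chain described in the post above can be made concrete with a small model. The following is an added illustration, not code from BigFix, Tenable, Microsoft or Shavlik, and not part of this thread: a constructed catalog of four patches in which the "A" patches form a supersedence chain, counted three ways: only the newest needed patch per chain, every patch not installed, and every vulnerability no installed patch closes. The patch names, vulnerability identifiers and supersedence links are all made up for the example; the point is only that one machine state produces three different counts.

```python
"""Added illustration, not vendor code: three ways of counting 'missing updates'
over one constructed patch catalog, showing why an agent that reports only the
newest needed patch, a per-patch list, and a vulnerability scanner disagree."""
from typing import Dict, Set

# Constructed catalog: patch -> (patches it supersedes, vulnerabilities it fixes).
# A superseding patch is treated as cumulative: it carries every fix of what it
# replaces.  Names are invented for the example.
CATALOG: Dict[str, Dict[str, Set[str]]] = {
    "A-1.1": {"supersedes": set(),     "fixes": {"V-1", "V-2"}},
    "A-1.2": {"supersedes": {"A-1.1"}, "fixes": {"V-3"}},
    "A-1.3": {"supersedes": {"A-1.2"}, "fixes": {"V-4"}},
    "B-1.0": {"supersedes": set(),     "fixes": {"V-5", "V-6", "V-7"}},
}


def superseded_by(patch: str, catalog=CATALOG) -> Set[str]:
    """Every catalog patch that directly or transitively supersedes `patch`."""
    result: Set[str] = set()
    frontier = {patch}
    while frontier:
        nxt = {p for p, e in catalog.items() if e["supersedes"] & frontier}
        frontier = nxt - result
        result |= nxt
    return result


def covered_fixes(installed: Set[str], catalog=CATALOG) -> Set[str]:
    """Vulnerabilities closed by the installed patches and everything they replace."""
    closed: Set[str] = set()
    frontier = set(installed) & set(catalog)
    while frontier:
        closed |= frontier
        frontier = set().union(*(catalog[p]["supersedes"] for p in frontier)) - closed
    return set().union(*(catalog[p]["fixes"] for p in closed))


def needed_latest_only(installed: Set[str], catalog=CATALOG) -> Set[str]:
    """Agent-style view: only chain heads (nothing supersedes them) that are not installed."""
    heads = {p for p in catalog if not superseded_by(p, catalog)}
    return {p for p in heads if p not in installed}


def needed_every_patch(installed: Set[str], catalog=CATALOG) -> Set[str]:
    """Per-patch view: every catalog patch not itself installed, superseded or not."""
    return set(catalog) - set(installed)


def exposed_vulnerabilities(installed: Set[str], catalog=CATALOG) -> Set[str]:
    """Scanner view: vulnerabilities that no installed (or replaced) patch fixes."""
    all_fixes = set().union(*(e["fixes"] for e in catalog.values()))
    return all_fixes - covered_fixes(installed, catalog)


def report(installed: Set[str], catalog=CATALOG) -> Dict[str, int]:
    """The three counts a single machine state produces under the three models."""
    return {
        "latest_only": len(needed_latest_only(installed, catalog)),
        "every_patch": len(needed_every_patch(installed, catalog)),
        "vulnerabilities": len(exposed_vulnerabilities(installed, catalog)),
    }


if __name__ == "__main__":
    for state in (set(), {"A-1.3"}, {"A-1.1", "B-1.0"}):
        print(sorted(state) or "nothing installed", report(state))
```

With nothing installed the same constructed machine reports 2, 4 and 7; with only A-1.3 installed it reports 1, 3 and 3. Whether a given product actually lists superseded patches is a question for that product's documentation; the model only shows how far apart honest counts under different definitions can be.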
You have a vulnerability on your system, it’s called MICROSOFT OUTLOOK!!!
Seriously though, I have little faith in this BigFix junk. I know that the Tie Guys like it, but in practice, it’s far less effective than a real life Admin.