CLEANACCESS Archives

September 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Mary-Ellen Ide <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Tue, 15 Sep 2009 16:44:02 -0400

The following is what I noticed with our XP Media users.  Maybe someone
else can shed some light on this.  I am thinking of creating a custom
rule for the SP 2 issue as that seems to be the problem.   Also, the XP
Media users were all passing the checks fine until about 5 days ago.

I noticed that the "pr_XP_MCE_Hotfixes" requirement for XP Media Center
machines contains some checks that have "or" statements.  For example,
user reports show the user as failing pc_XP64 but the user passes
pc_Windows-XP-SP3.  It gets past this point (I think) because the
"pr_XP_MCE_Hotfixes" requirement contains:
(pc_XP64)|((pc_Windows-XP-SP3|pc_Windows-XP-SP3-int)
So in order to pass this part, the PC must meet any of those 3 checks.

The part that all XP Media clients are failing appears to be the SP2
checks.  The pc's all have SP3 installed.  There are two "or" checks and
both fail.

pc_Windows-XP-SP2, Registry Check
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2
It shows as Service Pack 3 and not 2.

pc_Windows-XP-SP2-int, Registry Check
\HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\windows\CSDVersion equals 512
The 512 shows as 300 on the machines.


Here is the full list of checks with the "and" "or" expressions, etc.
(pc_XP64)
|(
  (pc_Windows-XP-SP3|pc_Windows-XP-SP3-int)
  &((!pc_Windows-JScript-ver5_6|pc_Windows-JScript-ver5_9)|(pc_XP_KB971961_MS09-045_JS58|pc_XP_KB971961_MS09-045_JS57|pc_XP_KB971961_MS09-045_JS56))
  &pc_XP_KB956844_MS09-046
  &(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)
  &pc_XP_KB971557_MS09-038
  &pc_XP_KB973507_MS09-037
  &pc_XP_KB973869_MS09-037
  &pc_KB973346_MS09-032_XP
  &(pc_KB961371_MS09-029_XP|pc_KB961371_v2_MS09-029_XP)
  &pc_KB971633_MS09-028_XP
  &pc_KB960803_MS09-013_XP
  &pc_KB958687_MS09-001_XP
  &pc_KB956802_MS08-071_XP
  &pc_KB958644_MS08-067_XP_SP3
  &(pc_KB954593_MS08-052_XP|pc_KB954593_MS08-052_XP_V2)
  &pc_KB952954_MS08-046_XP_SP3
  &(pc_MSXML3_MS08-069_XP)
  &(((pc_IE8_0&pc_XP_KB972260_MS09-034_IE8)|(pc_IE7_0&pc_XP_KB972260_MS09-034_IE7)|(pc_IE6_0&pc_XP_KB972260_MS09-034_IE6))&(!(pc_Flash_6_0_79&(pc_Flash_6r79_Registered_LC|pc_Flash_6r79_Registered_UC))|pc_KB923789_MS06-069_XP_SP2))
)
|(
  (pc_Windows-XP-SP2|pc_Windows-XP-SP2-int)
  &((!pc_Windows-JScript-ver5_6|pc_Windows-JScript-ver5_9)|(pc_XP_KB971961_MS09-045_JS58|pc_XP_KB971961_MS09-045_JS57|pc_XP_KB971961_MS09-045_JS56))
  &pc_XP_KB956844_MS09-046
  &(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)
  &pc_XP_KB971557_MS09-038
  &pc_XP_KB973507_MS09-037
  &pc_XP_KB973869_MS09-037
  &pc_KB973346_MS09-032_XP
  &(pc_KB961371_MS09-029_XP|pc_KB961371_v2_MS09-029_XP)
  &pc_KB971633_MS09-028_XP
  &pc_KB960803_MS09-013_XP
  &pc_KB958687_MS09-001_XP
  &pc_KB956802_MS08-071_XP
  &pc_KB958644_MS08-067_XP_SP2
  &(pc_KB954593_MS08-052_XP|pc_KB954593_MS08-052_XP_V2)
  &pc_KB952954_MS08-046_XP_SP2
  &(pc_MSXML3_MS08-069_XP)
  &((pc_IE6_0&pc_XP_KB972260_MS09-034_IE6)|(pc_IE7_0&pc_XP_KB972260_MS09-034_IE7&(pc_KB938127_MS07-050_XP_SP2_IE7|pc_KB938127_MS07-050_XP_SP2_IE7_V2))|(pc_IE8_0&pc_XP_KB972260_MS09-034_IE8))
  &(!(pc_Flash_6_0_79&(pc_Flash_6r79_Registered_LC|pc_Flash_6r79_Registered_UC))|pc_KB923789_MS06-069_XP_SP2)
)


An example of one of the reports:

Windows Critical Updates (Mandatory)
Passed Checks:
pc_Windows-XP-SP3
pc_Windows_ehkeyctl
pc_XP_KB956844_MS09-046
pc_Windows-JScript-ver5_6
pc_XP_KB971961_MS09-045_JS57
Failed Checks:
pc_XP64, File Check [c:\windows\syswow64\kernel32.dll exists ]
pc_Windows-XP-SP2-int, Registry Check [\HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\windows\CSDVersion equals 512]
pc_Windows-XP-SP2, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2]
pc_Windows-JScript-ver5_9, File Check [$SYSTEM_32\Jscript.dll later than 5.9.0.0]
pc_XP_MCE_KB973768_MS09-037, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB973768\ exists ]
pc_XP_KB971961_MS09-045_JS58, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP0\KB971961-IE8\Filelist\ exists ]
Not executed Checks:
pc_KB952954_MS08-046_XP_SP3
pc_KB952954_MS08-046_XP_SP2
pc_XP_KB971557_MS09-038
KB958644_MS08-067_XP_
pc_KB958644_MS08-067_XP_SP3
pc_KB958644_MS08-067_XP_SP2
pc_MSXML3_MS08-069_XP
pc_KB971633_MS09-028_XP
pc_XP_KB973507_MS09-037
pc_KB923789_MS06-069_XP_SP2
pc_IE8_0
pc_KB938127_MS07-050_XP_SP2_IE7_V2
pc_KB973346_MS09-032_XP
pc_KB956802_MS08-071_XP
pc_IE7_0
pc_KB958687_MS09-001_XP
pc_KB961371_MS09-029_XP
Windows-XP-SP3
pc_KB961371_v2_MS09-029_XP
pc_IE6_0
pc_KB954593_MS08-052_XP_V2
pc_Flash_6r79_Registered_LC
pc_Flash_6_0_79
pc_Flash_6r79_Registered_UC
pc_KB938127_MS07-050_XP_SP2_IE7
pc_KB960803_MS09-013_XP
pc_Windows-XP-SP3-int
pc_XP_KB971961_MS09-045_JS56
pc_XP_KB972260_MS09-034_IE8
pc_XP_KB972260_MS09-034_IE7
pc_KB954593_MS08-052_XP
pc_XP_KB973869_MS09-037
pc_XP_KB972260_MS09-034_IE6


Mary Ide
Internet Security Engineer
Johnson & Wales University
SANS GPEN #1514
SANS GCIH #1794
SANS GWAS #1728
[log in to unmask]


-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Biddle, Rob
Sent: Tuesday, September 15, 2009 2:37 PM
To: [log in to unmask]
Subject: Re: XP Media Center Checks

We just had a student come to the help desk with this issue.  Looks like
the most recent Cisco checks have not changed.  Does Cisco already have
an open ticket for this issue?

- Rob

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of CARSON, MICHAEL
Sent: Monday, September 14, 2009 3:03 PM
To: [log in to unmask]
Subject: Re: XP Media Center Checks

Looking into more problematic machines, I noticed that even MCE 2005
machines were failing the check.  973768 installs correctly but still
fails the check.  I looked around the registry and the key that CCA
looks for (HKLM/Software/Microsoft/Updates/Windows XP/SP4/KB973768) is
not present but the update puts the key in
HKLM/Software/Microsoft/Updates/Windows XP/SP3/KB973768.  I have not
had to create that fake file so I am wondering why our situation is
different.  We are running 4.1.3.2 agent.

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Mike Hanson
Sent: Monday, September 14, 2009 2:50 PM
To: [log in to unmask]
Subject: Re: XP Media Center Checks

Tom,

We have had around 5 Media Center machines fail Clean Access checks.
All of them were looking for this file
"c:\windows\syswow64\kernel32.dll exists". To get around the failure we
manually add that fake file and it passes the check.

I agree, there is a problem with the Clean Access OS fingerprint.

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
 
(218)-723-7097
[log in to unmask]
>>> Tom Stachowiak <[log in to unmask]> 9/14/2009 1:37 PM >>>
I have seen three machines just today suffering from this. First one I
tried manually installing the KB hotfix but it did not fix the issue.
The original Media Center 2002 does not need it; any newer 2003 and 4 get
upgraded to Media Center 2005 when you install XP SP 2. They need to
update the OS fingerprint?
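
Added example (not part of any message in this thread and not Cisco's code): a small evaluator for the requirement expression quoted above, run against the passed checks from the sample report, recording which checks are actually executed. The rule is abridged, and the operator precedence (! over & over |) and left-to-right short-circuiting are assumptions.

```python
import re

# Abridged from the requirement quoted in the thread: the XP64 alternative and the
# leading clauses of the SP3 and SP2 branches (later "&" clauses left out).
RULE = ("(pc_XP64)"
        "|((pc_Windows-XP-SP3|pc_Windows-XP-SP3-int)"
        "&((!pc_Windows-JScript-ver5_6|pc_Windows-JScript-ver5_9)"
        "|(pc_XP_KB971961_MS09-045_JS58|pc_XP_KB971961_MS09-045_JS57"
        "|pc_XP_KB971961_MS09-045_JS56))"
        "&pc_XP_KB956844_MS09-046"
        "&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)"
        "&pc_XP_KB971557_MS09-038)"
        "|((pc_Windows-XP-SP2|pc_Windows-XP-SP2-int)&pc_XP_KB956844_MS09-046)")

# Passed checks from the sample report; anything else is treated as failing.
PASSED = {"pc_Windows-XP-SP3", "pc_Windows_ehkeyctl", "pc_XP_KB956844_MS09-046",
          "pc_Windows-JScript-ver5_6", "pc_XP_KB971961_MS09-045_JS57"}

def evaluate(rule, passed):
    """Return (result, checks_run); assumes ! > & > |, left-to-right short-circuit."""
    toks, run = re.findall(r"[()|&!]|[^()|&!\s]+", rule) + [""], []

    def or_expr(live):
        val = and_expr(live)
        while toks[0] == "|":
            toks.pop(0)
            val = and_expr(live and not val) or val  # right side runs only if undecided
        return val

    def and_expr(live):
        val = unary(live)
        while toks[0] == "&":
            toks.pop(0)
            val = unary(live and val) and val  # skipped once the conjunction is false
        return val

    def unary(live):
        tok = toks.pop(0)
        if tok == "!":
            return not unary(live)
        if tok == "(":
            val = or_expr(live)
            toks.pop(0)  # closing ")"
            return val
        if live:
            run.append(tok)  # this check is actually executed
        return tok in passed

    return or_expr(True), run
```

With the report's passed checks the evaluator returns False, and the 11 checks it executes are the ones the report lists under Passed and Failed: the SP3 branch stops at `(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)`, after which the SP2 alternative is tried.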
