4 Replies Latest reply on Dec 3, 2014 9:35 AM by mbaney

    Custom patches and Affected platforms

    mbaney Apprentice

      Hi,

      I have a host that is scanning for a patch which I believe it should not be scanning for. It is a Windows 8.1 host. The Detection Rules for the patch list only Windows 7 (win7x64, Windows 7 x64, Windows Server 2008 R2 x64, and Windows Server 2008 x64) for the Affected Platforms. Everything that I see says that LANDesk knows this is a Windows 8.1 host and it is listed as such under 'All Devices'. The host does have the product (TSM) but I would imagine that the detection logic shouldn't even get this far. I do see this in the vulscan log:

      Command line: /showui=false /coreserver=<redacted> /group=LANDESK00_76 /norepair "/scanFilter=TSM 6.4 update" "/AgentBehavior=LANDESK00_22"

      I'm running 9.50.3.1 and the host has the latest agent. Any help would be greatly appreciated.

      Thanks,

      Brad

        • 1. Re: Custom patches and Affected platforms
          Apprentice

          What is the name of the patch? If you enter the same vulscan commands from the command line, are the results the same? Are the logs showing up in C:\ProgramData\Vulscan?

          • 2. Re: Custom patches and Affected platforms
            mbaney Apprentice

            Hi Joe, thanks for your comments.

            The name of the patch is "TSM 6.4 update". Yes, the results are the same regardless of how the scan is initiated. Yes, the logs are showing up in C:\ProgramData\Vulscan. You can see some of the log entry above.

            Thanks,

            Brad

            • 3. Re: Custom patches and Affected platforms
              Apprentice

              I looked at that patch on my core and it is registered in the vulnerabilities as TSMv6.4.1. It also is showing, in its detection logic (see below) that it triggers on a file path (%regpath(HKLM(x64)\SOFTWARE\IBM\ADSM\CurrentVersion\TSMClientPath)%baclient\dsmc.exe), an affected product (IBM Tivoli Storage Manager Client 6.4.x Windows x64), and has marked as its platforms Win7 x64, Win 8 x64, Win Server 2008 R2 x 64 and X64, and Vista x64. There is also a 32 bit version of this patch, but we do not have it downloaded for our environment since we no longer have 32 bit units.

              So... Based upon the information in our patch, it is supposed to run on Win7 x64 systems. If you do not want it to do so you could modify the detection logic, but I would check with your TAM before customizing any LANDesk created patch logic. In the absence of a TAM I would contact their support line for that OK. But, it looks like it is supposed to run on Win7 x64.

              Capture32.JPG

              • 4. Re: Custom patches and Affected platforms
                mbaney Apprentice

                Hi,

                Thanks again for your response. It IS supposed to run on Windows 7 x64 (which it does) but NOT Windows 8 (but it does anyway). This is a CUSTOM patch, not the one provided by LANDesk. It does NOT have the Windows 8 x64 selected (see below). It does have a file path trigger. However, I would think that if it is not one of the affected platforms then it would not trigger on anything else. What it seems you are suggesting is that affected platforms is ignored if the file exists, which IMHO wouldn't be the way the logic should work. Indeed, even in the Affected Platforms description it says that "Only computers matching the checked platforms below will attempt to process this rule".

                affected.png