2 Replies Latest reply on Nov 7, 2016 9:25 AM by RalfK

    How do I force a scan for patch 3192321_msu

    Rookie

      I am trying to deploy 3192321_MSU Turkey ends DST observance (3192321) to computers and servers in Turkey.  While machines are being scanned, only about 60 machines out of 15,000 are scanning for this vulnerability. I have made sure it is in the scan folder and forced scans again. The scans come back as successful, but they did not scan for this vulnerability.

      Can anyone tell me how to force this patch to scan?

       

      I am using LDMS 9.5 SP3

        • 1. Re: How do I force a scan for patch 3192321_msu
          phoffmann SupportEmployee

          So a few things.

           

          (1) - LANDesk Management Suite 9.5 is / has been end of life'd about a year ago. I'd strongly suggest / recommend that you look at upgrading - for platform support (Windows 10) and security improvements alone.

           

          (2) - if you know of a device that "should scan against this but doesn't" - try running the following 2 commands on the device (from the LDCLIENT directory):

          vulscan /clear

          vulscan /reset

           

          Calling "vulscan" with the "/clear" command-line parameter tells the client to send a message to the Core to "delete all results / vulnerability data" for this client.

           

          Calling "vulscan" with the "/clear" command-line parameter tells the client to delete all local vulnerability data definitions (forcing a full re-download & synch).

           

          Sometimes devices CAN get into a weird state, and this will force a "full synch" scan equivalent. See how that goes.

           

          (3) Examine the vulscan.log after you've done an OS scan. Search for the vulnerability name.

           

          Also check out this article, that covers how to read vulscan logs -- About the security and compliance scan (vulscan) log files

           

          (4) As a quick crash course, here's an example of vulscan detecting MS15-005_MSU on one of my boxes...

          Tue, 01 Nov 2016 20:10:03 Current Definition ID: MS15-005_MSU

          -- The above line is the "starting point" for the current vulnerability definition

          Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 0 ('Windows6.0-KB3022777-x64.msU')

          Tue, 01 Nov 2016 20:10:03      No affected platforms were found.

          Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 1 ('Windows6.0-KB3022777-x86.msu')

          Tue, 01 Nov 2016 20:10:03      No affected platforms were found.

          Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 2 ('Windows6.1-KB3022777-x64.mSU')

          Tue, 01 Nov 2016 20:10:03      No affected platforms were found.

          Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 3 ('Windows6.1-KB3022777-x86.mSu')

          Tue, 01 Nov 2016 20:10:03      No affected platforms were found.

          -- The above lines show a couple of "nope - no affected application platform" found - so since that doesn't apply, the relevant rule is skipped.

          Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 4 ('Windows8.1-KB3022777-x64.MSU')

          Tue, 01 Nov 2016 20:10:03 Running detection script

          Tue, 01 Nov 2016 20:10:03 Checking this file: C:\Windows\System32\ncsi.dll

          Tue, 01 Nov 2016 20:10:03      C:\Windows\System32\ncsi.dll : 6.3.9600.16384

          Tue, 01 Nov 2016 20:10:03 MS15-005_MSU detected

          Tue, 01 Nov 2016 20:10:03 VUL: 'MS15-005_MSU' (windows8.1-kb3022777-x64.msu) DETECTED.  Reason 'File C:\Windows\System32\ncsi.dll  version is less than the minimum version specified.'Expected '6.3.9600.17550'Found '6.3.9600.16384'.  Patch required 'windows8.1-kb3022777-x64.msu'.

          -- This is the "I found something" line. We tell you why that is (based on the detection logic). In this case, it's down to the version of a certain file (ncsi.dll) being lower than it should be.

          Tue, 01 Nov 2016 20:10:03    Patch is NOT installed

          Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 5 ('Windows8.1-KB3022777-x86.MSu')

          Tue, 01 Nov 2016 20:10:03      No affected platforms were found.

          Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 6 ('Windows8-RT-KB3022777-x64.MsU')

          Tue, 01 Nov 2016 20:10:03      No affected platforms were found.

          Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 7 ('Windows8-RT-KB3022777-x86.Msu')

          Tue, 01 Nov 2016 20:10:03      No affected platforms were found.

           

          Hope that helps you get a little bit further.
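The log walk-through in the reply above, as an added example that is not part of the original thread and not LANDesk tooling: a Python parser that reports, for each definition in a vulscan.log, which rules were skipped for platform and which detected. It assumes only the line formats quoted in the post; the function names are hypothetical and the sample log is a shortened copy of the quoted lines.

```python
import re

# Constructed sample: a shortened copy of the vulscan.log lines quoted in the post.
SAMPLE_LOG = r"""Tue, 01 Nov 2016 20:10:03 Current Definition ID: MS15-005_MSU
Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 3 ('Windows6.1-KB3022777-x86.mSu')
Tue, 01 Nov 2016 20:10:03      No affected platforms were found.
Tue, 01 Nov 2016 20:10:03 Checking vulnerability MS15-005_MSU, rule index 4 ('Windows8.1-KB3022777-x64.MSU')
Tue, 01 Nov 2016 20:10:03 Running detection script
Tue, 01 Nov 2016 20:10:03 VUL: 'MS15-005_MSU' (windows8.1-kb3022777-x64.msu) DETECTED.  Reason 'File C:\Windows\System32\ncsi.dll  version is less than the minimum version specified.'Expected '6.3.9600.17550'Found '6.3.9600.16384'.  Patch required 'windows8.1-kb3022777-x64.msu'.
Tue, 01 Nov 2016 20:10:03    Patch is NOT installed
"""

# Patterns cover only the line formats shown in the post; other lines are ignored.
RULE = re.compile(r"Checking vulnerability ([^,\s]+), rule index (\d+) \('([^']*)'\)")
DETECT = re.compile(r"VUL: '[^']+' .*DETECTED\..*Expected '([^']*)'\s*Found '([^']*)'")
NO_PLATFORM = "No affected platforms were found."

def parse_vulscan(log_text):
    """Return {definition_id: {rule_index: {"file", "outcome", ...}}}."""
    results, current = {}, None
    for line in log_text.splitlines():
        m = RULE.search(line)
        if m:  # a new rule of a definition starts here
            rules = results.setdefault(m.group(1), {})
            current = rules.setdefault(
                int(m.group(2)), {"file": m.group(3), "outcome": "no outcome logged"})
            continue
        if current is None:
            continue
        d = DETECT.search(line)
        if NO_PLATFORM in line:
            current["outcome"] = "no affected platform"
        elif d:
            current.update(outcome="detected", expected=d.group(1), found=d.group(2))
    return results

def definition_status(results, definition_id):
    """Classify one definition: absent from the scan, skipped everywhere, or detected."""
    rules = results.get(definition_id)
    if not rules:
        return "not in log"
    outcomes = {rule["outcome"] for rule in rules.values()}
    if "detected" in outcomes:
        return "detected"
    if outcomes == {"no affected platform"}:
        return "no rule matched this platform"
    return "rules ran, no detection logged"
```

A status of "not in log" means the definition was never evaluated in that scan, while "no rule matched this platform" means it was evaluated but every rule targets a different OS.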

          • 2. Re: How do I force a scan for patch 3192321_msu
            RalfK Rookie

            We have exactly the same issue. It was scanned only on 1 of our 11'000 computers... And that one was the only Windows 2008 server we have in our company.

            I checked the "Detection Rules" and I think this is the reason: it only scans for Windows 6.0 (Vista and Server 2008), but not for all other OS. So that was confusing a little bit at first.

                

            But when reading https://support.microsoft.com/en-us/kb/3192321, you can see that the way to install this update is to run a different patch (an "Update Rollup").

            We finally implemented 3192403 (for our Windows 7 clients) and just tested it successfully.
