Hello everyone,

This is my first post, so please forgive me if what I say below is common knowledge. But just in case - I wanted to point out that a number of the Failed Checks are red herrings.

I was confused by the "syswow64" check failing on 32-bit XP machines, thinking that the machine was failing because it didn't pass a 64-bit machine check! until I compared the results to XP machines that had *passed* and saw that they, too, had failed this check.

As Mary-Ellen points out, the check is a complicated set of OR statements (for both Vista and XP) - including version checks in with the hot fixes. Therefore, there are a number of "failed" checks that merely indicate that the machine in question doesn't have that version of the OS and which are just noise to be ignored.

Looking at Mary-Ellen's example:

Passed:
pc_Windows-XP-SP3

Failed:
pc_XP64, File Check [c:\windows\syswow64\kernel32.dll exists ]
pc_Windows-XP-SP2-int, Registry Check
pc_Windows-XP-SP2, Registry Check
etc.

So this indicates the person has XP [32-bit] SP3, *not* XP 64-bit, *not* XP SP2-int and *not* XP SP2.

There are similar checks for Vista machines. Both OS checks indicate the version of the OS (32- or 64-bit, SP level) and also the version of IE (and of course, specify which patches you need for which version of everything.)

SO. You have to ignore all those "failures" to find the actual thing the machine isn't passing. It's confusing.

Again, please forgive me if this is common knowledge and I'm just being annoying.

Karla B

ps If you put that looooonnnnng statement into a programming editor, which can show you pairs of parens, it's easier to see how these things are grouped.

>>>
The following is what I noticed with our XP Media users. Maybe someone else can shed some light on this. I am thinking of creating a custom rule for the SP 2 issue as that seems to be the problem. Also, the XP Media users were all passing the checks fine until about 5 days ago.

I noticed that the "pr_XP_MCE_Hotfixes" requirement for XP Media Center machines contains some checks that have "or" statements. For example, user reports show the user as failing pc_XP64 but the user passes pc_Windows-XP-SP3. It gets past this point (I think) because the "pr_XP_MCE_Hotfixes" requirement contains:

(pc_XP64)|((pc_Windows-XP-SP3|pc_Windows-XP-SP3-int)

So in order to pass this part, the pc must meet any of those 3 checks.

The part that all XP Media clients are failing appears to be the SP2 checks. The pc's all have SP3 installed. There are two "or" checks and both fail.

pc_Windows-XP-SP2, Registry Check
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2
It shows as Service Pack 3 and not 2.

pc_Windows-XP-SP2-int, Registry Check
\HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\windows\CSDVersion equals 512
The 512 shows as 300 on the machines.

Here is the full list of checks with the "and" "or" expressions, etc.

(pc_XP64)|((pc_Windows-XP-SP3|pc_Windows-XP-SP3-int)&((!pc_Windows-JScript-ver5_6|pc_Windows-JScript-ver5_9)|(pc_XP_KB971961_MS09-045_JS58|pc_XP_KB971961_MS09-045_JS57|pc_XP_KB971961_MS09-045_JS56))&pc_XP_KB956844_MS09-046&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)&pc_XP_KB971557_MS09-038&pc_XP_KB973507_MS09-037&pc_XP_KB973869_MS09-037&pc_KB973346_MS09-032_XP&(pc_KB961371_MS09-029_XP|pc_KB961371_v2_MS09-029_XP)&pc_KB971633_MS09-028_XP&pc_KB960803_MS09-013_XP&pc_KB958687_MS09-001_XP&pc_KB956802_MS08-071_XP&pc_KB958644_MS08-067_XP_SP3&(pc_KB954593_MS08-052_XP|pc_KB954593_MS08-052_XP_V2)&pc_KB952954_MS08-046_XP_SP3&(pc_MSXML3_MS08-069_XP)&(((pc_IE8_0&pc_XP_KB972260_MS09-034_IE8)|(pc_IE7_0&pc_XP_KB972260_MS09-034_IE7)|(pc_IE6_0&pc_XP_KB972260_MS09-034_IE6))&(!(pc_Flash_6_0_79&(pc_Flash_6r79_Registered_LC|pc_Flash_6r79_Registered_UC))|pc_KB923789_MS06-069_XP_SP2)))|((pc_Windows-XP-SP2|pc_Windows-XP-SP2-int)&((!pc_Windows-JScript-ver5_6|pc_Windows-JScript-ver5_9)|(pc_XP_KB971961_MS09-045_JS58|pc_XP_KB971961_MS09-045_JS57|pc_XP_KB971961_MS09-045_JS56))&pc_XP_KB956844_MS09-046&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)&pc_XP_KB971557_MS09-038&pc_XP_KB973507_MS09-037&pc_XP_KB973869_MS09-037&pc_KB973346_MS09-032_XP&(pc_KB961371_MS09-029_XP|pc_KB961371_v2_MS09-029_XP)&pc_KB971633_MS09-028_XP&pc_KB960803_MS09-013_XP&pc_KB958687_MS09-001_XP&pc_KB956802_MS08-071_XP&pc_KB958644_MS08-067_XP_SP2&(pc_KB954593_MS08-052_XP|pc_KB954593_MS08-052_XP_V2)&pc_KB952954_MS08-046_XP_SP2&(pc_MSXML3_MS08-069_XP)&((pc_IE6_0&pc_XP_KB972260_MS09-034_IE6)|(pc_IE7_0&pc_XP_KB972260_MS09-034_IE7&(pc_KB938127_MS07-050_XP_SP2_IE7|pc_KB938127_MS07-050_XP_SP2_IE7_V2))|(pc_IE8_0&pc_XP_KB972260_MS09-034_IE8))&(!(pc_Flash_6_0_79&(pc_Flash_6r79_Registered_LC|pc_Flash_6r79_Registered_UC))|pc_KB923789_MS06-069_XP_SP2))

An example of one of the reports:

Windows Critical Updates (Mandatory)

Passed Checks:
pc_Windows-XP-SP3
pc_Windows_ehkeyctl
pc_XP_KB956844_MS09-046
pc_Windows-JScript-ver5_6
pc_XP_KB971961_MS09-045_JS57

Failed Checks:
pc_XP64, File Check [c:\windows\syswow64\kernel32.dll exists ]
pc_Windows-XP-SP2-int, Registry Check [\HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\windows\CSDVersion equals 512]
pc_Windows-XP-SP2, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2]
pc_Windows-JScript-ver5_9, File Check [$SYSTEM_32\Jscript.dll later than 5.9.0.0]
pc_XP_MCE_KB973768_MS09-037, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB973768\ exists ]
pc_XP_KB971961_MS09-045_JS58, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP0\KB971961-IE8\Filelist\ exists ]

Not executed Checks:
pc_KB952954_MS08-046_XP_SP3
pc_KB952954_MS08-046_XP_SP2
pc_XP_KB971557_MS09-038
KB958644_MS08-067_XP_
pc_KB958644_MS08-067_XP_SP3
pc_KB958644_MS08-067_XP_SP2
pc_MSXML3_MS08-069_XP
pc_KB971633_MS09-028_XP
pc_XP_KB973507_MS09-037
pc_KB923789_MS06-069_XP_SP2
pc_IE8_0
pc_KB938127_MS07-050_XP_SP2_IE7_V2
pc_KB973346_MS09-032_XP
pc_KB956802_MS08-071_XP
pc_IE7_0
pc_KB958687_MS09-001_XP
pc_KB961371_MS09-029_XP
Windows-XP-SP3
pc_KB961371_v2_MS09-029_XP
pc_IE6_0
pc_KB954593_MS08-052_XP_V2
pc_Flash_6r79_Registered_LC
pc_Flash_6_0_79
pc_Flash_6r79_Registered_UC
pc_KB938127_MS07-050_XP_SP2_IE7
pc_KB960803_MS09-013_XP
pc_Windows-XP-SP3-int
pc_XP_KB971961_MS09-045_JS56
pc_XP_KB972260_MS09-034_IE8
pc_XP_KB972260_MS09-034_IE7
pc_KB954593_MS08-052_XP
pc_XP_KB973869_MS09-037
pc_XP_KB972260_MS09-034_IE6

Mary Ide
Internet Security Engineer
Johnson & Wales University
SANS GPEN #1514
SANS GCIH #1794
SANS GWAS #1728
[email protected]

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Biddle, Rob
Sent: Tuesday, September 15, 2009 2:37 PM
To: [email protected]
Subject: Re: XP Media Center Checks

We just had a student come to the help desk with this issue.
Looks like the most recent Cisco checks have not changed. Does Cisco already have an open ticket for this issue?

- Rob

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of CARSON, MICHAEL
Sent: Monday, September 14, 2009 3:03 PM
To: [email protected]
Subject: Re: XP Media Center Checks

Looking into more problematic machines, I noticed that even MCE 2005 machines were failing the check. 973768 installs correctly but still fails the check. I looked around the registry and the key that CCA looks for (HKLM/Software/Microsoft/Updates/Windows XP/SP4/KB973768) is not present but the update puts the key in HKLM/Software/Microsoft/Updates/Windows XP/SP3/KB973768

I have not had to create that fake file so I am wondering why our situation is different. We are running 4.1.3.2 agent.

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Mike Hanson
Sent: Monday, September 14, 2009 2:50 PM
To: [email protected]
Subject: Re: XP Media Center Checks

Tom,

We have had around 5 Media Center machines fail Clean Access checks. All of them were looking for this file "c:\windows\syswow64\kernel32.dll exists". To get around the failure we manually add that fake file and it passes the check. I agree, there is a problem with the Clean Access OS fingerprint.

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
(218)-723-7097
[email protected]

>>> Tom Stachowiak<[email protected]> 9/14/2009 1:37 PM >>>

I have seen three machines just today suffering from this. First one I tried manually installing the kb hotfix but it did not fix the issue. The original media center 2002 does not need it any newer 2003 and 4 get upgraded to media center 2005 when you install XP sp 2. They need to update the os fingerprint?
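
Added example, not part of the original thread and not Cisco code: a small Python evaluator for the rule syntax quoted above that separates the OS-branch "red herring" failures from the term that actually blocks the machine. The function names (`parse`, `holds`, `blocking`), the operator precedence (`!`, then `&`, then `|`), and the shortened `RULE` excerpt are assumptions made for illustration.

```python
import re

def parse(rule):
    """Nested-tuple AST. Assumed precedence: ! binds tightest, then &, then |."""
    # Dropping whitespace also rejoins check names split by mail line-wrapping.
    toks = re.findall(r"[\w.\-]+|[()|&!]", re.sub(r"\s+", "", rule)) + [None]
    def nary(op, sub):
        items = [sub()]
        while toks[0] == op:
            toks.pop(0)
            items.append(sub())
        return items[0] if len(items) == 1 else (op, items)
    def atom():
        tok = toks.pop(0)
        if tok == "!":
            return ("!", [atom()])
        if tok == "(":
            node = nary("|", lambda: nary("&", atom))
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok is None or tok in "()|&":
            raise ValueError("malformed rule")
        return tok
    tree = nary("|", lambda: nary("&", atom))
    if toks != [None]:
        raise ValueError("trailing tokens")
    return tree

def holds(node, passed):
    if isinstance(node, str):
        return node in passed          # any check not reported as passed counts as failed
    op, kids = node
    vals = [holds(k, passed) for k in kids]
    return not vals[0] if op == "!" else any(vals) if op == "|" else all(vals)

def blocking(rule, passed):
    """Failing AND terms of each OR branch whose first term (the OS guard) holds."""
    parts = lambda n, op: n[1] if isinstance(n, tuple) and n[0] == op else [n]
    hits = []
    for branch in parts(parse(rule), "|"):
        guard, *terms = parts(branch, "&")
        hits += [t for t in terms if holds(guard, passed) and not holds(t, passed)]
    return hits

# Constructed sample: shortened excerpt of the thread's rule, passed checks from its report.
RULE = ("(pc_XP64)|((pc_Windows-XP-SP3|pc_Windows-XP-SP3-int)&pc_XP_KB956844_MS09-046"
        "&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037))"
        "|((pc_Windows-XP-SP2|pc_Windows-XP-SP2-int)&pc_XP_KB956844_MS09-046)")
PASSED = {"pc_Windows-XP-SP3", "pc_Windows_ehkeyctl", "pc_XP_KB956844_MS09-046"}
```

For the sample report, `blocking(RULE, PASSED)` returns only the `(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)` term; the pc_XP64 and SP2 failures belong to branches whose OS guard does not match the machine.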
