KB824146 Scanning Tool

Mike Frith

Quick Question - Can someone please explain how the 824146 scanning tool
identifies that machines are unpatched? I assume (probably a bad thing) that
it either scans the registry for the keys, or it uses a dummy attack on DCOM
to see if the exploit exists.

The reason I am asking is that we have some machines that, no matter how
many times we patch them with 823980 and 824146, the tool reports them as
unpatched. Patches are being applied separately, in chronological order,
with a reboot between each patch.

Thanks,

Mike Frith
 
The security verification tools use a dummy attack to see if they get the
appropriate response from DCOM. However it isn't foolproof because a false
positive can be reported back for NT4 machines. (haven't seen 2000/XP/2003
machines give back a false positive.)

You only need to apply 824146 since it includes all the fixes of 823980.
Generally when a reporting tool tells me a patched machine is vulnerable, I
compare the file versions/sizes to what is posted in the Microsoft knowledge
base article.
 
Thanks for the quick response, although this does concern me a little.

The reason being is that we have machines where we have applied the patches
(823980, re-boot, 824146, re-boot) then re-scanned, and the report says that
the patches are still missing. It can take up to 5 installs before the tool
reports the machine as patched. The scan is being run on the machine that
has just been patched, not over the network.

Mike Frith
 
Are you sure that the account running the patch has admin (or at
least install software rights) on those machines?

Cheers,

Cliff
 