It will "fail" those checks because it is not detecting x64 or SP2 because the computer has SP3 and is not x64. The logic is kind of weird and I am not sure why they include that information because it is a little confusing. It does not mean that it is not going to pass remediation, just letting you know that it failed those checks.
-----Original Message----- From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Mary-Ellen Ide Sent: Tuesday, September 15, 2009 4:44 PM To: [email protected] Subject: Re: XP Media Center Checks The following is what I noticed with our XP Media users. Maybe someone else can shed some light on this. I am thinking of creating a custom rule for the SP 2 issue as that seems to be the problem. Also, the XP Media users were all passing the checks fine until about 5 days ago. I noticed that the " pr_XP_MCE_Hotfixes" requirement for XP Media Center machines contains some checks that have "or" statements. For example, user reports show the user as failing pc_XP64 but the user passes pc_Windows-XP-SP3. It gets past this point (I think) because the "pr_XP_MCE_Hotfixes" requirement contains: (pc_XP64)|((pc_Windows-XP-SP3|pc_Windows-XP-SP3-int) So in order to pass this part, the pc must meet any of those 3 checks. The part that all XP Media clients are failing appears to be the SP2 checks. The pc's all have SP3 installed. There are two "or" checks and both fail. pc_Windows-XP-SP2, Registry Check \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2 It shows as Service Pack 3 and not 2. pc_Windows-XP-SP2-int, Registry Check \HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\windows\CSDVersion equals 512 The 512 shows as 300 on the machines. Here is the full list of checks with the "and" "or" expressions, etc. (pc_XP64)|((pc_Windows-XP-SP3|pc_Windows-XP-SP3-int)&((!pc_Windows-JScri pt-ver5_6|pc_Windows-JScript-ver5_9)|(pc_XP_KB971961_MS09-045_JS58|pc_XP _KB971961_MS09-045_JS57|pc_XP_KB971961_MS09-045_JS56))&pc_XP_KB956844_MS 09-046&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)&pc_XP_KB971557 _MS09-038&pc_XP_KB973507_MS09-037&pc_XP_KB973869_MS09-037&pc_KB973346_MS 09-032_XP&(pc_KB961371_MS09-029_XP|pc_KB961371_v2_MS09-029_XP)&pc_KB9716 33_MS09-028_XP&pc_KB960803_MS09-013_XP&pc_KB958687_MS09-001_XP&pc_KB9568 02_MS08-071_XP&pc_KB958644_MS08-067_XP_SP3&(pc_KB954593_MS08-052_XP|pc_K B954593_MS08-052_XP_V2)&pc_KB952954_MS08-046_XP_SP3&(pc_MSXML3_MS08-069_ XP)&(((pc_IE8_0&pc_XP_KB972260_MS09-034_IE8)|(pc_IE7_0&pc_XP_KB972260_MS 09-034_IE7)|(pc_IE6_0&pc_XP_KB972260_MS09-034_IE6))&(!(pc_Flash_6_0_79&( pc_Flash_6r79_Registered_LC|pc_Flash_6r79_Registered_UC))|pc_KB923789_MS 06-069_XP_SP2)))|((pc_Windows-XP-SP2|pc_Windows-XP-SP2-int)&((!pc_Window s-JScript-ver5_6|pc_Windows-JScript-ver5_9)|(pc_XP_KB971961_MS09-045_JS5 8|pc_XP_KB971961_MS09-045_JS57|pc_XP_KB971961_MS09-045_JS56))&pc_XP_KB95 6844_MS09-046&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)&pc_XP_K B971557_MS09-038&pc_XP_KB973507_MS09-037&pc_XP_KB973869_MS09-037&pc_KB97 3346_MS09-032_XP&(pc_KB961371_MS09-029_XP|pc_KB961371_v2_MS09-029_XP)&pc _KB971633_MS09-028_XP&pc_KB960803_MS09-013_XP&pc_KB958687_MS09-001_XP&pc _KB956802_MS08-071_XP&pc_KB958644_MS08-067_XP_SP2&(pc_KB954593_MS08-052_ XP|pc_KB954593_MS08-052_XP_V2)&pc_KB952954_MS08-046_XP_SP2&(pc_MSXML3_MS 08-069_XP)&((pc_IE6_0&pc_XP_KB972260_MS09-034_IE6)|(pc_IE7_0&pc_XP_KB972 260_MS09-034_IE7&(pc_KB938127_MS07-050_XP_SP2_IE7|pc_KB938127_MS07-050_X P_SP2_IE7_V2))|(pc_IE8_0&pc_XP_KB972260_MS09-034_IE8))&(!(pc_Flash_6_0_7 9&(pc_Flash_6r79_Registered_LC|pc_Flash_6r79_Registered_UC))|pc_KB923789 _MS06-069_XP_SP2)) An example of one of the reports: Windows Critical Updates (Mandatory) Passed Checks: pc_Windows-XP-SP3 pc_Windows_ehkeyctl pc_XP_KB956844_MS09-046 pc_Windows-JScript-ver5_6 pc_XP_KB971961_MS09-045_JS57 Failed Checks: pc_XP64, File Check [c:\windows\syswow64\kernel32.dll exists ] pc_Windows-XP-SP2-int, Registry Check [\HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\windows\CSDVersion equals 512] pc_Windows-XP-SP2, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2] pc_Windows-JScript-ver5_9, File Check [$SYSTEM_32\Jscript.dll later than 5.9.0.0] pc_XP_MCE_KB973768_MS09-037, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB973768\ exists ] pc_XP_KB971961_MS09-045_JS58, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP0\KB971961-IE8\Filelist\ exists ] Not executed Checks: pc_KB952954_MS08-046_XP_SP3 pc_KB952954_MS08-046_XP_SP2 pc_XP_KB971557_MS09-038 KB958644_MS08-067_XP_ pc_KB958644_MS08-067_XP_SP3 pc_KB958644_MS08-067_XP_SP2 pc_MSXML3_MS08-069_XP pc_KB971633_MS09-028_XP pc_XP_KB973507_MS09-037 pc_KB923789_MS06-069_XP_SP2 pc_IE8_0 pc_KB938127_MS07-050_XP_SP2_IE7_V2 pc_KB973346_MS09-032_XP pc_KB956802_MS08-071_XP pc_IE7_0 pc_KB958687_MS09-001_XP pc_KB961371_MS09-029_XP Windows-XP-SP3 pc_KB961371_v2_MS09-029_XP pc_IE6_0 pc_KB954593_MS08-052_XP_V2 pc_Flash_6r79_Registered_LC pc_Flash_6_0_79 pc_Flash_6r79_Registered_UC pc_KB938127_MS07-050_XP_SP2_IE7 pc_KB960803_MS09-013_XP pc_Windows-XP-SP3-int pc_XP_KB971961_MS09-045_JS56 pc_XP_KB972260_MS09-034_IE8 pc_XP_KB972260_MS09-034_IE7 pc_KB954593_MS08-052_XP pc_XP_KB973869_MS09-037 pc_XP_KB972260_MS09-034_IE6 Mary Ide Internet Security Engineer Johnson & Wales University SANS GPEN #1514 SANS GCIH #1794 SANS GWAS #1728 [email protected] -----Original Message----- From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Biddle, Rob Sent: Tuesday, September 15, 2009 2:37 PM To: [email protected] Subject: Re: XP Media Center Checks We just had a student come to the help desk with this issue. Looks like the most recent Cisco checks have not changed. Does Cisco already have an open ticket for this issue? - Rob -----Original Message----- From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of CARSON, MICHAEL Sent: Monday, September 14, 2009 3:03 PM To: [email protected] Subject: Re: XP Media Center Checks Looking into more problematic machines, I noticed that even MCE 2005 machines were failing the check. 973768 installs correctly but still fails the check. I looked around the registry and the key that CCA looks for (HKLM/Software/Microsoft/Updates/Windows XP/SP4/KB973768) is not present but the update puts the key in HKLM/Software/Microsoft/Updates/Windows XP/SP3/KB973768 I have not had to create that fake file so I am wondering why our situation is different. We are running 4.1.3.2 agent. -----Original Message----- From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Mike Hanson Sent: Monday, September 14, 2009 2:50 PM To: [email protected] Subject: Re: XP Media Center Checks Tom, We have had around 5 Media Center machines fail Clean Access checks. All of them were looking for this file " c:\windows\syswow64\kernel32.dll exists" . To get around the failure we manually add that fake file and it passes the check. I agree, there is a problem with the Clean Access OS fingerprint. Mike Hanson Network Security Manager The College of St. Scholastica Duluth, MN 55811 (218)-723-7097 [email protected] >>> Tom Stachowiak<[email protected]> 9/14/2009 1:37 PM >>> I have seen three machines just today suffering from this. First one I tried manually installing the kb hotfix but it did not fix the issue. The original media center 2002 does not need it any newer 2003 and 4 get upgraded to media center 2005 when you install XP sp 2. They need to update the os fingerprint?
