No one is going to manually touch 2000+ machines (unless you're a consultant and you get paid by the hour). That's why there're tools to check whether the file properties are correct for a particular hot fix.
For example, Microsoft Baseline Security Analyzer (free), GFI Languard Network Security Scanner (inexpensive), Shavlik HFNetcheckPro (expensive), and Microsoft SMS (with SU feature pack) (very expensive) will all do file version and/or checksum calculations to verify that a particular file is what should be there to consider a patch to be installed. Some of these will even automatically deploy the patches to machines that are missing them. Many other tools do the same thing. (let's not get into a flame war about the pros and cons of any particular tool). While we have other decent tools available to check whether a patch has been correctly applied to this particular vulnerability that don't depend on file versions, for most patches the only reliable way to confirm if a patch has been applied is to check the physical files. If you're not going to verify that a patch is correctly installed through _some_ method, you're being negligent. To answer your question, yes, if you're a responsible professional. Jerry -----Original Message----- From: Schmehl, Paul L [mailto:[EMAIL PROTECTED] Sent: Friday, September 26, 2003 9:33 AM To: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windo ws > -----Original Message----- > From: Gary Flynn [mailto:[EMAIL PROTECTED] > Sent: Friday, September 26, 2003 8:06 AM > To: '[EMAIL PROTECTED]' > Subject: Re: [Full-Disclosure] RE: Probable new MS DCOM RPC > worm for Windo ws > > > I would think a better way of determining if a patch is > actually installed on a system is by examining the files on > the system rather than to depend upon symptoms (scanners) or > installation logs (registry entries). True, but *I'm* not going to physically touch (or even virtually touch) 2000+ machines looking at file properties. Are you? Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
