Feature Pack: Security Patch Incorrectly Reported as Installed (817759)



The information in this article applies to:

  • Microsoft Systems Management Server 2.0

SYMPTOMS

The Security Update Inventory Tool in the Systems Management Server (SMS) Software Update Services (SUS) Feature Pack may incorrectly report that a security patch (hotfix) is installed. This problem occurs only with a small number of security patches, for example security vulnerability MS03-007 (Microsoft Knowledge Base article 815021).

CAUSE

When the Security Update Inventory Tool uses the Microsoft Baseline Security Analyzer tool (MBSA) to determine if a particular security patch is installed, it instructs MBSA not to perform registry checks. A very small number of security patches can only be detected by means of registry checks. MBSA may report those patches as installed when they are not.
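A simplified model of the failure described above, added here as an illustration and not MBSA or S_scan.exe code. It assumes the verdict is "installed" whenever no evaluated check fails, so a rule that contains only registry checks passes vacuously once registry checks are skipped. The rule structure, key names, paths and versions are constructed placeholders, and checksum checks are left out.

```python
from dataclasses import dataclass, field

@dataclass
class DetectionRule:
    """Constructed stand-in for one patch's detection data (not the real schema)."""
    patch_id: str
    registry_keys: list = field(default_factory=list)
    file_versions: dict = field(default_factory=dict)  # path -> minimum version tuple

@dataclass
class Host:
    """Constructed host state: registry keys present and installed file versions."""
    registry: set
    files: dict

def run_checks(rule, host, skip_registry):
    """Return pass/fail results for the checks that were actually evaluated."""
    results = []
    if not skip_registry:
        results += [key in host.registry for key in rule.registry_keys]
    results += [host.files.get(path, (0,)) >= minimum
                for path, minimum in rule.file_versions.items()]
    return results

def naive_status(rule, host, skip_registry):
    """Assumed flaw: 'no check failed' counts as installed, even if nothing ran."""
    return "installed" if all(run_checks(rule, host, skip_registry)) else "missing"

def strict_status(rule, host, skip_registry):
    """Hardened verdict: an empty result set is reported as undetermined."""
    results = run_checks(rule, host, skip_registry)
    if not results:
        return "undetermined"
    return "installed" if all(results) else "missing"

# Constructed sample data; keys, paths and versions are placeholders.
REGISTRY_ONLY = DetectionRule("PATCH-A", registry_keys=[r"HKLM\SOFTWARE\Example\Updates\PATCH-A"])
FILE_BASED = DetectionRule("PATCH-B", file_versions={r"C:\example\component.dll": (5, 0, 2195, 6000)})
UNPATCHED = Host(registry=set(), files={r"C:\example\component.dll": (5, 0, 2195, 5000)})

def report(status_fn, skip_registry):
    """Evaluate both sample rules against the unpatched sample host."""
    return {r.patch_id: status_fn(r, UNPATCHED, skip_registry)
            for r in (REGISTRY_ONLY, FILE_BASED)}

if __name__ == "__main__":
    print("naive, registry skipped :", report(naive_status, True))
    print("naive, registry checked :", report(naive_status, False))
    print("strict, registry skipped:", report(strict_status, True))
```

Only the registry-only rule flips to a false "installed" when registry checks are skipped; the file-based rule is still reported correctly, which matches the small number of affected patches.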

RESOLUTION

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article.

To resolve this problem, contact Microsoft Product Support Services to obtain the fix or download it directly from the Microsoft Feature Pack download site. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

Note: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

All customers who downloaded and installed this tool before April 11, 2003, and who installed the update that is described in Microsoft Knowledge Base article 837722 must download and install this version because it includes an additional fix for the issue described in Microsoft Knowledge Base article 817759. These Microsoft Knowledge Base articles include the file details that you can use to determine the version that you currently have installed.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version            Size    File name              Platform
   ------------------------------------------------------------------------------
   03-Apr-2003  02:26  1.0.200.111     2,564,096  Securitypatch_enu.exe  X86
   03-Apr-2003  02:26  1.0.200.111       172,869  S_scan.exe             X86


Note: Because of file dependencies, the most recent hotfix or feature that contains these files may also contain additional files.

How to Install the Hotfix

To install the update, download and install the updated SMSSUSFP_XXX self-extracting download for the appropriate language, and then run the updated setup program, SecurityPatch_xxx.exe, from the SMSSUSFP_XXX folder (where xxx is the three-digit language code).

Note: Setup detects and removes previous installations of the tool; however, you may permit Setup to skip the removal of the collections, packages, programs, and advertisements that a previous installation of the tool created. If you keep the existing SMS objects that you used during a previous deployment, Setup reuses these objects. If a previous deployment used customized settings, review the settings for the package, program, collections, and advertisements to make sure that they are appropriate for your environment. The settings that Setup uses are reasonable default settings, but they may not suit all environments.

MORE INFORMATION

MBSA determines the status of a security patch by evaluating the presence of specific registry keys, file versions, and file checksums that are associated with a specific security update. By default, MBSA receives the patch detection information from the Mssecure.xml file. In some cases, MBSA can detect a patch only by searching for specific registry keys. Microsoft has now updated S_scan.exe so that it no longer uses the -z command-line switch when it runs Mbsacli.exe. As a result, Mbsacli.exe can also correctly detect the installation state of a security patch when the patch detection information only includes a registry detection rule.

For additional information about MBSA and the command-line switches it supports, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) Version 1.1 Is Available

For additional information about Hfnetchk, click the following article number to view the article in the Microsoft Knowledge Base:

306460 Hfnetchk Returns Note Messages for Installed Patches

The update for Microsoft Knowledge Base article 817759 also includes the changes documented in the Microsoft Knowledge Base article 814906. With 814906, Microsoft updated the Security Update Inventory Tool feature in the SMS SUS Feature Pack to use MBSA version 1.1 as its scan tool.

Modification Type: Minor
Last Reviewed: 10/18/2005
Keywords: kbHotfixServer kbQFE KB817759