Solved

MS04-011 and HFNETCHK

Posted on 2004-04-15
Last Modified: 2013-12-04
Hello.  We've patched our machines for the newest round of holes using Shavlik and SUS.  If we scan using Shavlik, everything looks good.  However we also do an automated daily scan using the command line HFNETCHK.  Today's report shows our Windows 2000 machines as not patched (we have 10 still in use, all 10 are unpatched according to HFNETCHK).  Now it might be an error with the command line version, or it might be something else.  I know I am paranoid since Blaster when we had 3 machines scan as patched even with the Blaster scanner, but the command line showed them unpatched and all three had blaster issues (they didn't catch blaster but they blue screened when attacked by it).

So has anyone else had this issue with MS04-011?  I know I just uninstalled it from a W2K server and reinstalled (with appropriate reboots) and it still shows as unpatched.  The system logs say that the patch was successfully installed.  Shavlik and Windows Update believe it to be successfully patched.  It's just a question if the command line is dumber or smarter than the rest.

Btw, one is a multi-processor server, a couple are single servers and a couple are low-end old workstations.  It's just strange to me the PRO version is returning a safe result while the command line is saying unpatched.
Question by:JG_Howard
9 Comments
 
LVL 32

Expert Comment

by:LucF
ID: 10836992
Hi JG_Howard,

What happens when you download the patch directly instead of using SUS?
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Greetings,

LucF
0
 

Author Comment

by:JG_Howard
ID: 10837428
I tried downloading and installing the patch directly (after doing an uninstall and a reboot), it was the W2K SP4 patch.  The patch "successfully" installed according to the system log, but hfnetchk still returns that the patch was missing (after another reboot).  In fact it was after doing this exact procedure it dawned on me all the machines returning a patch missing were W2K.  The XML file used by the command line is 1.1.1.998 and was last modified 4/14/2004.  This is the same version hfnetchkpro4 claims to be using.

Thanks.
0
 
LVL 32

Expert Comment

by:LucF
ID: 10837445
>>The XML file used by the command line is 1.1.1.998 and was last modified 4/14/2004<<
That's the same as I'm having without problems, so I guess HFNETCHK is a bit buggy...
0

 
LVL 38

Accepted Solution

by:
Rich Rumble earned 125 total points
ID: 10838323
Hfnetchk is also outdated, they are now supporting the M$ Baseline Security Analyzer.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
From the FAQ   (http://www.microsoft.com/technet/security/tools/mbsaqa.mspx)
Q.      Does MBSA replace HFNetChk?
A.      MBSA V1.2 exposes HFNetChk switches through the MBSA command line interface (mbsacli.exe). The MBSA command line interface can be used to perform both MBSA scans (system configuration and security update checks) via mbsacli.exe as well as HFNetChk scans (security update checks only) via mbsacli.exe /hf.
Q.      How do I use MBSA V1.2 to perform an HFNetChk-style scan?
A.      Users familiar with the standalone HFNetChk tool can use MBSA V1.2 to perform the same type of scan. The MBSA V1.2 command line interface has a flag (/hf) to indicate an HFNetChk-style scan. Users can call "mbsacli.exe /hf" followed by a valid HFNetChk switch after the /hf flag. For those users who have scripts that call "hfnetchk.exe", they can simply replace this with "mbsacli.exe /hf" followed by a valid HFNetChk flag(s).
Q.      What are the advantages of MBSA over HFNetChk?
A.      MBSA is a superset of the HFNetChk technology. Whereas HFNetChk only deals with security updates and service packs, MBSA provides an easy-to-use interface and additional capabilities. These capabilities include examining Windows desktops and servers for common security best practices such as strong passwords, scanning servers running IIS and SQL Server for common security misconfigurations, and checking for misconfigured security zone settings in Microsoft Office and Internet Explorer. Since the release of MBSA V1.1, users can now use one tool versus two separate tools to scan for missing security updates as well as misconfigured system settings.
==========
While not officially a replacement, Shavlik wrote hfnetchk for M$. http://www.shavlik.com/
MBSA is nice and GUI too.
GL!
-rich
0
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 10839219
I found a post on a newsgroup with this same problem:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=D14A39B2-2386-43F3-AD3A-4EE1DA13B759%40microsoft.com&rnum=5&prev=/groups%3Fq%3D835732%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa%3DN%26tab%3Dwg
(hope that URL comes out OK when I post this)

Anyway, a few people posted on the thread that after installing this hotfix, Windows Update did not show it being installed. Very similar to you using hfnetchk. I like richrumble's suggestion on if the latest MBSA detects this installed correctly or not.

And while we are at it, this specific hotfix also has a CPU usage problem. There are a LOT of posts stating how after putting this hotfix on, the CPU usage hits 100% and stays there for the SYSTEM process, making the systems unusable. Uninstalling this hotfix is so far the only fix for that. Here are a couple of newsgroup posts that talk about this problem:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=%23IOM%23EzIEHA.3476%40TK2MSFTNGP11.phx.gbl&rnum=12&prev=/groups%3Fq%3D835732%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26start%3D10%26sa%3DN
and
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=eejZGujIEHA.3988%40tk2msftngp13.phx.gbl&rnum=18&prev=/groups%3Fq%3D835732%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26start%3D10%26sa%3DN

Remember this ONE patch fixes 14 different problems. From the newsgroups, looks like this approach wasn't the best way to handle this!
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 10846379
I agree with richrumble
 
I had used MBSA and found it a great tool because it can scan a range of IPs and has a nice GUI
0
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 10846801
Just for reference, the CPU spike this patch seems to do has hit Bugtraq:
http://www.securityfocus.com/archive/1/360505/2004-04-13/2004-04-19/2
0
 
LVL 7

Expert Comment

by:rhrowson
ID: 10943399
Use the latest build of HFNETCHK from www.shavlik.com. Use the option -v to see why a patch may not have installed. Often it is only due to the checksum being incorrect, which throws up an error. This issue can be caused by patch compilation on SMP machines and installation on single processor machines, and vice versa. The machine is patched.
0
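The triage discussed in this thread (one scanner reports the bulletin as installed, the command-line scan reports it missing, and verbose output tells you whether only a checksum differs), as an added example that is not part of any post. The record fields, host names and reason strings are constructed for illustration and do not reproduce HFNetChk, MBSA or Shavlik output formats.

```python
# Added example: reconcile two patch scanners' verdicts for one bulletin.
# All records are constructed; field names are hypothetical and are not
# the output format of any real scanner.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    scanner: str        # which tool produced the verdict, e.g. "gui" / "cli"
    bulletin: str
    installed: bool     # that scanner's verdict
    reason: str = ""    # detail taken from verbose output, if any

def reconcile(findings, bulletin):
    """Return {host: status}; status is 'patched', 'missing',
    'verify-checksum' or 'verify'."""
    by_host = {}
    for f in findings:
        if f.bulletin == bulletin:
            by_host.setdefault(f.host, []).append(f)
    result = {}
    for host, items in sorted(by_host.items()):
        verdicts = {f.installed for f in items}
        if verdicts == {True}:
            result[host] = "patched"
        elif verdicts == {False}:
            result[host] = "missing"
        else:
            # Scanners disagree: never auto-report the host as patched.
            negatives = [f for f in items if not f.installed]
            if all("checksum" in f.reason.lower() for f in negatives):
                result[host] = "verify-checksum"   # confirm file versions by hand
            else:
                result[host] = "verify"            # no explanation: treat as open
    return result

SAMPLE = [  # constructed sample data
    Finding("w2k-srv-01", "gui", "MS04-011", True),
    Finding("w2k-srv-01", "cli", "MS04-011", False, "File checksum does not match"),
    Finding("w2k-ws-07", "gui", "MS04-011", True),
    Finding("w2k-ws-07", "cli", "MS04-011", False),
    Finding("xp-ws-12", "gui", "MS04-011", True),
    Finding("xp-ws-12", "cli", "MS04-011", True),
    Finding("w2k-srv-02", "gui", "MS04-011", False),
    Finding("w2k-srv-02", "cli", "MS04-011", False, "Patch not found"),
]

if __name__ == "__main__":
    for host, status in reconcile(SAMPLE, "MS04-011").items():
        print(f"{host:12} {status}")
```

Hosts that land in either `verify` state stay on the open list until someone confirms the installed files, which is the situation the original poster describes from the Blaster outbreak.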
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 10961945
Here is a new Technet article on problems with this patch:
http://support.microsoft.com/?kbid=841382
0
