CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Simon Bell <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 1 Aug 2006 15:10:21 -0400

We do the same as Ryan. http://cca.georgiasouthern.edu/wuxp2k.php#crits.
It would be nice for the Agent to report back which update it's failing,
similar to the AV/AS rules, however I understand that due to the
construction of the rule (&, | statements) this would be quite
difficult. I've not ever seen where express vs. custom makes a
difference, but I don't really deal too much with end user support.

Simon

>>> 
From: 	Ryan Dorman <[log in to unmask]>
To:	<[log in to unmask]>
Date: 	8/1/2006 3:01:29 pm
Subject: 	Re: Microsoft Windows Update Website is uncool

In our case here's what we do.. Tedious tho it is

When a new hotfix comes out, I download it and put it on a server that
is accessible from temp.  There is a standard naming convention that I
use that has been communicated to the help desk so that they can login
to CCA with a read-only account and check the report to see what they
are failing. 99% of the time applying the hotfix individually seems to
deal with the problem.

Like I said.. Kinda tedious, but it seemed the best 80/20 solution
rather than trying to forgo the patch rules. 


Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883 
-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Hague, Jeff
Sent: Tuesday, August 01, 2006 2:54 PM
To: [log in to unmask] 
Subject: Re: [PERFIGO] Microsoft Windows Update Website is uncool

Now that the excitement of release 4.0.x has died down a bit...
Back to the issue where Windows Update says a machine is fully patched
but CCA says it is not (as discussed below). The expectation of our End
User Services department here is that this is a Clean Access rule set
definition problem (hopefully fixed in 4.0.x). I also saw a thread
earlier that says if Users do an Express Install instead of a Custom
Install, then these issues will crop up. I tend to agree with many of
the posts here that indicate that it is a machine related problem -
malware, a bad download of the patch for some reason, etc. In any case,
I need to define our course of action for this problem and wanted to
post these questions to the group:

Does anyone have any reason to believe that this is a CCA issue and that
it is being worked on?

Has anyone seen any decrease in incidence since moving to 4.0.x? We
have 1 reported case since moving to 4 but it is not yet "confirmed". We
have only been on 4 for a few days and only have a handful of residents
on campus as well.

I need to be able to tell the powers that be that we either need to get
ready to manually patch some machines or forgo the patch rules. Any help
is appreciated.
Thanks!

Jeff

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Bob Black
Sent: Thursday, July 06, 2006 8:56 PM
To: [log in to unmask] 
Subject: Re: [PERFIGO] Microsoft Windows Update Website is uncool

We observed a small percentage of machines that reported no updates
missing at Windows updates site but yet failing the CCA ruleset.

In many cases, we found that CCA was more accurate. The updates failed
to install fully for some reason or another. Manual installation of
individual updates would typically resolve.

So, in some regards it's a managerial decision about what risk you are
willing to take -- that auto-updates fails to work properly and you have
unpatched computers or that CCA incorrectly reports a fully patched
machine and you have to provide additional support.

All-in-all, the incidence of this problem was a small percentage for us
and we believe the benefits of fully patched machines outweigh the costs
of providing additional support in these instances.

The only change we've made to the canned ruleset is to copy the rule (1 for
each OS) just before patch Tuesday and allow either the copy or the
updated version to serve as a "pass" for a few weeks. This gave time for
the ruleset to be right and for auto-updates to work.

I wish I had exact numbers for you and I'll see what I can find.

-Bob Black
Miami University
 

> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List 
> [mailto:[log in to unmask]] On Behalf Of Aaron Rothberg
> Sent: Thursday, July 06, 2006 6:27 PM
> To: [log in to unmask] 
> Subject: Microsoft Windows Update Website is uncool
> 
> In Aug/Sep 2005, Northeastern State University, Micheal King from 
> Bridgewater State College, and Scott Weitzenhoffer from Kent State 
> University were discussing the issue where Microsoft's Windows Update
> website would claim a computer had all of the Critical Updates, yet 
> Cisco Clean Access would identify missing patches. From that thread I
> inferred that Microsoft's site may be looking at DLL versions only 
> whereas CCA is looking at Registry entries. The solution offered was
> to use customized rules to circumvent the issue since Microsoft's 
> method isn't always trustworthy.
> 
> Here at Keene State we use the canned rule set only since our network
> team is not prepared to take on the overhead of managing a customized
> rule set. That being said in the test group of 40 students we have 
> on-campus, two were caught in this scenario. If 5% is what we're 
> looking at, I could have as many as 112 students calling our Helpdesk
> in August and we don't have the resources to help each student 
> identify which patch CCA states is missing and walk them through the
> remediation process.
> 
> Can anyone that's also running the canned rules offer some insight and
> perhaps someone might throw out some numbers about how many students
> they saw in this situation? We're not sure if this is something we 
> should really be concerned about and if so, what direction we should
> head to resolve it knowing customized rules are not an option for us.
> 
> Regards-
> Aaron
> 
> Aaron Rothberg
> Computer Tech
> Keene State College
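
An added illustration, not part of the list thread and not Clean Access rule syntax: a small evaluator for a patch rule built from AND/OR of per-hotfix checks that reports which hotfixes are missing, combined with the "previous rule or updated rule passes for a few weeks" grace window described in the thread. The rule format, the function names, the hotfix ids and the dates are all assumptions made up for the example.

```python
from datetime import date

# Rule tree (hypothetical format): ("check", id) | ("and", [rules]) | ("or", [rules])
def evaluate(rule, installed):
    """Return (passed, missing): missing lists the hotfix ids to install to pass."""
    kind, arg = rule
    if kind == "check":
        ok = arg in installed
        return ok, ([] if ok else [arg])
    if kind not in ("and", "or") or not arg:
        raise ValueError(f"bad rule node: {rule!r}")
    results = [evaluate(sub, installed) for sub in arg]
    if kind == "and":
        # Every failing branch has to be fixed, so report all of them.
        missing = [m for ok, names in results if not ok for m in names]
        return all(ok for ok, _ in results), missing
    # "or": one branch is enough, so report the branch with the fewest gaps.
    if any(ok for ok, _ in results):
        return True, []
    return False, min((names for _, names in results), key=len)

def posture(prev_rule, new_rule, installed, today, grace_until):
    """Apply the new rule; accept the previous rule until grace_until."""
    ok_new, missing = evaluate(new_rule, installed)
    if ok_new:
        return "pass", []
    ok_prev, _ = evaluate(prev_rule, installed)
    if ok_prev and today <= grace_until:
        return "pass-grace", missing   # let in, but still report the gap
    return "fail", missing

# Constructed sample data: placeholder ids, not real update numbers.
PREV = ("and", [("check", "HOTFIX-A"),
                ("or", [("check", "HOTFIX-B"), ("check", "ROLLUP-1")])])
NEW = ("and", [PREV, ("check", "HOTFIX-C")])

if __name__ == "__main__":
    found = {"HOTFIX-A", "ROLLUP-1"}   # what the agent found evidence for
    print(posture(PREV, NEW, found, date(2006, 8, 10), date(2006, 8, 29)))
    print(posture(PREV, NEW, found, date(2006, 9, 1), date(2006, 8, 29)))
```

The `missing` list is what a help desk would read from the report to pick the individual hotfix to apply by hand.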
