Re: DLL checksum errors in shavlik's mssecure.xml?
From: Eric Schultze (eric.schultze_at_SHAVLIK.COM)
Date: 09/18/03
Date: Thu, 18 Sep 2003 10:33:33 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
About 03-011:
--------------
03-011 can be tricky.
There are two separate patches available:
Patch1: for Win9x, NT4, Windows XP, and Windows 2000 SP4.
Patch2: for Windows 2000 SP2 and SP3
Patch2 is built specifically to handle file updates to Windows 2000 SP2
and SP3 because the JVM files are system file protected. NT4, WinXP,
and Win2K SP4 machines do not system file protect JVM files, so they can
use a different installer.
Both patches include the same files, however, the files themselves are
slightly different. For example:
Patch1: javart.dll 2003/02/28 5.0.3810.0 419536
Patch2: javart.dll 2003/03/17 5.0.3810.0 408612
Note the different file dates and file checksums of the javart.dll file.
If you have installed this patch on an SP3 machine, and later upgraded
to SP4, the SP3 checksum and file date would remain on the SP4 machine,
thus causing a checksum error when scanning the SP4 machine. To
accommodate these situations, the HF engine will need to understand how
to accept multiple acceptable checksums. This will be available in a
future HF engine, it is not part of the 3.86 engine.
Can you please check to see what file date this file has on your system?
Did you perhaps install this patch on SP3 and later update to SP4?
It's also possible that perhaps you obtained the javart.dll from
yet another source, built on another day and having a different
checksum.
===============
About 03-037
-------------
Shavlik did not enter a checksum for the vbe files for 03-037. IOW, the
XML file has a null value for this checksum. The hfnetchk.exe 3.86
interprets a null checksum as a zero length checksum and thus results in
an error when it finds any checksum value. The hfnetchk4pro.exe engine
understands what to do with a null checksum value and will not present
the same error msg. The checksum was left blank as there are multiple
files of the same version that have different PE checksums. The HF
engine and XML file do not allow for multiple checksums to be entered.
This feature will be in the next XML file - allowing us to enter
multiple acceptable checksums to the file.
The same issue relates to multi-proc machines - since the XML file only
contains one checksum value, it contains the value for the single proc
machines, not the multi-proc. Multi-proc customers will need to disable
checksums to ignore these msgs. A future HF engine will include ability
to report on multiproc machines.
Date: Fri, 12 Sep 2003 10:21:28 -0400
From: Marc DeBonis <Marc.DeBonis@VT.EDU>
Subject: DLL checksum errors in shavlik's mssecure.xml?
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I believe with the latest version of Shavlik's mssecure.xml file:
(BulletinDatastore DataVersion="1.1.1.847" LastDataUpdate="9/10/2003"
SchemaVersion="1.0.0.11" LastSchemaUpdate="3/8/2003" ToolVersion="3.86"
MBSAToolVer="1.1.1")
the freeware tool hfnetchk is misidentifying systems that correctly have
the java and vba patch installed:
The java hotfix MS03-011 (816093) is being misidentified as not being
installed with this explanation:
C:\winnt\system32\javart.dll has an invalid checksum and its file
version [5.0.3810.] is equal to what is expected
Installing the hotfix as denoted and restarting does not alleviate this
error from hfnetchk. You get an error on restart saying "Java package
Manager Unable to install Java packages. The command line is
invalid.". This using the msjavawu.exe from Windows Update catalog as
noted in KB articles.
The vba hotfix MS03-37 (822715) is in the same class of error as the
java one:
c:\program files\common files\microsoft shared\vba\vba6\vbe6.dll has an
invalid checksum and its file version [6.4.99.69] is equal to what is
expected
Installing the hotfix as denoted and restarting does not alleviate this
error from hfnetchk.
I've recorded the md5 checksums as:
MD5 (javart.dll) = 2322bcf818fa2df937f17f67a057a237
MD5 (vbe6.dll) = 50ea3ebaac8d47cbfc2c7a88a51979d4
respectively
I've attempted to contact shavlik multiple times via email, but with no
response
I've also noted that hotfixes that have different versions of a dll
depending on the system architecture (single processor or multiple
processor) are incorrectly noted as missing in multi-processor systems.
Both shavlik and MS have responded to my queries concerning these issues
and say that it is a limitation of the current technology because they
only check for the single processor version of the hotfixed dlls.
Shavlik also said that I might just want to turn off checksum matching
to stop this error from happening... something I'm not comfortable with.
Thanks.
- M
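
The checksum-matching behaviour discussed in this thread, as an added sketch; it is not code from hfnetchk, Shavlik or either poster. All class and function names are hypothetical, the javart.dll values are the ones quoted in the reply, and the installed vbe6.dll checksum is constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Expected:
    version: str
    # None models a null checksum entry in the data file (as for vbe6.dll).
    checksums: Optional[Tuple[int, ...]]


@dataclass(frozen=True)
class Installed:
    version: str
    checksum: int


def strict_single(exp: Expected, inst: Installed) -> str:
    """Model of the single-checksum behaviour described for the 3.86 engine:
    one expected value, and a null entry is compared as an empty checksum."""
    if inst.version != exp.version:
        return "version mismatch"
    only = exp.checksums[0] if exp.checksums else None
    return "ok" if inst.checksum == only else "invalid checksum"


def tolerant_multi(exp: Expected, inst: Installed) -> str:
    """Model of the planned behaviour: any listed checksum is acceptable, and a
    null entry is reported as unverified instead of being silently passed."""
    if inst.version != exp.version:
        return "version mismatch"
    if exp.checksums is None:
        return "ok (checksum not verified)"
    return "ok" if inst.checksum in exp.checksums else "invalid checksum"


# javart.dll values quoted in the reply: Patch1 = 419536, Patch2 = 408612.
JAVART_PATCH1_ONLY = Expected("5.0.3810.0", (419536,))
JAVART_BOTH = Expected("5.0.3810.0", (419536, 408612))
VBE6_NULL = Expected("6.4.99.69", None)

# Machine patched on SP3 (Patch2 file) and later upgraded to SP4.
UPGRADED_BOX = Installed("5.0.3810.0", 408612)
# Constructed checksum for an installed vbe6.dll.
VBE6_BOX = Installed("6.4.99.69", 0x1234AB)

if __name__ == "__main__":
    for exp, inst in ((JAVART_PATCH1_ONLY, UPGRADED_BOX), (JAVART_BOTH, UPGRADED_BOX),
                      (VBE6_NULL, VBE6_BOX)):
        print(strict_single(exp, inst), "|", tolerant_multi(exp, inst))
```

Reporting the null case as "not verified" keeps the gap visible to the operator, which is the concern raised about turning checksum matching off altogether.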