How do I find the IsApplicable / IsInstalled Rules for Windows / Adobe Updates in Patch Management 7.0?

Article ID: 180000

Products

Patch Management Solution for Windows

Issue/Introduction

 

Resolution

For Microsoft Updates, run the following scripts against the Symantec_CMDB Database.

--Script #1
--If the issue is an IsInstalled rule problem, use this script, open the XML, and check the registry entry listed in the rule. Ensure this is correct, or run the debug rule evaluator (HOWTO9837) to be sure.

SELECT i3.[Name] AS 'Bulletin', i.[Name] AS 'Inventory Rule',
 CASE ir.ResultsDataClassGuid
  WHEN '75DA0CCA-0095-44E7-8FBE-960FA0D72075' THEN 'Applicable'
  WHEN '9D326BB4-75D4-4DB9-9946-59141BD1D44E' THEN 'Installed'
 END AS 'Rule Type',
 CAST (ir.InventoryRuleXML AS XML) AS 'Rules XML', ra.ParentResourceGuid,
 'http://www.microsoft.com/technet/security/bulletin/' + i3.name + '.mspx' AS 'Microsoft bulletin link',
 ir._ResourceGuid AS 'Rule Guid'
FROM Inv_Inventory_Rule ir
JOIN vItem i ON i.Guid = ir._ResourceGuid
LEFT JOIN ResourceAssociation ra ON ra.ChildResourceGuid = ir._ResourceGuid
AND ra.ResourceAssociationTypeGuid = 'D528BCE5-8911-4762-90D9-72CA0AB87D86'
left JOIN vSoftwareUpdateInventoryRuleAssociations sura ON sura.ApplicableGuid = ir._ResourceGuid
OR sura.InstalledGuid = ir._ResourceGuid
left JOIN vItem i3 ON i3.Guid = sura.SWBGuid
WHERE i.Name like '%KBHERE!%' ORDER BY i.Name

 

--Script #2 
--If the issue is an IsApplicable rule problem, use the above script, pull the 'ParentResourceGuid' from the IsInstalled SQL for the update, and plug it into the following script.
--This will show what the vulnerability is checking for in the resource column.
--From this, determine whether the rule is accurate or whether there are unnecessary checks.

SELECT DISTINCT
      vi2.Name AS ResourceAssociationTypeName,
      vrt.Name AS ResourceTypeName,
      vi1.Name,
      vi1.Description, ra.*
FROM vItem vi1
JOIN ResourceAssociation ra ON vi1.Guid = ra.ChildResourceGuid
AND ra.ResourceAssociationTypeGuid NOT IN ('F35C6627-F70C-44A0-AFB8-490CE4D3ECAF', '6CCB60F8-E88D-4BA2-959F-4B531C8C5FCD',
'D528BCE5-8911-4762-90D9-72CA0AB87D86', 'A19CED33-9E1F-4E97-98CF-0F8B339739C3', '4D33D29B-DC9F-4E72-9A80-C5FB7CEC0FB6', '34F2B0FE-E63E-4B8E-B359-FF73A026FE51')
JOIN vResourceItem vri ON ra.ChildResourceGuid = vri.Guid
JOIN vResourceType vrt ON vri.ResourceTypeGuid = vrt.Guid
JOIN vItem vi2 ON ra.ResourceAssociationTypeGuid = vi2.Guid
WHERE ra.ParentResourceGuid = 'GUIDHERE!'
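
The two-step lookup above can also be run as one batch. The following is an added example, not part of the original article: it reuses only the tables, views and GUIDs from Script #1 and Script #2, and the names @KB and @Parents, along with the assumed uniqueidentifier column type, are introduced here for illustration.

```sql
-- Added example: Script #1 and Script #2 chained in one batch.
-- @KB and @Parents are hypothetical names; KBHERE! is the article's placeholder.
DECLARE @KB nvarchar(64);
SET @KB = N'KBHERE!';

-- Assumption: ParentResourceGuid is a uniqueidentifier column.
DECLARE @Parents TABLE (ParentResourceGuid uniqueidentifier PRIMARY KEY);

-- Step 1 (Script #1): take the ParentResourceGuid from the IsInstalled rule(s)
-- whose name matches the KB.
INSERT INTO @Parents (ParentResourceGuid)
SELECT DISTINCT ra.ParentResourceGuid
FROM Inv_Inventory_Rule ir
JOIN vItem i ON i.Guid = ir._ResourceGuid
JOIN ResourceAssociation ra ON ra.ChildResourceGuid = ir._ResourceGuid
    AND ra.ResourceAssociationTypeGuid = 'D528BCE5-8911-4762-90D9-72CA0AB87D86'
WHERE i.Name LIKE N'%' + @KB + N'%'
  AND ir.ResultsDataClassGuid = '9D326BB4-75D4-4DB9-9946-59141BD1D44E' -- 'Installed'
  AND ra.ParentResourceGuid IS NOT NULL;

-- Step 2 (Script #2): list the resources each parent is associated with,
-- using the same association-type exclusions as the article's query.
SELECT DISTINCT
    p.ParentResourceGuid,
    vi2.Name AS ResourceAssociationTypeName,
    vrt.Name AS ResourceTypeName,
    vi1.Name,
    vi1.Description
FROM @Parents p
JOIN ResourceAssociation ra ON ra.ParentResourceGuid = p.ParentResourceGuid
    AND ra.ResourceAssociationTypeGuid NOT IN (
        'F35C6627-F70C-44A0-AFB8-490CE4D3ECAF', '6CCB60F8-E88D-4BA2-959F-4B531C8C5FCD',
        'D528BCE5-8911-4762-90D9-72CA0AB87D86', 'A19CED33-9E1F-4E97-98CF-0F8B339739C3',
        '4D33D29B-DC9F-4E72-9A80-C5FB7CEC0FB6', '34F2B0FE-E63E-4B8E-B359-FF73A026FE51')
JOIN vItem vi1 ON vi1.Guid = ra.ChildResourceGuid
JOIN vResourceItem vri ON vri.Guid = ra.ChildResourceGuid
JOIN vResourceType vrt ON vrt.Guid = vri.ResourceTypeGuid
JOIN vItem vi2 ON vi2.Guid = ra.ResourceAssociationTypeGuid
ORDER BY p.ParentResourceGuid, ResourceAssociationTypeName, vi1.Name;
```

If the name filter matches more than one update, the ParentResourceGuid column in the result shows which rows belong to which parent.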
 

 

To find Adobe update rules, run the following SQL query against the Symantec_CMDB database:

SELECT
      ir._ResourceGuid AS 'Rule Guid',
      i.Name AS 'Inventory Rule',
      CASE ir.ResultsDataClassGuid
            WHEN '75DA0CCA-0095-44E7-8FBE-960FA0D72075' THEN 'Applicable'
            WHEN '9D326BB4-75D4-4DB9-9946-59141BD1D44E' THEN 'Installed'
      END AS 'Rule Type',
      CAST (ir.InventoryRuleXML AS XML),
      ra.ParentResourceGuid
FROM Inv_Inventory_Rule ir
JOIN vItem i ON i.Guid = ir._ResourceGuid
JOIN Inv_Windows_Inventory_Rule_Provider i2 ON i2.RuleEngineCLSID = ir.RuleEngineCLSID
LEFT JOIN ResourceAssociation ra ON ra.ChildResourceGuid = ir._ResourceGuid
AND ra.ResourceAssociationTypeGuid = 'D528BCE5-8911-4762-90D9-72CA0AB87D86'
 
--To filter by rule GUID, uncomment the next line, paste the desired GUID, and comment out the name filter below
--WHERE ir._ResourceGuid like 'db59990e-9085-4d7e-a5e1-3a16337b0072%'

--Or filter by name: enter the name of the update below
WHERE i.Name like '%ADOBE UPDATE HERE (Example: AcrobatUpd825_all_incr.msp)%'
ORDER BY i.Name