navigation bar left navigation bar right

Secunia CSI7
navigation left tab Advisories navigation right tab
navigation left tab Research navigation right tab
navigation left tab Forums navigation right tab
navigation left tab Create Profile navigation right tab
navigation left tab Our Commitment navigation right tab
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: [Beta] Secunia integrated with Microsoft WSUS

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
CSI

This thread has been marked as locked.
J.Balle [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 18th Jan, 2010 14:49
Ranking: 10
Posts: 31
User Since: 25th Nov, 2008
System Score: N/A
Location: Copenhagen, DK
Last edited on 18th Jan, 2010 21:35

Today the first customers are invited to beta test the:

Secunia Corporate Software Inspector (CSI)
- integrated with Microsoft WSUS for 3rd party Patch Management

Initially we are running a closed, by invitation only, beta testing, in February we will open the beta testing and invite everybody to try out the new awesome Patch Management features, which we believe will make it a breeze to patch the majority of all 3rd party programs.

You can request to become a beta tester by filling out this form:
http://secunia.com/vulnerability_scanning/corporat...

I'm looking forward to getting your feedback.

Read the full blog:
http://secunia.com/blog/71/

MTGAlberts RE: [Beta] Secunia integrated with Microsoft WSUS
Member 20th Jan, 2010 10:14
Score: 0
Posts: 8
User Since: 20th Jan 2010
System Score: N/A
Location: N/A
Hi.
I today integrated it into our WSUS 3.2.7600.226 (latest version).
None of the basics do work. None, well most.

What is working:
-I can scan localhost and do an agent scan to a remote computer and it finds vulnerable softwares
-It can locate downloads to be converted to patches and "seems" to do something if you tell it to "create" an update

What is not working
-After you just scanned a computer, it will report the very same computer as "This host has never been scanned" - this is no refresh problem
-the updates you just created will never appear in the "available"-section.

So I was not able to even approve updates nor deploy those. Did you test your beta? ;)
Was this reply relevant?
+0
-0
J.Balle RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 20th Jan, 2010 10:32
Score: 10
Posts: 31
User Since: 25th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Hi MTGAlberts

Thanks for the feedback.


on 20th Jan, 2010 10:14, MTGAlberts wrote:
-After you just scanned a computer, it will report the very same computer as "This host has never been scanned" - this is no refresh problem


From what page did you try to access the Host Report from?


on 20th Jan, 2010 10:14, MTGAlberts wrote:
-the updates you just created will never appear in the "available"-section


1)
Have you created a signing certificate on your WSUS server through the 'Patch -> Configuration' page (at the bottom left)?

2)
After creating the signing certificate on the WSUS server, this certificate must also be distributed to your hosts (enabling them to accept the new 3rd party packages that you have created).

You can distribute the signing certificate through the "Patch -> Deployment" page by right-clicking a host and selecting "Verify and Install Certificate".

I'm looking forward to hear if this solves your problem.

Best regards,

Jakob
MTGAlberts RE: [Beta] Secunia integrated with Microsoft WSUS
Member 20th Jan, 2010 13:06
Score: 0
Posts: 8
User Since: 20th Jan 2010
System Score: N/A
Location: N/A
> From what page did you try to access the Host Report from?
Right after scanning localhost, one can click on "completed scans" and find the host ->"has never been scanned"
> Have you created a signing certificate on your WSUS server through the 'Patch -> Configuration' page (at the bottom left)?
Now I have and I am able to create updates from downloads. I just wonder why it would tell me it wqas succesful without a certificate and then show no updates. My mistake.
> After creating the signing certificate on the WSUS server, this certificate must also be distributed to your hosts
Yes, I did deploy it succesfully at the host and at the wsus. I am still not able to deploy that patch I created. Here's the warning message from c:\windows\windowsupdate.log:
WARNING: Digital Signatures on file C:\WINDOWS\SoftwareDistribution\Download\38d73c895 e7fc648316789006bc0b8a2\a01acb1d4655147bd92724eea3 511ee9fd24c75f are not trusted: Error 0x800b0109
Please note: it does not work on the wsus itself, either although the certificate was installed succesfully. I could also verify, that the package a01acb... was the patch I am trying to distribute.
Thanks for your help.
Was this reply relevant?
+0
-0
J.Balle RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 20th Jan, 2010 13:27
Score: 10
Posts: 31
User Since: 25th Nov 2008
System Score: N/A
Location: Copenhagen, DK
on 20th Jan, 2010 13:06, MTGAlberts wrote:
Right after scanning localhost, one can click on "completed scans" and find the host ->"has never been scanned"


Could I ask you to click another host and see if the problem persists, or if it only relates to some specific entries on your "Completed Scans" page?


on 20th Jan, 2010 13:06, MTGAlberts wrote:
Now I have and I am able to create updates from downloads. I just wonder why it would tell me it wqas succesful without a certificate and then show no updates. My mistake.


Agreed, the CSI should not report "success" unless the action was indeed successful. We have, based on your report, already internally implemented some improved error handling, which will produce proper error messages if the package creation fails.

Thanks for the input.


on 20th Jan, 2010 13:06, MTGAlberts wrote:
Yes, I did deploy it succesfully at the host and at the wsus. I am still not able to deploy that patch I created. Here's the warning message from c:\windows\windowsupdate.log:
WARNING: Digital Signatures on file C:\WINDOWS\SoftwareDistribution\Download\38d73c895 e7fc648316789006bc0b8a2\a01acb1d4655147bd92724eea3 511ee9fd24c75f are not trusted: Error 0x800b0109
Please note: it does not work on the wsus itself, either although the certificate was installed succesfully. I could also verify, that the package a01acb... was the patch I am trying to distribute.
Thanks for your help.


Could you try the following:

1) Go to "Patch -> Deployment", double-click the host in the interface, where the deployment fails, and go to the "Patch Information" tab. The value called "WSUS Signing Certificate" does it say "Correctly installed"?

2)
If the above is correct, could you please verify that your GPO is configured to enable the following:
'Allow signed content from intranet Microsoft update service location' set to 'Enabled'

This step, is very important, otherwise, the client Microsoft Update Service won't accept the new packages since they are signed with your own certificate.


Best regards,

Jakob
MTGAlberts RE: [Beta] Secunia integrated with Microsoft WSUS
Member 20th Jan, 2010 14:59
Score: 0
Posts: 8
User Since: 20th Jan 2010
System Score: N/A
Location: N/A
Last edited on 20th Jan, 2010 14:59
1) yes, it says "Correctly installed"
2) after setting this gpo and restarting wuauserv the update is accepted, downloaded and installed alright. Thanks!

I guess, you mention this step somewhere in your documentation?

Kind regards
Was this reply relevant?
+0
-0
J.Balle RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 20th Jan, 2010 15:02
Score: 10
Posts: 31
User Since: 25th Nov 2008
System Score: N/A
Location: Copenhagen, DK
on 20th Jan, 2010 14:59, MTGAlberts wrote:
1) yes, it says "Correctly installed"
2) after setting this gpo and restarting wuauserv the update is accepted, downloaded and installed alright. Thanks!

I guess, you mention this step somewhere in your documentation?

Kind regards


Perfect. I'm glad to hear that!

We will adjust the documentation accordingly to include some further information on these steps.

Thanks for the input and happy patching! :-)

Jakob
MTGAlberts RE: [Beta] Secunia integrated with Microsoft WSUS
Member 20th Jan, 2010 15:20
Score: 0
Posts: 8
User Since: 20th Jan 2010
System Score: N/A
Location: N/A
Another possible pitfall:
If a tester installs the agent (csia.exe) manually at his test workstation, he will be granted the user privilege "logon as a service" (SeServiceLogonRight). However, this privilege will usually get removed after the next gpo background refresh - because domain policies will not allow it. The agent will stop working afterwards.
Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 26th Jan, 2010 15:19
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi

The agent should always be installed with local admin right with access to the internet. This solves the problem.

/Rickard

--
Rickard
Secunia Support
MTGAlberts RE: [Beta] Secunia integrated with Microsoft WSUS
Member 26th Jan, 2010 16:01
Score: 0
Posts: 8
User Since: 20th Jan 2010
System Score: N/A
Location: N/A
Last edited on 27th Jan, 2010 16:46
No it doesn't. The default settings of the default domain policy dictate which users are granted the required privilege. A background refresh will remove it and the service will no longer start (on next reboot). Steps to reproduce
1) use a domain joined computer
2) install the agent
3) open secpol.msc, navigate to local policies - user rights assigment - "logon as a service" and confirm that your own username has been added.
4) close secpol.msc
5) [edit - syntax corrected] execute the following command:
gpupdate /force /target:computer
6) reopen secpol.msc and confirm that your username has vanished
7) try to restart the agent service - it will fail because the user now lacks the right.
Was this reply relevant?
+0
-0
BBSecunia RE: [Beta] Secunia integrated with Microsoft WSUS
Member 27th Jan, 2010 02:13
Score: 0
Posts: 23
User Since: 28th Sep 2008
System Score: N/A
Location: US
on 18th Jan, 2010 14:49, J.Balle wrote:
Today the first customers are invited to beta test the:

Secunia Corporate Software Inspector (CSI)
- integrated with Microsoft WSUS for 3rd party Patch Management

Initially we are running a closed, by invitation only, beta testing, in February we will open the beta testing and invite everybody to try out the new awesome Patch Management features, which we believe will make it a breeze to patch the majority of all 3rd party programs.

You can request to become a beta tester by filling out this form:
http://secunia.com/vulnerability_scanning/corporat...

I'm looking forward to getting your feedback.

Read the full blog:
http://secunia.com/blog/71/[/quote]
Was this reply relevant?
+0
-0
BBSecunia RE: [Beta] Secunia integrated with Microsoft WSUS
Member 27th Jan, 2010 02:14
Score: 0
Posts: 23
User Since: 28th Sep 2008
System Score: N/A
Location: US
Hello,

Registered users aren't in this program by default are they? I don't want anything to do with any Beta programs.

I ask because I have been unable to access the forums pages from the Secunia site that comes up when I run my scans.

Thank you.
Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 27th Jan, 2010 08:26
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi

Well since it fails to install it with the setting you have provided would it be possible to just login with the domain admin that also has local admin right on the machine and see if it's possible to install it using that security level?

Thank you.

/Rickard


--
Rickard
Secunia Support
MTGAlberts RE: [Beta] Secunia integrated with Microsoft WSUS
Member 27th Jan, 2010 09:16
Score: 0
Posts: 8
User Since: 20th Jan 2010
System Score: N/A
Location: N/A
Hi Rickard.
Please be aware of this GPO: http://technet.microsoft.com/en-us/library/cc95714...
Quote: "By default, no accounts have the privilege to log on as a service."
This excludes the domain admins as well.

So to circumvent the problem, the corresponding GPO (normally the default domain policy) has to be changed (not locally, but at domain level). So I don't say, your agent does not work initially - I am telling you to make people aware of that policy change that is definitely required in any domain - otherwise the agent service won't be able to start after the next reboot or after the next GPO background refresh.
Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 27th Jan, 2010 13:48
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi

Good point. But if you login with the local admin right it still should work so please try that option then.

Of course the local admin should have access to the internet since it's with that user the agent will try to connect to Secunia to download the latest file signature.

/Rickard

--
Rickard
Secunia Support
MTGAlberts RE: [Beta] Secunia integrated with Microsoft WSUS
Member 27th Jan, 2010 16:11
Score: 0
Posts: 8
User Since: 20th Jan 2010
System Score: N/A
Location: N/A
Rickard...
do you know what you are talking about? If yes, please try to reproduce the given steps - you will see. I don't want to sound unkind, but I can only repeat myself once more. And no - the local admin does not make a difference. After a reboot, when the GPO gets refreshed, the privilege is taken away from that user.
Was this reply relevant?
+0
-0
iivarsson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 27th Jan, 2010 16:33
Score: 11
Posts: 41
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Last edited on 27th Jan, 2010 16:33
on 27th Jan, 2010 02:14, BBSecunia wrote:
Hello,

Registered users aren't in this program by default are they? I don't want anything to do with any Beta programs.

I ask because I have been unable to access the forums pages from the Secunia site that comes up when I run my scans.

Thank you.


Hello,
No need to worry, this is a closed/private beta by invitation only.


Best regards
Isak
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 27th Jan, 2010 17:00
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
on 20th Jan, 2010 15:20, MTGAlberts wrote:
Another possible pitfall:
If a tester installs the agent (csia.exe) manually at his test workstation, he will be granted the user privilege "logon as a service" (SeServiceLogonRight). However, this privilege will usually get removed after the next gpo background refresh - because domain policies will not allow it. The agent will stop working afterwards.


My mistake, you are right, I assumed too much. What you describe is expected behaviour and is a potential pitfall, though one we don't see very often.

/Rickard

--
Rickard
Secunia Support
MTGAlberts RE: [Beta] Secunia integrated with Microsoft WSUS
Member 27th Jan, 2010 17:22
Score: 0
Posts: 8
User Since: 20th Jan 2010
System Score: N/A
Location: N/A
Rickard,

you will see this not only very often but in every domain where the user installing that agent is not granted the privilege. As you can read in the MS article, default setting is noone is granted that privilege. Definitely people will run into this all the time.
Was this reply relevant?
+0
-0
lcorreia RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 29th Jan, 2010 12:55
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi MGTAlberts,

It is very useful information and we will include details about this in our documentation.
Thank you for pointing it out!
/Luis
rolltidega RE: [Beta] Secunia integrated with Microsoft WSUS
Member 2nd Feb, 2010 13:29
Score: 0
Posts: 6
User Since: 2nd Feb 2010
System Score: N/A
Location: N/A
I cannot get anything to happen when I double-click on computers that show up under deployment. Any ideas?
Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 2nd Feb, 2010 13:35
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
on 2nd Feb, 2010 13:29, rolltidega wrote:
I cannot get anything to happen when I double-click on computers that show up under deployment. Any ideas?


Hi

Is the pop-up window empty under "Scan Result" or does not the pop-up window appear at all?

Is it the same scenario if you right click and choose "Information"?

/Rickard

--
Rickard
Secunia Support
rolltidega RE: [Beta] Secunia integrated with Microsoft WSUS
Member 2nd Feb, 2010 13:37
Score: 0
Posts: 6
User Since: 2nd Feb 2010
System Score: N/A
Location: N/A
The pop up window does not appear at all. If I right click and choose Information that does nothing as well.

on 2nd Feb, 2010 13:35, rjohansson wrote:
Hi

Is the pop-up window empty under "Scan Result" or does not the pop-up window appear at all?

Is it the same scenario if you right click and choose "Information"?

/Rickard

Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 2nd Feb, 2010 13:47
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
on 2nd Feb, 2010 13:37, rolltidega wrote:
The pop up window does not appear at all. If I right click and choose Information that does nothing as well.


When you double click a host under the "Hosts" view does a window appear then or do we have the same scenario here?

/Rickard

--
Rickard
Secunia Support
rolltidega RE: [Beta] Secunia integrated with Microsoft WSUS
Member 2nd Feb, 2010 13:48
Score: 0
Posts: 6
User Since: 2nd Feb 2010
System Score: N/A
Location: N/A
Same scenario.

on 2nd Feb, 2010 13:47, rjohansson wrote:
When you double click a host under the "Hosts" view does a window appear then or do we have the same scenario here?

/Rickard

Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 2nd Feb, 2010 14:04
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
on 2nd Feb, 2010 13:48, rolltidega wrote:
Same scenario.


Could you please provide us with a debug file?

Do the following:
* Exit the application by right clicking it and choose exit.
* Start the command prompt.
* Go to the CSI folder.
Start the CSI: csi.exe --debug file1.txt --verbose

Try to double click and right click the computers under hosts and deployment.

Exit the CSI and then mail us the file1.txt to csbeta@secunia.com

Thank you.

/Rickard

--
Rickard
Secunia Support
rolltidega RE: [Beta] Secunia integrated with Microsoft WSUS
Member 2nd Feb, 2010 14:09
Score: 0
Posts: 6
User Since: 2nd Feb 2010
System Score: N/A
Location: N/A
Of course a double click works this time... but when I click on Scan Result I never get any results. It appears to be trying to gather the info but never completes. Also on the Overview tab it tells me that the host has never been scanned but I see the host under Completed Scans. I will send you this debug file anyway.

on 2nd Feb, 2010 14:04, rjohansson wrote:
Could you please provide us with a debug file?

Do the following:
* Exit the application by right clicking it and choose exit.
* Start the command prompt.
* Go to the CSI folder.
Start the CSI: csi.exe --debug file1.txt --verbose

Try to double click and right click the computers under hosts and deployment.

Exit the CSI and then mail us the file1.txt to csbeta@secunia.com

Thank you.

/Rickard

Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 2nd Feb, 2010 14:22
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
on 2nd Feb, 2010 14:09, rolltidega wrote:
Of course a double click works this time... but when I click on Scan Result I never get any results. It appears to be trying to gather the info but never completes. Also on the Overview tab it tells me that the host has never been scanned but I see the host under Completed Scans. I will send you this debug file anyway.


Hi

Just checked you debug file and I think this is the problem:
Caught exception when updating headings in Agent Management : -2147352567 , no such table: tmp_agent_overview

If you can delete the local DB file. Should be located under:
C;\Documents and Settings\%Loggedin%\Application Data\Secunia CSI
Remember to exit CSI first.

Delete the files under the Secunia CSI folder.

Note, you can only view scan result under Completed Scans if the Host is present under Hots. You for some reason have deleted it it will still show under Competed Scans but you cant edit it.

What you also can try is to disable the connection to your WSUS server and check if this enables you to view your scan result.

/Rickard


--
Rickard
Secunia Support
rolltidega RE: [Beta] Secunia integrated with Microsoft WSUS
Member 2nd Feb, 2010 14:31
Score: 0
Posts: 6
User Since: 2nd Feb 2010
System Score: N/A
Location: N/A
OK I deleted that file. I am having the same issue with Overview reporting that the host has never been scanned even though I just scanned it. I also see no scan results as it continues to retry.

So, I disabled my connection to WSUS and now it is working. I want the WSUS integration so what do we need to do to correct this?

on 2nd Feb, 2010 14:22, rjohansson wrote:
Hi

Just checked you debug file and I think this is the problem:
Caught exception when updating headings in Agent Management : -2147352567 , no such table: tmp_agent_overview

If you can delete the local DB file. Should be located under:
C;\Documents and Settings\%Loggedin%\Application Data\Secunia CSI
Remember to exit CSI first.

Delete the files under the Secunia CSI folder.

Note, you can only view scan result under Completed Scans if the Host is present under Hots. You for some reason have deleted it it will still show under Competed Scans but you cant edit it.

What you also can try is to disable the connection to your WSUS server and check if this enables you to view your scan result.

/Rickard

Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 2nd Feb, 2010 14:37
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
on 2nd Feb, 2010 14:31, rolltidega wrote:
OK I deleted that file. I am having the same issue with Overview reporting that the host has never been scanned even though I just scanned it. I also see no scan results as it continues to retry.

So, I disabled my connection to WSUS and now it is working. I want the WSUS integration so what do we need to do to correct this?


Oki, We will look into this.

Just to make sure do you have the latest WSUS version installed on you WSUS server? Since when you install the Administrative Console on CSI you use the latest version.

/Rickard

--
Rickard
Secunia Support
rolltidega RE: [Beta] Secunia integrated with Microsoft WSUS
Member 2nd Feb, 2010 18:21
Score: 0
Posts: 6
User Since: 2nd Feb 2010
System Score: N/A
Location: N/A
I did determine that I did not have the same version on the WSUS server as the console had. So I updated it but the same problem exists stating the server has not been scanned and the results never load.

on 2nd Feb, 2010 14:37, rjohansson wrote:
Oki, We will look into this.

Just to make sure do you have the latest WSUS version installed on you WSUS server? Since when you install the Administrative Console on CSI you use the latest version.

/Rickard

Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 8th Feb, 2010 09:06
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
on 2nd Feb, 2010 18:21, rolltidega wrote:
I did determine that I did not have the same version on the WSUS server as the console had. So I updated it but the same problem exists stating the server has not been scanned and the results never load.


We are currently working on solving this issue since we have now been able to reproduce this scenario. Hope to have a solution for you soon.

/Rickard

--
Rickard
Secunia Support
jsweeny RE: [Beta] Secunia integrated with Microsoft WSUS
Member 11th Feb, 2010 00:50
Score: 0
Posts: 8
User Since: 21st Oct 2009
System Score: N/A
Location: N/A
on 27th Jan, 2010 17:22, MTGAlberts wrote:
Rickard,

you will see this not only very often but in every domain where the user installing that agent is not granted the privilege. As you can read in the MS article, default setting is noone is granted that privilege. Definitely people will run into this all the time.


Did you try installing the agent with these parameters: -i -L

When I do, my CSI agent seems to be working just fine
Was this reply relevant?
+0
-0
jsweeny RE: [Beta] Secunia integrated with Microsoft WSUS
Member 11th Feb, 2010 00:51
Score: 0
Posts: 8
User Since: 21st Oct 2009
System Score: N/A
Location: N/A
My CSI console is talking to my WSUS server just fine, but I'm having issues with the signing certificate. Here is the text on the Patch->Configuration screen:

Signing Certificate
Exists. Checking whether the certificate is installed in all appropriate certificate stores failed.

Any ideas? Thanks, ~Jonny
Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 11th Feb, 2010 08:09
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
on 11th Feb, 2010 00:51, jsweeny wrote:
My CSI console is talking to my WSUS server just fine, but I'm having issues with the signing certificate. Here is the text on the Patch->Configuration screen:

Signing Certificate
Exists. Checking whether the certificate is installed in all appropriate certificate stores failed.

Any ideas? Thanks, ~Jonny


Hi Jonny

Have you made sure that remote registry is enabled on the hosts. In Vista and Win7 this service is disabled by default.

/Rickard

--
Rickard
Secunia Support
jsweeny RE: [Beta] Secunia integrated with Microsoft WSUS
Member 11th Feb, 2010 15:56
Score: 0
Posts: 8
User Since: 21st Oct 2009
System Score: N/A
Location: N/A
on 11th Feb, 2010 08:09, rjohansson wrote:
Hi Jonny

Have you made sure that remote registry is enabled on the hosts. In Vista and Win7 this service is disabled by default.

/Rickard



So is the system/account that runs the CSI console supposed to have admin privileges on the machines running the CSI agent, to push remote registry changes? Or are these pushed by the WSUS server?

This is the first I've heard of the need for CSI to require remote registry access.

~Jonny
Was this reply relevant?
+0
-0
rjohansson RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 12th Feb, 2010 08:00
Score: 15
Posts: 61
User Since: 5th Oct 2009
System Score: N/A
Location: Copenhagen, DK
on 11th Feb, 2010 15:56, jsweeny wrote:
So is the system/account that runs the CSI console supposed to have admin privileges on the machines running the CSI agent, to push remote registry changes? Or are these pushed by the WSUS server?

This is the first I've heard of the need for CSI to require remote registry access.

~Jonny


Hi Jonny

In The Secunia CSI we have always (since the start in 2007) we have always had remote registry as a system requirement. We don't push registry key but we do however read it to make sure that OS is installed on the target host.

http://secunia.com/vulnerability_scanning/corporat...

When running the agent you don't need to have the remote registry service enabled. Only when doing remote scanning from the GUI. This is also one of the reasons why Secunia always recommend using the agent for scanning purposes.

/Rickard

--
Rickard
Secunia Support
al_bundy99 [Beta] Secunia integrated with Microsoft WSUS
Member 12th Feb, 2010 11:52
Score: 0
Posts: 3
User Since: 12th Feb 2010
System Score: N/A
Location: AT
Last edited on 12th Feb, 2010 12:00
Hi,

1.) Can't install certificate on any hosts. I installed certificate for the server, managed in the GPO the rules, nothing happens unable to install. There is no firewall in our net, clients are running with XP SP3, Vista Business SP2 64-bit and WIN7 Pro 64bit . The Server is an W2K8-64-bit, and our WSUS is 3.0 SP2

Any ideas?

2.) I've got problems with an scanned host on the "Patch Information" tab. The last line says "Error when connecting to host certificate store"

Same question: Any ideas?

Thanks

--
E=mc˛
Was this reply relevant?
+0
-0
lcorreia RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 12th Feb, 2010 13:12
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi,

In order to be able to install the certificate on the hosts, please consider the following:

i) Remember to start the Secunia CSI with Admin rights.
You need to right click the CSI icon and choose "Run as administrator".

ii) Also check that the hosts have the service Remote Registry started, if not
you will not able to push out the certificate.

Let us know if the issue persists.
Thanks!
/Luis
al_bundy99 Secunia integrated with Microsoft WSUS
Member 15th Feb, 2010 16:37
Score: 0
Posts: 3
User Since: 12th Feb 2010
System Score: N/A
Location: AT
@ luis

Thanks for the solution. Certificates are deployed perfect, but now on my WSUS there are many updates & patches incomplete downloaded they have a "red callsign" Status: not downloaded completly. The clients may not be able to use these patches if they are not downloaded completly. Try to download again.

I've tried to download again these patches, the red callsign changed to yellow for about 3-5 Minutes an rechanged to red --> download uncomplete --> try to download again.

Now i scanned a client in the overview it seems perfect but on the last line there is a statement: "Unable to retrieve patch information from your Microsoft WSUS Server."

Tab "Scan result" perfect!

Tab "Patch Information" : No data on this computer

Tab "Patches available" : No Updates found

Thanks
Wolfgang

--
E=mc˛
Was this reply relevant?
+0
-0
jsweeny RE: Secunia integrated with Microsoft WSUS
Member 15th Feb, 2010 17:39
Score: 0
Posts: 8
User Since: 21st Oct 2009
System Score: N/A
Location: N/A
when i try to create a patch, i am able to select the file for upload but then i get this error:

Failed to create update
An error occurred when creating the update.

Please contact Secunia support with the following information:
In 'Invoke'
Code: -2147467259
Exception has been thrown by the target of an invocation.
--> System.ComponentModel.Win32Exception: CreateDirectory failed
at Microsoft.UpdateServices.Internal.FileSystemUtilit ies.CreateDirectory(String path)
at Microsoft.UpdateServices.Internal.BaseApi.Publishe r.CreatePackageDirectory(String customDirectoryName)
at Microsoft.UpdateServices.Internal.BaseApi.Publishe r.PublishPackage(String sourcePath, String additionalSourcePath, String packageDirectoryName)
at Microsoft.UpdateServices.Internal.BaseApi.Publishe r.PublishPackage(String sourcePath, String packageDirectoryName)
Was this reply relevant?
+0
-0
jsweeny RE: Secunia integrated with Microsoft WSUS
Member 15th Feb, 2010 19:26
Score: 0
Posts: 8
User Since: 21st Oct 2009
System Score: N/A
Location: N/A
I wonder if my error is related to this error I get on the Patch->Configuration page:

Configure WSUS for working with the CSI
The Secunia CSI could not check whether the WSUS Signing Certificate is installed in all appropriate certificate stores.
A WSUS Signing Certificate is required to create and install local packages.
Without it, only packages from Microsoft Update will be installed.
Click 'OK' to try again.
Was this reply relevant?
+0
-0
lcorreia RE: Secunia integrated with Microsoft WSUS
Secunia Official 16th Feb, 2010 09:26
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi Wolfgang,

Glad to hear that you managed the certificates installation.

With regards to "Unable to retrieve patch information from your Microsoft WSUS server" this can happen if:
1. the scanned host is not checking with the WSUS server, verify that the scanned host is configured to download updates from the WSUS server (section 4.1.5 of the setup guide).

2. verify that your CSI is able to connect to the WSUS. On the CSI go to Patch->Configuration and verify that you are connected to the WSUS, if connection is successful several information is retrieved and populated in the "WSUS Server Information" area (section 8.4 of the setup guide)

Let us know if you're able to get information from your WSUS.

Thanks!
/Luis
lcorreia RE: Secunia integrated with Microsoft WSUS
Secunia Official 16th Feb, 2010 09:37
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi jsweeny,

A WSUS Signing Certificate is required for you to be able to publish/upload packages to the WSUS server. Please refer to section "8.4.1. Create / Install Certificate" from the Setup guide.

Let us know if the issue persists.

Thanks!
/Luis
jsweeny RE: Secunia integrated with Microsoft WSUS
Member 16th Feb, 2010 15:43
Score: 0
Posts: 8
User Since: 21st Oct 2009
System Score: N/A
Location: N/A
I never got a link to the Setup Guide. And it doesn't appear to have come with the CSI install. Can you provide a link?
Was this reply relevant?
+0
-0
lcorreia RE: Secunia integrated with Microsoft WSUS
Secunia Official 16th Feb, 2010 15:51
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi jsweeny,

apologies for that, I will send you an email with the link to the CSI 4 Beta Setup Guide.

Thanks!
/Luis
Secunia
jsweeny RE: [Beta] Secunia integrated with Microsoft WSUS
Member 16th Feb, 2010 15:58
Score: 0
Posts: 8
User Since: 21st Oct 2009
System Score: N/A
Location: N/A
I noticed that when you create a software package, that it makes you select path(s) where it has detected insecure versions. I assume that it uses this information to know which paths to look in when deciding to upgrade. How will this work for packages like Google Chrome where I foresee two problems:

1. It is installed to a unique path for each user so even if I select all the paths when I create the package, there will be new paths that will exist later. Those will not be upgraded then i suppose.

2. Chrome does not remove old versions when you upgrade (argh!) so these old versions will remain in these paths after upgrading. Will CSI/WSUS then always try to upgrade every time the machine checks in with WSUS?

Thanks,

~Jonny
Was this reply relevant?
+0
-0
obringer RE: [Beta] Secunia integrated with Microsoft WSUS
Member 17th Feb, 2010 15:50
Score: 0
Posts: 16
User Since: 17th Feb 2010
System Score: N/A
Location: US
Last edited on 17th Feb, 2010 15:59
OS: Windows Server 2008 R1 x64
CSI version: 3.9.0.4 (latest 4.0 beta)

Issue: CSI installs, opens, and gets stuck at 'Please wait while network connectivity is verified'.

Troubleshooting:

1. Networking confirmed functional (no firewall enabled)
2. Installed/executed CSI as local admin user
3. Attempted reload of interface - no results. Application only minimizes successfully.
4. Attempted debug run via:
csi.exe --debug file1.txt --verbose (as mentioned in thread)
Results: no debug file output.
5. Completely removed CSI 4.0 beta, installed CSI 3 (current version). The legacy version loads fine, and asks for its proper keys, etc.

My question is this -- what next? Could this be an OS incompatibility? I've seen that this *should* run fine on our server's OS, but nothing specific to x86 versus x64. Any/all help appreciated, as we're trying to at least get a good idea of how this integrates into WSUS, and are extremely interested in getting a working test going.

Thanks!
Was this reply relevant?
+0
-0
lcorreia RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 17th Feb, 2010 16:22
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hello obringer,

Thanks for your post.
To create a debug file please try the following:
csi.exe -d file1.txt -v

With regards to not being able to run CSI4.0, please try the following:
go to Internet Options->Security->Trusted Sites and add https://csi.secunia.com to the Trusted Sites.

Try to lunch the CSI4.0 again, if you don't succeed, kindly send the debug file to cscbeta@secunia.com

Thanks!
/Luis
Secunia Support
obringer RE: [Beta] Secunia integrated with Microsoft WSUS
Member 17th Feb, 2010 16:53
Score: 0
Posts: 16
User Since: 17th Feb 2010
System Score: N/A
Location: US
Last edited on 17th Feb, 2010 17:12
Thanks for the reply, I was able to get the console to at least load up its interface by adding the trusted site.

Now, the issue is connecting to the local WSUS instance. We're running 3.0SP2 (latest) and it is a functional installation, accessible via HTTP. I've removed the IE Security altogether for local admins to resolve any further issues, but now I've hit a licensing issue, having exhausted our number of installations. I've sent a request to csibeta@secunia.com to have this reset.

Hopefully it works out! I'll keep you informed.

-Adam
Was this reply relevant?
+0
-0
obringer RE: [Beta] Secunia integrated with Microsoft WSUS
Member 17th Feb, 2010 17:26
Score: 0
Posts: 16
User Since: 17th Feb 2010
System Score: N/A
Location: US
on 17th Feb, 2010 16:53, obringer wrote:
Thanks for the reply, I was able to get the console to at least load up its interface by adding the trusted site.

Now, the issue is connecting to the local WSUS instance. We're running 3.0SP2 (latest) and it is a functional installation, accessible via HTTP. I've removed the IE Security altogether for local admins to resolve any further issues, but now I've hit a licensing issue, having exhausted our number of installations. I've sent a request to csibeta@secunia.com to have this reset.

Hopefully it works out! I'll keep you informed.

-Adam


Ok, license issue resolved -- The only thing I'm seeing as a problem now:

Configure WSUS for working with the CSI
An error occured while checking the WSUS group policy:
Code: 1
The domain path is not valid: "

Interesting... not so sure what it means though..
Was this reply relevant?
+0
-0
obringer RE: [Beta] Secunia integrated with Microsoft WSUS
Member 18th Feb, 2010 19:18
Score: 0
Posts: 16
User Since: 17th Feb 2010
System Score: N/A
Location: US
Last edited on 18th Feb, 2010 19:30
When attempting to install a certificate to a test host I've created running the CSIa, this is what happens via CSI:

02/18 13:05:28.920] CSI in Focus, fast sync initiated: 5000
[02/18 13:05:28.920] Cleared syncTimerID: 7084928
[02/18 13:05:28.920] Forced sync: undefined
[02/18 13:05:29.013] Connecting to csi.secunia.com:443
[02/18 13:05:29.013] GET /API/3903/?type=client_sync&sync[nsi_table_state]= 1.2||0&sync[categories_content]=1.6||0&sync[catego ries]=1.6||0&sync[nsi_ignore_rules]=1.3||0&sync[ns i_scan_group_agents]=1.0||0&sync[nsi_base_settings ]=1.0|2010-02-17 17:10:08|1&sync[nsi_dashboard_profiles]=1.2|2010-0 2-17 17:16:31|1&sync[nsi_dashboard_profiles_layout]=1.2 |2010-02-17 17:16:31|1&sync[nsi_contact_details]=1.0|2010-02-1 7 17:33:25|1&sync[nsi_scan_groups]=1.2|2010-02-17 17:35:37|1&sync[nsi_devices]=1.6|2010-02-17 18:06:40|1&sync[nsi_groups_v3]=1.0|2010-02-17 18:06:40|1&sync[nsi_device_software]=1.11|2010-02- 17 18:06:40|58&sync[nsi_scan_targets]=1.0|2010-02-17 21:22:39|1&sync[nsi_delete_log]=1.0|2010-02-17 21:23:07|1&sync[nsi_sss_sequences]=1.0|2010-02-18 00:00:05|1&sync[nsi_sss_results]=1.1|2010-02-18 00:11:50|2&sync[nsi_device_agent_conf]=1.3|2010-02 -18 19:04:27|1&uid=7QUZVa05A6FBPplqmqHrIjRsSN2627YywXp uqQLmVv0wW61b2yXchc38DIi9EANo&ui=agent&langroup=XX X &host=WSUS-BOX
[02/18 13:05:29.013] Request : Connect timeout=300000ms, outside allowed boundaries, forcing to 120000
[02/18 13:05:29.013] Request : send timeout=300000ms, outside allowed boundaries, forcing to 120000
[02/18 13:05:29.013] Request : receive timeout=3600000ms, outside allowed boundaries, forcing to 120000
[02/18 13:05:29.013] Request timeouts : 120000ms, 120000ms, 120000ms
[02/18 13:05:35.170] Connecting to csi.secunia.com:443
[02/18 13:05:35.170] GET /API/3903/?type=client_sync&sync[nsi_table_state]= 1.2||0&sync[categories_content]=1.6||0&sync[catego ries]=1.6||0&sync[nsi_ignore_rules]=1.3||0&sync[ns i_scan_group_agents]=1.0||0&sync[nsi_base_settings ]=1.0|2010-02-17 17:10:08|1&sync[nsi_dashboard_profiles]=1.2|2010-0 2-17 17:16:31|1&sync[nsi_dashboard_profiles_layout]=1.2 |2010-02-17 17:16:31|1&sync[nsi_contact_details]=1.0|2010-02-1 7 17:33:25|1&sync[nsi_scan_groups]=1.2|2010-02-17 17:35:37|1&sync[nsi_devices]=1.6|2010-02-17 18:06:40|1&sync[nsi_groups_v3]=1.0|2010-02-17 18:06:40|1&sync[nsi_device_software]=1.11|2010-02- 17 18:06:40|58&sync[nsi_scan_targets]=1.0|2010-02-17 21:22:39|1&sync[nsi_delete_log]=1.0|2010-02-17 21:23:07|1&sync[nsi_sss_sequences]=1.0|2010-02-18 00:00:05|1&sync[nsi_sss_results]=1.1|2010-02-18 00:11:50|2&sync[nsi_device_agent_conf]=1.3|2010-02 -18 19:04:27|1&uid=7QUZVa05A6FBPplqmqHrIjRsSN2627YywXp uqQLmVv0wW61b2yXchc38DIi9EANo&ui=agent&langroup=AD &host=WSUS-DESKTOP
[02/18 13:05:35.186] Request : Connect timeout=300000ms, outside allowed boundaries, forcing to 120000
[02/18 13:05:35.186] Request : send timeout=300000ms, outside allowed boundaries, forcing to 120000
[02/18 13:05:35.186] Request : receive timeout=3600000ms, outside allowed boundaries, forcing to 120000
[02/18 13:05:35.186] Request timeouts : 120000ms, 120000ms, 120000ms
[02/18 13:05:38.076] Looking for WSUS signing certificate
[02/18 13:05:38.092] Found WSUS signing certificate
[02/18 13:05:38.092] Installing WSUS Signing Certificate to host 'whatever.xxx.xxx.xxx'
[02/18 13:06:29.688] Error when adding certificate to store 'whatever.xxx.xxx.xxx\TrustedPublisher' : -2147352567 , In 'Invoke'
Code: -2147024843
Exception has been thrown by the target of an invocation.
--> System.Security.Cryptography.CryptographicExceptio n: The network path was not found.

at System.Security.Cryptography.X509Certificates.X509 Store.Open(OpenFlags flags)



I obviously cannot install the updates that I've created and pushed to WSUS successfully without having the cert installed on the host -- any suggestions as to how to do this? Can I do it manually?

Thanks!

-Adam
Was this reply relevant?
+0
-0
lcorreia RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 19th Feb, 2010 08:51
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hello Adam,

Could you please refer to the following sections of the Setup and Usage Guide:
8.4.1 Create/Install Certificate
8.4.2 Certificate distribution

In these sections you will find information on how to install the certificate on the target hosts.

Let me know if you would like me to send you an email with the links for this documentation.

Thanks!
/Luis
obringer RE: [Beta] Secunia integrated with Microsoft WSUS
Member 19th Feb, 2010 14:47
Score: 0
Posts: 16
User Since: 17th Feb 2010
System Score: N/A
Location: US
on 19th Feb, 2010 08:51, lcorreia wrote:
Hello Adam,

Could you please refer to the following sections of the Setup and Usage Guide:
8.4.1 Create/Install Certificate
8.4.2 Certificate distribution

In these sections you will find information on how to install the certificate on the target hosts.

Let me know if you would like me to send you an email with the links for this documentation.

Thanks!
/Luis


Luis,

Please provide the link to the setup guide as soon as you can.

Thanks!

-Adam
Was this reply relevant?
+0
-0
lcorreia RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 19th Feb, 2010 15:02
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi Adam,

sent!

Thanks!
/Luis
Secunia
obringer RE: [Beta] Secunia integrated with Microsoft WSUS
Member 19th Feb, 2010 15:22
Score: 0
Posts: 16
User Since: 17th Feb 2010
System Score: N/A
Location: US
Luis,

I've performed both of those steps previously, but have encountered these errors:

1. Cert creation:

Certificate is created; the 'Signing Certificate' section displays 'Exists and is installed in all appropriate cert stores', but under 'Group Policy' it says 'An error occured while checking the WSUS Group Policy' -- not sure what type of impact that will have.

2. Deploying to clients:

When I try to right click a test host and 'verify and install certificate', I get the following error:

'The Wsus Signing Certificate could not be installed to any hosts.'

Along with this is the log output from my previous note.

-Adam
Was this reply relevant?
+0
-0
lcorreia RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 19th Feb, 2010 15:36
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hello Adam,

I would like you to try the following:

If running the Secunia CSI 4.0 in Windows Vista, 7 or 2008, please start the Secunia CSI by right clicking in the CSI icon and selecting “Run as administrator“.

It's also worth mentioning that the Remote Registry must be enabled on the target hosts (In Vista and Win7 this service is disabled by default), otherwise the Certificate installation will fail.

Let us know if the issue persists.
Thanks!
/Luis
obringer RE: [Beta] Secunia integrated with Microsoft WSUS
Member 19th Feb, 2010 17:35
Score: 0
Posts: 16
User Since: 17th Feb 2010
System Score: N/A
Location: US
on 19th Feb, 2010 15:36, lcorreia wrote:
Hello Adam,

I would like you to try the following:

If running the Secunia CSI 4.0 in Windows Vista, 7 or 2008, please start the Secunia CSI by right clicking in the CSI icon and selecting “Run as administrator“.

It's also worth mentioning that the Remote Registry must be enabled on the target hosts (In Vista and Win7 this service is disabled by default), otherwise the Certificate installation will fail.

Let us know if the issue persists.
Thanks!
/Luis



Luis,

Unfortunately even with remote registry enabled/started and my firewall completely dropped (Win7 Enterprise x86), the same issue persists. I'm going to setup a different machine that doesn't utilize modified group policies to test again shortly, but it should be working on my test VM in theory...
Was this reply relevant?
+0
-0
al_bundy99 Secunia integrated with Microsoft WSUS
Member 19th Feb, 2010 20:09
Score: 0
Posts: 3
User Since: 12th Feb 2010
System Score: N/A
Location: AT
Last edited on 19th Feb, 2010 20:42
Hi Luis,

since my last post I've done nothing...only your recommendations. Can't check what happens....time problem :-(

Today I checked my clients, the WSUS and CSI.... Great!!

No problems everything is running perfect, all informations are visible, patches are proposed, vulnerabilities are detected. So I made patches, deployed them... perfect!

The systems are really right patched. Only 3 clients should be patched manually, cause there are no automatic patches available.... doesn't matter.

WORKS GREAT!!!- MANY THANKS!

Now I've to make a quote. When will the CSI with WSUS integration be available?

Greetings

Wolfgang

--
E=mc˛
Was this reply relevant?
+0
-0
obringer RE: [Beta] Secunia integrated with Microsoft WSUS
Member 23rd Feb, 2010 14:36
Score: 0
Posts: 16
User Since: 17th Feb 2010
System Score: N/A
Location: US
on 19th Feb, 2010 15:36, lcorreia wrote:
Hello Adam,

I would like you to try the following:

If running the Secunia CSI 4.0 in Windows Vista, 7 or 2008, please start the Secunia CSI by right clicking in the CSI icon and selecting “Run as administrator“.

It's also worth mentioning that the Remote Registry must be enabled on the target hosts (In Vista and Win7 this service is disabled by default), otherwise the Certificate installation will fail.

Let us know if the issue persists.
Thanks!
/Luis


Luis,

Any suggestions at this point? See last post...
Was this reply relevant?
+0
-0
lcorreia RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 23rd Feb, 2010 15:05
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hi Adam,

ok, so something is preventing the installation of the certificates on your client machines.
Is this only affecting Win7 clients or is also happening on other Windows targets?

Could you please verify the following steps, just to make sure I'm not missing anything:
1- Remote Registry must be enabled on the target hosts (is disabled by default on Win7/Vista so you must enable it in these hosts).

2 - Run the CSI4 with administrative privileges. CSI will use the credentials of the user that's running the solution, the user launching the CSI GUI must have Adminitrative priveliges (also, in Win7/Vista/ you must right-click the CSI icon and select "Run as administrator", remember to exit/close the Secunia CSI
first)

If these steps are correctly performed you should have no problem installing the certificates in the target hosts.
If still having the problem, kindly create a log file and send it to cscbeta@secunia.com
To create a log file go to Configuration->Settings->Enable logging, repeat the steps until you get the certificate error and send the log file to the indicated email address.

Thanks!
/Luis
Secunia
obringer RE: [Beta] Secunia integrated with Microsoft WSUS
Member 23rd Feb, 2010 15:21
Score: 0
Posts: 16
User Since: 17th Feb 2010
System Score: N/A
Location: US
comments in-line:

on 23rd Feb, 2010 15:05, lcorreia wrote:
Hi Adam,

ok, so something is preventing the installation of the certificates on your client machines.
Is this only affecting Win7 clients or is also happening on other Windows targets?

we are only testing 1 windows 7 target as of now. there is no interest in any other OS' at this point except for Windows 2008R2 which I do not have available for testing.

Could you please verify the following steps, just to make sure I'm not missing anything:
1- Remote Registry must be enabled on the target hosts (is disabled by default on Win7/Vista so you must enable it in these hosts).

yes, enabled per my last response.

2 - Run the CSI4 with administrative privileges. CSI will use the credentials of the user that's running the solution, the user launching the CSI GUI must have Adminitrative priveliges (also, in Win7/Vista/ you must right-click the CSI icon and select "Run as administrator", remember to exit/close the Secunia CSI
first)

yes, this is run as administrator, and is also reporting back properly -- the issue is that the updates will not install because the cert cannot be deployed to the target host, even with the firewall dropped completely, and remote registry enabled.

If these steps are correctly performed you should have no problem installing the certificates in the target hosts.
If still having the problem, kindly create a log file and send it to cscbeta@secunia.com
To create a log file go to Configuration->Settings->Enable logging, repeat the steps until you get the certificate error and send the log file to the indicated email address.

the logfile included about 4-5 days ago in my previous post details the exact error, but i will do it again in case anything has changed for some reason. i don't anticipate it, but its worth a try.

Thanks!
/Luis
Secunia



thanks -

-adam
Was this reply relevant?
+0
-0
lcorreia RE: [Beta] Secunia integrated with Microsoft WSUS
Secunia Official 4th Mar, 2010 11:18
Score: 0
Posts: 50
User Since: 6th Oct 2009
System Score: N/A
Location: Copenhagen, DK
Hello,

in order for CSI to be able to install the required Certificates, the user running the CSI4.0 must be domain administrator, otherwise if the user is only local administrator, CSI4.0 won't be able to install the Certificates on the target hosts.

Thanks!
/Luis
Stay Secure
Secunia

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


Secunia is a member of FIRST Secunia is a member of EDUcause Secunia is a member of The Open Group Secunia is a member of FS-ISAC
 
Secunia © 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer
follow Secunia on Facebook follow Secunia on Twitter follow Secunia on LinkedIn follow Secunia on YouTube follow Secunia Xing follow Secunias RSS feed follow Secunia on Google+