[Dshield] MS SUS (formerly Mydoom (A, B) and Doomjuice.A WormRemoval Tool (KB836528), 2/13/2004)

Al Reust areust at comcast.net
Wed Feb 18 05:57:41 GMT 2004

Hello All

SUS and more

I am in the process of reconfiguring a SUS server. My first original look 
was disappointing in the lack of service packs/NT 4.0 support. I saw Win2K 
service packs come in but could not deploy them. I had the opportunity to 
speak with some of the developers and yes, that was on everyone's wish list. 
It was promised in the delayed SUS 2.0 along with Office fixes. Initially 
SUS was designed to support a 200 machine environment (single server); 
larger was "go to SMS." MS created the SUS plugin to allow an SUS server to 
bring the hotfixes and service packs to where SMS could deal with them. 
This was a big deal as everyone started disabling ActiveX (inside the 
firewall) which was required for WindowsUpdate.

During the 2003 Microsoft Security Symposium, I spoke with MS SUS folks and 
Shavlik Representatives. I and a friend installed two separate 
installations of the Lite Version (reporting is disabled). We noted right 
off that there were severe problems with Wireless. That has been fixed. I 
noted in my Lab environment (20 machines, mixed NT 4.0 [workstation 
and server], Win2K [Pro and various Server flavors], and XP [Pro or RC-2003 
Server]) problems in an AD Domain. These problems, as I deduced, were related 
to how RPC functions to log into the XP environment. The error that it 
gave was very lame (admin rights required) even attempting to use the 
Domain Admin account. It Failed! I could hook into the machine using

"net use \\machine\ipc$ /u:domain\admin password"

with no problem; that was proof that RPC was not having a problem. The 
"same" error was reported for various other errors that had separate other 
solutions. Only an undefined/undertrapped error. It came to a point that 
they did not want to hear it anymore. They stopped responding. So for 
that, I will advertise for Shavlik! I Will Not spend money there! They 
received several hundred hours of advanced Beta testing without so much as 
a "Thank You." We all contribute many hours of testing and "professional" 
troubleshooting that are in some cases "unrewarded." Some companies will 
acknowledge "professional" help and provide "Not for Resale" (Free or at 
Reduced cost) software that helps you recommend/sell their product. It 
allows you to play and learn, or find the correct product for your 
individual situation. It now seems that is a dying thing.

I look at the footprint it leaves (HFNetchk Pro), and what software update 
services leaves on the machines - it is comparable. With the pre 4.x 
version I do not see a way to uninstall a bad hotfix, or a way to define a 
bad install of a hotfix. It goes back to testing the odd machine with 
QFECheck, then attempting to reapply the broken hotfix.

Put together 20 mixed machines and go test. Oops, I forgot the Lite version 
now only allows ten machines, besides the lack of reporting. It was sad 
because I thought that they had a solution to account for the lack of MS NT 
4.0 support. No, SUS does not support NT 4.0!

If you have 5 machines and do not care about reporting, go grab the Lite 
version. It will take care of what you need. Then you do not have to pay 
anything. However, it is a Resource Hog!

Yes, Shavlik created the slim model HFNetchk; this is not the first time 
that MS has purchased services. In the Win 9.x era "Defrag" carried 
Symantec's Copyright (Speedisk) and others. So in this case it is easier to 
license a version of software (built to specifications) than build it or 
buy the company. But then we all know that MS has a 10+ billion operating 

If you have money go to http://www.stbernard.com/ they have one that works.


At 12:31 PM 2/16/2004 -0500, you wrote:
> Sorry about that, the caffeine had not set in yet.
> The problem with SUS is exactly that the limitations stated by MS.
> Back when I was testing it you could not push SP's, only hot fixes.
> I don't know if they have fixed this limitation or not? Why go halfway
> and need another tool when you could go all the way with one tool HFNetChk.
> SUS was designed and created by Shavlik for MS, MS just chooses to use
> a watered down version.  Don't get me wrong, it's a good tool but it
> has a way to go. I just don't feel comfortable waiting.
> SMS is a good product but very cumbersome and pricy.
> Again IMO
> Thanx, Paul
> > -----Original Message-----
> > From: John Holmblad [mailto:jholmblad at aol.com]
> > Sent: Monday, February 16, 2004 11:30 AM
> > To: General DShield Discussion List
> > Subject: Re: [Dshield] MS SUS (formerly Mydoom (A, B) and
> > Doomjuice.A WormRemoval Tool (KB836528), 2/13/2004)
> >
> > Paul,
> >
> > I assume the missing word in your post is "waste". I have not
> > used either product to date but I am familiar with both. Can
> > you elaborate on why you think SUS is worthless, especially
> > since it is also free? I know that Microsoft is reasonably up
> > front about the limitations of SUS and positions it for the
> > small to medium enterprise to ease the management of
> > Microsoft OS security patches.  As you are probably aware
> > Microsoft also has Systems Management Server (SMS)  for
> > managing large deployments of Microsoft systems. I don't know
> > very much about that product but I know that it is NOT free.
> >
> > --
> > Best Regards,
> >
> > John Holmblad
> > Televerage International
> >
> > (H) 703 620 0672
> > (M) 703 407 2278
> > (F) 703 620 5388
> >
> > www page:              www.vtext.com/users/jholmblad
> > primary email address: jholmblad at aol.com
> > backup email address:  jholmblad at verizon.net
> > text email address:    jholmblad at vtext.com
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >