Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 11 Monitoring and Troubleshooting Agent Sessions
Agent Troubleshooting
Known Issue for Windows Script 5.6
Windows Script 5.6 is required for proper functioning of the Agent. Most older operating systems come
with Windows Script 5.1 components. Microsoft automatically installs the new 5.6 component when
Windows updates are performed. Windows Installer components 2.0 and 3.0 also require Windows Script
5.6. However, PCs with a fresh install of Windows 2000 that have never performed Windows
updates will not have the Windows Script 5.6 component. Cisco NAC Appliance cannot redistribute this
component because Microsoft does not provide it as a merge module/redistributable.
In this case, administrators will have to access the MSDN website to get this component and upgrade to
Windows Script 5.6. For convenience, links to the component from MSDN are listed below:
Filename: scripten.exe
URL: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=01592C48-207D-4BE1-8A76-1C4099D7BBB9&displaylang=en
If these links change on MSDN, try a search for the file names provided above or search for the phrase
“Windows Script 5.6.”
Known Issue for MS Update Scanning Tool (KB873333)
Background
KB873333 is a critical update that is required for Windows XP Professional and Home for SP1 and SP2.
It fixes an OS vulnerability that can allow remote code to run. However, Microsoft had a bug in this
hotfix which caused problems on SP2 editions (Home/Pro). This bug required another fix (KB894391),
because KB873333 on SP2 caused a problem with displaying Double Byte Character Sets (DBCS).
However, KB894391 does not replace KB873333; it only fixes the DBCS display issue.
Ideally, KB894391 should not be installed or shown in updates unless the user machine has KB873333.
However, the MS Update Scanning Tool shows it irrespective of whether or not KB873333 is
installed. In addition, if, due to ordering of the updates, KB894391 is installed, the MS Update Scanning
Tool does not show KB873333 as being installed, thereby leaving the vulnerability open. This could
happen if the user does not install KB873333 and only selects KB894391 to install from the updates list
shown, or manually installs KB894391 without installing KB873333 first. In this case, the next time
updates are run, the user will not be shown KB873333 as a required update, because the MS Update
Scanning Tool (including MS Baseline Analyzer) will assume KB873333 is installed if KB894391 is
installed, even if this is not true and the machine is still vulnerable.
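The masking case described above, shown as an added example that is not part of the Cisco guide: a Python audit that classifies hosts by checking KB873333 on its own and flags those where KB894391 alone would make a scanner report them as patched. The inventory format, host names and the filler ID KB0000001 are constructed, and scanner_view is a model of the inference the text attributes to the MS Update Scanning Tool, not that tool's code.

```python
import csv
import io

REQUIRED = "KB873333"   # security fix that must be present
FOLLOW_UP = "KB894391"  # DBCS display fix; does not replace REQUIRED

# Constructed inventory export (hypothetical format): host, OS, ';'-separated hotfix IDs.
SAMPLE_INVENTORY = """host,os,hotfixes
ws-001,XP Pro SP2,KB873333;KB894391;KB0000001
ws-002,XP Home SP2,KB894391;KB0000001
ws-003,XP Pro SP1,KB873333
ws-004,XP Pro SP2,kb0000001
"""

def parse_inventory(text):
    """Return {host: set of upper-cased hotfix IDs} from the CSV export."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        ids = {h.strip().upper() for h in row["hotfixes"].split(";") if h.strip()}
        hosts[row["host"].strip()] = ids
    return hosts

def scanner_view(installed):
    """Modelled inference: the follow-up fix is taken to imply the required one."""
    return REQUIRED in installed or FOLLOW_UP in installed

def independent_view(installed):
    """Check the required fix by its own ID, ignoring the follow-up fix."""
    return REQUIRED in installed

def audit(hosts):
    """Classify hosts; 'masked' = scanner_view says patched but REQUIRED is absent."""
    report = {"ok": [], "missing": [], "masked": []}
    for host, installed in sorted(hosts.items()):
        if independent_view(installed):
            report["ok"].append(host)
        elif scanner_view(installed):
            report["masked"].append(host)
        else:
            report["missing"].append(host)
    return report

if __name__ == "__main__":
    for status, names in audit(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{status:8} {', '.join(names) or '-'}")
```

Hosts in the "masked" bucket are the ones that would stop being offered KB873333 and so need the manual install described in the workaround.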
Workaround
Because of this potential vulnerability, Cisco does not intend to remove the update check for KB873333
from the Clean Access ruleset, and users should manually download and install KB873333 to protect
their machines. This can be done in one of two ways: