Patch Management does not provide an update that a 3rd-party tool lists as vulnerable.

Article ID: 157240

Products

Patch Management Solution for Windows

Issue/Introduction

Patch Management compliance does not match what Windows Update, MBSA, WSUS, or another 3rd-party tool lists as vulnerable. The same applies to YUM and other tools used for patching Linux.

Cause

Patch Management 7.5.x through 8.x does not support all Software Updates and does not support Software Upgrades, because the current logic of the product is mainly directed towards managing Security Updates.

Patch Management Solution is limited to the list shown under Import Patch Data for Windows > Vendors and Software, documented in HOWTO79563. This list contains all of the vendors and software supported by the product and is regularly updated.

  • Advisory: This list is populated by the Patch Management Development Team. There is no process for adding a Vendor or Software to this list, because the IsApplicable Rule logic is targeted per this list and hard-coded into the Assessment Scan files. If additional Vendors or Software need to be deployed, please use the Manage Software Delivery Solution.


The following Software Update types are generally not supported:

  • Advisory / Informational Updates
    • Note: These updates are often provided in 'MSYY-A##' Bulletins (Example: MS12-A05)
      • Highlight the 'MSYY-A##' Bulletin in the Patch Remediation Center (PRC) and select 'List Software Updates' from the menu.
    • Advisory Updates do not necessarily have a KB Update Package, so they are often listed by their file name in the PRC (Example: rvkroots.exe)
    • Google the Update and review the link from Microsoft (Example: http://support.microsoft.com/kb/)
      • Compare that file download with the listing from any recent 'MSYY-A##' Bulletin
    • Note: sometimes an Advisory cannot be implemented. Please view KM: HOWTO10433.
       
  • Hot Fix, Fix-IT, or other update types, which require End User License Agreement acceptance prior to download
     
  • Third Party Updates (provided by Microsoft as a courtesy)
     
  • Software Distribution Patches, Language Packs or Software Updates that require special configurations, user interaction or credentials
    • Example: KB3114403: Only applies to systems running specific configurations of Microsoft Office 2010. These configurations are outside the abilities of targeting for Patch Management Solution.
    • Example: KB2734642
      • This particular update requires an End User License Agreement (EULA) acceptance and an email submission to Microsoft in order to download the package
      • Software Delivery Solution may be utilized for deploying these updates as they can be specifically scripted for installation within an environment
    • Drivers & Firmware; operating system updates and updates for specific software versions.
       
  • Windows 10 Feature Packs: INFO3298 - Link provides a workaround process to deploy via Software Management.
     
  • Compatibility Updates: Updates for checking OS upgrade compatibility, because they do not have public download access for the Software Update Package

Additionally, patching for Linux is currently managed via a Server-side Targeting Resolution on the SMP Server.

Resolution

Advisory: First check the vendor's release date for the desired update. It may have been released only within the last day or so, and Patch Management's goal is to include updates in the .cab file release within 24 hours for the English versions (Note: These releases generally fall on Wednesday/Friday of each week).

Additionally, if the requested Software Update is not present and does not fall into the unsupported update types outlined above, review the Software Update Request with Patch Management Backline to have it reviewed for distribution.

Confirm the Software Update is not already managed by working through the following steps:

1. Ensure the update is not listed in the Patch Remediation Center

  • Go to the 'Show:' drop down in the upper left
    • Ensure that it is targeting 'All Software Updates' in the drop down.
    • Click on the refresh icon to the immediate right of the 'Show' dropdown
    • Search for the update number only. The search is case sensitive, so an update listed in lowercase can fail to display if the search field is populated with uppercase (e.g. kb or KB).

  • Secondary Method for finding listed updates: 
    • Go to the Patch Remediation Center
      • Highlight any Bulletin
      • Right-click > List Software Updates
      • Click on the 'List Software Updates' link in the section above the title of the page:
      • This will open a listing of ALL software updates
        • Note: this may take a long time to open in slower environments
  • Review the Bulletin acronyms outlined on KM: HOWTO59203
  • Note that updates provided by Patch Management will not be listed by these methods if the necessary vendor, software, operating system, or language categories have been disabled in the Import Patch Data (PMImport) task.

2. Search the Knowledge Management site for the individual update's KB number or Bulletin Number; it will be listed in the release notes for the respective release of Patch Management.

3. If you have access to Microsoft SQL Server Management Studio, run the following against the Symantec_CMDB database (default name):

select * from Inv_Software_Update
where FileName like '%UPDATENAME%'
--e.g. KB123456

4. If the Software Update is unmanageable: An alternative solution is to create a custom software delivery package and task to deploy the software update. Do this if you can't wait for the update to be included in the next PMImport or if your update is only needed for your environment and is not appropriate to be included in the PMImport catalog that others will receive.

  • First go to the software provider's website and manually download the desired update's installation files. Then follow http://www.symantec.com/docs/HOWTO30256 to create a software package with the update files and deploy it via a managed software delivery task.
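The single-update query in step 3 can be extended to reconcile a whole list of KB numbers from a third-party scanner in one pass. The following T-SQL is an added example, not vendor code; it uses only the Inv_Software_Update table and FileName column shown above, and the KB values in the sample list are constructed (two are taken from the examples in this article, one is the placeholder from step 3).

```sql
-- Added example (not vendor code). Run in SSMS against the CMDB.
USE Symantec_CMDB;  -- default database name per step 3; adjust if renamed

-- Constructed sample input: KB numbers a third-party scanner reported.
DECLARE @Reported TABLE (Kb nvarchar(20) NOT NULL PRIMARY KEY);
INSERT INTO @Reported (Kb)
VALUES (N'KB3114403'), (N'KB2734642'), (N'kb123456');

SELECT r.Kb,
       COUNT(u.FileName) AS MatchingFiles,
       CASE WHEN COUNT(u.FileName) > 0
            THEN 'listed in Inv_Software_Update'
            ELSE 'not listed'
       END AS Status
FROM @Reported AS r
LEFT JOIN Inv_Software_Update AS u
       -- Explicit case-insensitive collation so kb/KB both match,
       -- whatever the database default collation is.
       ON  u.FileName COLLATE Latin1_General_CI_AS
               LIKE N'%' + r.Kb + N'%'
       -- Reject longer KB numbers that merely begin with the same digits
       -- (e.g. KB1234567 when looking for KB123456).
       AND u.FileName COLLATE Latin1_General_CI_AS
               NOT LIKE N'%' + r.Kb + N'[0-9]%'
GROUP BY r.Kb
ORDER BY r.Kb;
```

Rows reported as 'not listed' are the ones to check against the unsupported update types above, and against the categories disabled in the Import Patch Data (PMImport) task, before treating them as a coverage gap.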

Advisory: the Linux 'Server-side Targeting Resolution' is currently being reviewed for enhancement as outlined on INFO3650. Please subscribe to that article to receive notifications when the product is updated with the 'Client-side Targeting Resolution'.
