4 Replies Latest reply on Oct 7, 2014 12:37 PM by travisschuur

    Do you guys apply "Non-Security Patches and "Security Tools"?


      We just had a security audit.


      Auditing company told us we were at risk because we were missing a bunch of "patches."


      Upon inspection of the patches we are missing and they all seem to be considered Non-Security Patches or Security Tools. This makes sense because we only apply Security Patches (as categorized by Shalivk) right now.


      So, what do you guys do right now? Are you patching just for Security Patches or doing Non-Security Patches and Security Tools as well? Did you pass an audit like that?

        • 1. Re: Do you guys apply "Non-Security Patches and "Security Tools"?
          travisschuur SupportEmployee

          Shavlik does scan for "Non-Security Patches and "Security Tools",  the default WUScan includes security and non-security patches. If you would like to also scan for Security Tools you will need to create a scan template and include Security Tools in the filtering options of that scan. Here is also a link to an article that may help.


          Best Practice & Q/A - Using Security Tools




          • 2. Re: Do you guys apply "Non-Security Patches and "Security Tools"?

            While I appreciate the response from Shavlik on this, my goal was to get real world feedback from other admins who are handling patching for their organizations. I was wondering what they were doing in terms of patching strategy. Were they sticking with just Security Patches or applying anything (non-security and tools) that show up and are supported by Shavlik. I guess I didn't clarify that well enough.

            • 3. Re: Do you guys apply "Non-Security Patches and "Security Tools"?
              mpendleton Rookie

              This is how I install Full Updates in my environment. I first run one scan that does software deployment, Which insures I have Adobe Reader, Flash, Java, 7Zip, IE 10 and a few other programs on my systems. Software deployment only insures that at least the version I have selected is installed. If it is a newer version installed it doesn't care. Then later I run the Full Updates scan to install all patches to all of my programs across the board. The one thing you have to watch out for is that sometimes, Shavlik misses patches. Its best practice especially before an audit or once every quarter to go out to Microsoft Updates on each operating system in your environment and see if you have any missing patches.  If you find any, pass those along to Shavlik support and let them fix there XML data to detect for them across the board on your computers.


              In the template below you can see I have a patch group called skip updates...  It is very important to understand when installing Security tools that Shavlik goes above and beyond and throws in an uninstall for that security tool. You can see in the second screen shot that each Q number has a U after it indicating it is the uninstall version of that patch. If you do not set these uninstall patches to skip, Shavlik will scan once for them and find the security tool missing and install it, And in the second scan it will see it as installed and uninstall it. It is a vicious cycle and I'm not fond of how Shavlik does this but I do applaud them for giving us the option to uninstall some patches. Your Skip list may vary as you may have other patches that don't agree with your software. You will have to tweak that yourself but in my business which is a bank, we install all patches across the board as soon as they are released.



              Full Updates.jpgSkip Updates.jpg

              1 of 1 people found this helpful