6 Replies Latest reply on Jan 27, 2017 3:08 AM by michael.odriscoll

    Patches not detected

    Rookie

      IT Security just ran a Nessus scan and gave me a list of missing patches. I scanned the servers for the missing patches, but they don't show as missing. When I run the Patch Status Detail report for the patches, they don't show the patches as installed or missing. The report does show the patches installed on other servers though. These are Server 2008 Standard with SP2. They were all recently upgraded from Server 2003, scanned for patches immediately after the upgrade, and all pertinent patches installed - except for the ones that won't detect. One of those missing patches is MS09-022 (Q961501). I've searched the registry for entries - nothing found.

       

      I have Shavlik Protect Standard 9.1.0 Build 4511 running on Server 2008 R2 with a SQL Server 2008 R2 database. The database is backed up nightly. Scans are all agent-less. I created a new scan template and made sure everything was selected for detection. I cleaned out the Shavlik server's log files. I removed scans over 1 year old.

       

      I ran Windows Update and noticed this entry in the log. I'm not sure what it means, but there were several entries like this for other updates as well. Maybe this has something to do with it?

       

      2015-11-03    13:11:53:168    1176    11c0    DtaStor    WARNING: Attempted to add URL http://download.windowsupdate.com/msdownload/update/software/secu/2009/05/windows6.0-kb961501-x86_341b84c9992dea97b9d82d684d6725863f45b0e7.msu for file NBuEyZkt6pe52C1oTWclhj9FsOc= when file has not been previously added to the datastore

       

      I shut down Windows Update and deleted C:\Windows\SoftwareDistribution, which is usually the solution to clear Windows Update problems. Re-scanned with Shavlik - no change. Re-scanned with Windows Update and got the same error as above.

       

      It's starting to sound like a Windows problem, but I can't tell for sure. Any help is appreciated.

        • 1. Re: Patches not detected
          Jonathan.JANVIER SupportEmployee

          Hello Dan

           

          When you are facing detection issues, if it is affecting more than one or two patches, it is probably because your Scan Template is not set up to look for these patches. Patches fall under different "types", and in your scan template you configure what types of patches you want to scan against: Security patches, Non-Security patches, Security Tools, etc.


          The first thing to do would be to identify one KB that is not detected, search for it in Protect (View > Patches) and see what the patch type of this specific KB is; that may lead you to the root cause of this.


          Also, if the scan template is configured properly, you may want to verify that these KBs have not been replaced/superseded, as we will scan only for the patch that supersedes the other patches and not for the old ones (by default; this can be changed if you are scanning against a specific patch group).

           

          Regards,

          Jonathan

          • 2. Re: Patches not detected
            Rookie

            As I stated in my post, I already created a new scan template with it configured to detect everything, and it still misses some patches.

             

            "I have Shavlik Protect Standard 9.1.0 Build 4511 running on Server 2008 R2 with a SQL Server 2008 R2 database. The database is backed up nightly. Scans are all agent-less. I created a new scan template and made sure everything was selected for detection. I cleaned out the Shavlik server's log files. I removed scans over 1 year old."

             

            The KBs have been verified as still being relevant. The KBs were detected and installed on other servers. I'm not sure why they are not detecting on these. They are older KBs (2009) and installed on these servers when they were Server 2003. Something isn't quite right either with the Shavlik detection, Nessus detection, or with the server. I'm not sure which at this point.

            • 3. Re: Patches not detected
              Jonathan.JANVIER SupportEmployee

              Hello

               

              Can you give me one or two KBs number so I can look them up for you ?

               

              Regards,

              Jonathan

              • 4. Re: Patches not detected
                Rookie

                These are the main ones:

                 

                MS09-022: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution

                MS09-032: Cumulative Security Update of ActiveX Kill Bits

                 

                Creating a new scan template in my original troubleshooting helped find some of the others, but these are the two I've been concentrating on because Security listed them as priorities.

                • 5. Re: Patches not detected
                  Jonathan.JANVIER SupportEmployee

                  Hello

                   

                  As stated in my first comment, it was likely these patches had been replaced. I have looked up MS09-022 and it has been replaced by MS12-054, so with a default scan we will not scan for MS09-022 but only for the latest one (please note that MS12-074 may have been replaced down the line as it is an old patch).


                  Here is more information on how superseded/replaced patches are handled in Shavlik Protect: https://community.shavlik.com/docs/DOC-2156

                   

                  If you need to scan for and deploy old patches that have been replaced, create a patch group, include the patches needed and then scan against this patch group.

                   

                  Regards,

                  Jonathan
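
                  The two questions this thread turns on are "what does the server itself record about KB961501?" (the registry search in the original post) and "which update now supersedes it?" (the explanation in reply 5). The following PowerShell script is an added example, not code from the thread, from Shavlik Protect or from Nessus. It is written for PowerShell 2.0 so it can run on the Server 2008 SP2 hosts described; the function names and the -CheckSupersession switch are this example's own, KB961501 is the KB quoted in the thread, and the supersession check is an assumption that the host can reach Windows Update or a WSUS server.

```powershell
# Added example (not from the thread, Shavlik or Nessus): run on the server a
# scanner calls "missing" to list every local trace of a KB, and optionally ask
# the Windows Update Agent which update now supersedes it. PowerShell 2.0 safe.
param(
    [string[]]$KB = @('961501'),   # KB961501 = MS09-022, the KB quoted in the thread
    [switch]$CheckSupersession     # assumption: WU/WSUS is reachable when this is set
)

function Get-KBEvidence {
    param([string]$Id)
    $hits = @()

    # 1. The QFE store, which is what Get-HotFix and "wmic qfe" read.
    foreach ($q in @(Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq "KB$Id" })) {
        $hits += "QFE: $($q.HotFixID) installed $($q.InstalledOn)"
    }

    # 2. Component Based Servicing packages (Vista/2008 and later). An applied
    #    .msu leaves a package key carrying the KB number; CurrentState 112 (0x70)
    #    is Installed and 80 (0x50) is Superseded.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
    foreach ($k in @(Get-ChildItem $cbs -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -like "*KB$Id*" })) {
        $state = (Get-ItemProperty $k.PSPath).CurrentState
        $hits += "CBS: $($k.PSChildName) CurrentState=$state"
    }

    # 3. Legacy hotfix uninstall entries, the form Server 2003 used before the
    #    in-place upgrade; these are what a plain registry search usually finds.
    $un = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in @(Get-ChildItem $un -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -like "*KB$Id*" })) {
        $hits += "Uninstall: $($k.PSChildName)"
    }

    # 4. Local Windows Update history (no network needed). ResultCode 2 = Succeeded.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $n = $searcher.GetTotalHistoryCount()
    if ($n -gt 0) {
        foreach ($h in @($searcher.QueryHistory(0, $n) | Where-Object { $_.Title -match "KB$Id\b" })) {
            $hits += "WU history: '$($h.Title)' result=$($h.ResultCode) on $($h.Date)"
        }
    }
    return $hits
}

function Get-SupersedingUpdates {
    # Ask the agent for every update it knows, superseded ones included, then
    # report which updates list the KB's UpdateID in their SupersededUpdateIDs.
    param([string]$Id)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.IncludePotentiallySupersededUpdates = $true   # default is $false: superseded updates are hidden
    $all = $searcher.Search("IsInstalled=0 or IsInstalled=1").Updates
    $target = @($all | Where-Object { @($_.KBArticleIDs) -contains $Id })
    if ($target.Count -eq 0) { return @("KB$Id is not in the catalog this agent can see") }
    $targetId = $target[0].Identity.UpdateID
    $out = @("KB$Id UpdateID=$targetId IsInstalled=$($target[0].IsInstalled)")
    foreach ($u in $all) {
        if (@($u.SupersededUpdateIDs) -contains $targetId) {
            $out += "  superseded by: $($u.Title) (KB$(@($u.KBArticleIDs) -join ', KB'))"
        }
    }
    return $out
}

foreach ($id in $KB) {
    $id = $id -replace '^KB', ''
    Write-Host "== KB$id on $env:COMPUTERNAME =="
    $evidence = Get-KBEvidence $id
    if ($evidence.Count -eq 0) { Write-Host "  no local trace of KB$id" }
    else { $evidence | ForEach-Object { Write-Host "  $_" } }
    if ($CheckSupersession) {
        try { Get-SupersedingUpdates $id | ForEach-Object { Write-Host "  $_" } }
        catch { Write-Host "  supersession check failed: $($_.Exception.Message)" }
    }
}
```

                  Run it as an administrator, e.g. `.\Check-KB.ps1 -KB 961501 -CheckSupersession`. If the first four sources are all empty, the binary the bulletin fixes is either unpatched or was replaced by a later cumulative package, which is exactly the case the supersession report distinguishes: a KB that the agent flags as superseded will not be offered by default, and a scanner configured to look only for the newest patch in a chain will report the same thing Protect did here.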

                  • 6. Re: Patches not detected
                    michael.odriscoll CommunityTeam

                    Discussion moved from Site Help to Shavlik Protect.