3 Replies Latest reply on May 5, 2017 6:33 AM by cwinning

    Up to date patches vs what actually needs to be deployed

    FNB Rookie

      A couple of questions:

      1. In the Shavlik Protect console I am showing that the patches needed on my network are under 200 that need to be installed but I have found over 500 that still need to be installed in the patch listing. Why am I not seeing the same results in both locations?

      2. How long does Shavlik Protect keep patches in the database before they fall off so they do not show up as needing to be installed?

        • 1. Re: Up to date patches vs what actually needs to be deployed
          cwinning CommunityTeam

          Hello,


          1. The first question is difficult to answer without knowing your Protect console configurations. What I can tell you is that, by default, Protect will show the patches required on the target for it to be considered fully patched. Many patches and service patches are replaced by newer patches. Protect typically shows the latest in the supersedence chain.
            • Is Patch Supersedence enabled? Check this in Tools > Options > Scans > Use replacement patches (should be enabled).
            • Are the target machines at the same service pack and patch level?
            • Are you scanning the same machines? The same number of machines? The same OS's?
            • Are you using the same Scan Template and possibly Patch Group settings?


          2. Removing patches from our content data is never done and is never needed.

            • There are some instances where patches released 5+ years ago have never been replaced by newer patches or service packs.
            • For patches replaced by newer patches, the old patches would never show as missing since our detection logic only shows the latest patches required on the machine.
            • There are many other logic rules and caveats here.


          Let me know if you have more questions.


          Thanks,

          Charles
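An added illustration of the supersedence behaviour described in the reply above (my own constructed example, not Shavlik Protect code and not its real detection logic; the patch ids and hosts are made up): a flat listing counts every absent patch, while a supersedence-aware scan reports only the newest patch of each replacement chain, so the two counts differ even on the same machine.

```python
"""Constructed example: flat patch listing vs supersedence-aware detection."""

# Constructed sample content data: patch -> patch it replaces (None = first
# in its chain). Identifiers are made up, not real KB or bulletin numbers.
CONTENT = {
    "P-A1": None, "P-A2": "P-A1", "P-A3": "P-A2",   # chain A, three revisions
    "P-B1": None, "P-B2": "P-B1",                   # chain B, two revisions
    "P-C1": None,                                   # old patch never replaced
}

def newest_in_chains(content):
    """Patches that nothing else replaces: the head of each supersedence chain."""
    replaced = {old for old in content.values() if old is not None}
    return {p for p in content if p not in replaced}

def missing_flat(content, installed):
    """Every non-installed patch in the content: the 'patch listing' view."""
    return sorted(p for p in content if p not in installed)

def missing_supersedence(content, installed):
    """Only the newest patch of each chain, and only when that newest patch is
    not installed. Replaced (older) patches never appear, even if absent."""
    return sorted(p for p in newest_in_chains(content) if p not in installed)

# Constructed hosts: a fresh build, and one that received an older revision of
# chain A (so P-A3 is still required for it, but P-A1 and P-A2 never show).
MACHINES = {
    "host-fresh": set(),
    "host-partial": {"P-A2", "P-B2"},
}

def compare(content, machines):
    """Return {host: (flat_count, supersedence_count, supersedence_list)}."""
    return {
        host: (len(missing_flat(content, inst)),
               len(missing_supersedence(content, inst)),
               missing_supersedence(content, inst))
        for host, inst in machines.items()
    }

if __name__ == "__main__":
    for host, (flat, eff, lst) in compare(CONTENT, MACHINES).items():
        print(f"{host}: listing shows {flat} missing, scan reports {eff}: {lst}")
```

Note that P-C1, the chain with no replacement, keeps appearing as missing however old it is, which is the "5+ years ago" case mentioned above.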

          • 2. Re: Up to date patches vs what actually needs to be deployed
            FNB Rookie
            • Is Patch Supersedence enabled, check this in Tools > Options > Scans > Use replacement patches (should be enabled)
              • Yes
            • Are the target machines at the same service pack and patch level?
              • According to the reports in Shavlik they are, but if I select each machine individually they are not.
            • Are you scanning the same machines?  The same number of machines? The same OS's?
              • Yes, yes and yes.
            • Are you using the same Scan Template and possibly Patch Group settings?
              • Yes, the default patch scan template.


            • For patches replaced by newer patches, the old patches would never show as missing since our detection logic only shows the latest patches required on the machine.
              • Then how can I be 100% sure that all my machines are fully patched if Shavlik does not show a security patch that should be applied?
            • 3. Re: Up to date patches vs what actually needs to be deployed
              cwinning CommunityTeam

              Hello,


              "Then how can I be 100% sure that all my machines are fully patched if Shavlik does not show a security patch that should be applied?"

              I obviously didn't explain this very well, sorry. The point is that Protect only shows patches that are required based on the current state of the target. You scan, and patches that need to be (and can be) installed are detected as missing. Our detection logic is quite good at this.


              Are you using the same content data for both Protect consoles?  Help > About will tell you what version of the Windows Patch Definitions you are using.

              If the answer is yes, then I would suggest opening a case with Support so you can provide logs showing the difference between 2 specific machines.  They could even initiate a WebEx to take a look at your Protect consoles.


              To save time, you may want to provide this when opening the case. Perform this on both Protect consoles; we will need logs from both.


              • Locate a specific machine, the same machine, on both Protect consoles, that shows different results.
              • Enable All logging and Diagnostic Patch Scanning logging in Tools > Options > Logging.
              • Set up a new Machine Group and include this machine.
              • Close Protect and stop the Shavlik Protect console server.
              • Delete the logs from C:\ProgramData\LANDESK\Shavlik Protect\Logs (skip the logs you cannot delete).
              • Start the service and open Protect.
              • Perform a scan against the machine from the new Machine Group using the Security Patch Scan.
              • Wait for the scan to complete and then view the scan results (click the number 6 link in the operations monitor).
                • Take a screenshot of the results.
              • Wait for it to complete and then zip the C:\ProgramData\LANDESK\Shavlik Protect\Logs folder.


              We will need logs and screenshots from both Protect consoles. This can also be performed live over a WebEx with Support.


              Let me know if you have any questions.


              Thanks,

              Charles