Can you blacklist a patch in PM?

Created: 18 Dec 2013 • Updated: 19 Dec 2013 | 3 comments
This issue has been solved. See solution.

I've been looking and haven't seemed to find a way to blacklist an update so it never gets installed... Is there a built-in way or has anyone done anything like this?

Our company's custom application has specific .Net requirements and usually takes a month or so for Development and A&T to fully test any and all .Net updates. A SysAdmin accidentally included a .Net update in a policy and patched prod this past weekend which caused tons of issues and loss of revenue.

Questions:
1. Is there a way to "blacklist" an update in PM to ensure it never gets included in a policy? Then whitelist the patch once fully tested...
2. Once a PMImport is done is there a way to delete an update and the update metadata so it doesn't even show up as available for download, distribution, or compliant/not compliant. Then re-run the PMImport once the update is fully tested... This could be set up as a SQL script to run once a month after the scheduled PMImport is done, or weekly to remove the update.
3. Is there a way to modify the detection rule of an update so it shows "not applicable" when creating policies? Then could be put back once the update has been tested and approved to show as applicable and "not compliant"...

Seems that once a patch is downloaded you can "disable" the patch then purge to delete it, but it still shows up in the PM compliance reports and can easily / accidentally be downloaded and distributed in a policy again.

I know you can blacklist software, would like to see the same feature for Patch Management. I have been tasked by management to remove the 'human error' factor when creating patch policies, that's almost impossible but I'm just looking to mitigate it at least.

I understand all these scenarios I mentioned would skew the overall Altiris PM compliance reports, but we have our own compliance, risk assessment and acceptance of risk to never install certain updates. The built-in compliance reports are pretty useless to us anyway since to us, a server can be fully patched 100% with all "approved" updates, yet they all show 96% compliant in Altiris because there will always be those 6 updates that we can NEVER install...

Thanks in advance,

Johnnie Brambora

Patch does not have anything that allows you to blacklist updates, or edit detection rules. Our development team will edit detection rules if need be, but it cannot be done manually.

One method of removing a patch from the Patch Remediation Center is unchecking the vendor from the vendor list, and leaving "delete previous..." checked when running a PMImport. This will remove them out of the patch remediation center, but will also remove the entire piece of software from patching, so it's not an option for software you're planning on patching. 

SOLUTION
andrew.novak

Thanks Johnnie,
That's what I assumed, just needed a verification. I may just have to set up some SQL hoodoo.

Query all policies, for each policy if update 'xyz' exists, alert. Today I already started looking into a custom compliance report, I cloned the PM SPROC, can't remember the SPROC name off the top of my head, and did some editing to get results that are more applicable and tailored to our company. If & when I get it fully working, I'll post for anyone else that may want to do something similar in 7.5. I saw there are similar ones already posted for 7.1 but don't work in 7.5.

Thanks again.
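The "query all policies, alert if a blocked update is present" idea above, sketched as a T-SQL example. This is an added example and not code from the thread or from Symantec/Altiris: the table names `Custom_PatchBlacklist` and `Custom_PolicyBulletin`, their columns, and the `EXAMPLE-*` bulletin ids are all hypothetical stand-ins, and the second table in particular must be replaced with a join against the real Patch Management schema before this is of any use. The blacklist row carries an `ApprovedOn` date, so "whitelisting" a tested update is just filling that column in rather than deleting the row, which keeps an audit trail of why it was blocked.

```sql
-- Added example; not from the thread or from the Altiris product.
-- All table and column names are hypothetical stand-ins.

-- 1. Blacklist: a bulletin stays blocked until ApprovedOn is filled in.
CREATE TABLE Custom_PatchBlacklist (
    Bulletin    NVARCHAR(64)  NOT NULL PRIMARY KEY,   -- vendor bulletin id
    Reason      NVARCHAR(256) NOT NULL,               -- why it is blocked
    AddedOn     DATETIME      NOT NULL DEFAULT GETDATE(),
    ApprovedOn  DATETIME      NULL                    -- set when A&T signs off
);

-- 2. Stand-in for "which enabled policies contain which bulletins".
--    In a real deployment this would be a view over the PM tables.
CREATE TABLE Custom_PolicyBulletin (
    PolicyName    NVARCHAR(128) NOT NULL,
    Bulletin      NVARCHAR(64)  NOT NULL,
    PolicyEnabled BIT           NOT NULL
);

-- Constructed sample data (not real bulletin ids).
INSERT INTO Custom_PatchBlacklist (Bulletin, Reason) VALUES
  (N'EXAMPLE-DOTNET-001', N'.Net update pending Development/A&T test'),
  (N'EXAMPLE-DOTNET-002', N'.Net update pending Development/A&T test');

-- "Whitelist" step once testing is complete: approve, do not delete.
UPDATE Custom_PatchBlacklist
   SET ApprovedOn = GETDATE()
 WHERE Bulletin = N'EXAMPLE-DOTNET-002';

INSERT INTO Custom_PolicyBulletin (PolicyName, Bulletin, PolicyEnabled) VALUES
  (N'Prod Servers - Weekly', N'EXAMPLE-DOTNET-001', 1),  -- blocked, enabled: alert
  (N'Prod Servers - Weekly', N'EXAMPLE-DOTNET-002', 1),  -- approved: no alert
  (N'Prod Servers - Weekly', N'EXAMPLE-OS-010',     1),  -- never blocked: no alert
  (N'Retired Policy',        N'EXAMPLE-DOTNET-001', 0);  -- disabled: no alert

-- 3. Alert query: enabled policies that still include a blocked bulletin.
--    Schedule this (e.g. as a SQL Agent job) after each PMImport and
--    raise an alert whenever it returns any rows.
SELECT pb.PolicyName, pb.Bulletin, bl.Reason, bl.AddedOn
  FROM Custom_PolicyBulletin  pb
  JOIN Custom_PatchBlacklist  bl ON bl.Bulletin = pb.Bulletin
 WHERE pb.PolicyEnabled = 1
   AND bl.ApprovedOn IS NULL
 ORDER BY pb.PolicyName, pb.Bulletin;
```

With the sample data only the `Prod Servers - Weekly` / `EXAMPLE-DOTNET-001` pairing comes back: the approved bulletin, the unrelated bulletin and the disabled policy are all filtered out. Because the check runs against the policy contents rather than the update catalog, it does not disturb the built-in compliance reports; it only catches the "human error" case of a blocked update being added to an active policy.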

HighTower

While it's not a blacklist I do use a custom severity to flag bulletins we can't/won't deploy.