
How do the detection rules work?

Created: 23 Jan 2013 | 10 comments
nessaja's picture

Hi,

How can I check the detection rule and the applicability rule for Patch Management?

I would like to know how Patch Management can determine whether a patch is applicable or not.
I have some trouble with Firefox updates.

Thanks


andykn101's picture

Since Patch Management 7.1 SP Symantec moved to an external rule provider and stopped using built-in Inventory Rules. AFAIK the new rules can't be examined easily.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

Roman Vassiljev's picture

Hello nessaja,

Do you use Patch Management 7.1SP1 or newer? If yes, there are no applicability rules as there were before.

But you may check the assessment scan's detailed log directly on the affected client. The log is usually stored at "C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache\STPatchAssessment.xml"
This log shows applicable updates and sometimes may clarify why an update is detected as missing.

Thanks,
Roman

nessaja's picture

Good Morning everybody,
I've already reviewed the STPatchAssessment.xml and the STPatchAssessment.log file. There is only some poor information about the detection, and it takes a long time to figure out what the reason is and so on.
What a mess.
Is there no easier way to find out how the detection / applicability rules are working?

Roman Vassiljev's picture

Hi,

Unfortunately not. Rules information is not visible in the UI or database, so we can see only the output log and XML.
What kind of issue are you observing with Firefox updates?

Thanks,
Roman

nessaja's picture

Hi Roman,

We have the problem with the update FFE13-10012.

That's the update for Firefox ESR 10.0.12.

Most of our computers have the ESR 10.0.11 or 10.0.10 version installed. But in the compliance report for FFE13-10012 all of these clients are not applicable for this patch.
That's the reason why I'm looking for the detection and applicability rules.

Roman Vassiljev's picture

Hi nessaja,

STPatchAssessment.xml shows the list of supported products that were detected as installed during the last assessment scan.
Does the assessment scan detect that Firefox 10.0.10 or 10.0.11 is installed on those machines?

Could you please attach STPatchAssessment.xml and STPatchAssessment.log from any of the affected machines?

Thanks,
Roman 

nessaja's picture

Hi Roman,

I've tested Firefox (with a test client) and it works for now. I will try to find another computer with the Firefox issue.
Another problem is the APSB13-01 patch (Flash Player).
The installlog.csv shows "Succeeded". In the STPatchAssessment.xml file, the patch is missing.
In the update agent the policy has turned red and shows "failed" because the update agent tried to install the Flash Player 4 times.

Do you have an idea what the problem is? I think it depends on the detection rules.
The STPatchAssessment.log file shows now detection rule.

Thanks

Attachment: Desktop.7z (58.24 KB)

Roman Vassiljev's picture

Hi nessaja,

I have not managed to reproduce the issue with Adobe Flash Player from APSB13-01...
Could you please check what version of Adobe Flash Player is actually installed on the affected machine (from Add/Remove Programs)?
Is it working correctly?

Thanks,
Roman

nessaja's picture

Hi,
Yes, the Adobe Flash Player 10 ActiveX is installed with the version 10.3.183.48.

Roman Vassiljev's picture

Hi nessaja,

Could you please check the installation package for Adobe Flash Player 10 Active X (install_flash_player_10_active_x.msi) from APSB13-01:
1. Open the SWU policy that includes install_flash_player_10_active_x.msi from APSB13-01.
2. Open the Advance tab and click on Package for update 'install_flash_player_active_x10318350.msi'. (Please see attached screenshot.)
3. Navigate to the Package tab and open the package location folder. (Please see attached screenshot.)
4. Check the properties of install_flash_player_10_active_x.msi.
If the ‘Content created’ field in the Details tab of the file Properties is 11/27/2012, then the installation file is obsolete and installs Adobe Flash Player 10.3.183.48 (instead of 10.3.183.50).
This is a known issue that occurs if the download URL, update name and file size are identical to a previously downloaded update. Probably this issue will be resolved in future releases.

If installation file is obsolete in your case, please try the following workaround (similar to workaround described in https://www-secure.symantec.com/connect/forums/patch-management-flash-update-apsb12-05):

1. Physically delete this update file in APSB13-01 bulletin: ...\updates location\APSB13-01\{7562a82a-8c80-4ec1-bfd2-8f2c73907762}\install_flash_player_10_active_x.msi

2. Physically delete update file in APSB12-27 bulletin: ...\updates location\APSB12-27\{0de399c5-3e54-4c32-b5ad-b97298845155}\install_flash_player_10_active_x.msi

3. Recreate Packages for APSB13-01 and APSB12-27 bulletins. (Go to Patch Remediation Center, locate APSB12-27 & APSB13-01 bulletins, select Right Click -> Recreate Packages)

4. Check that the file is updated in the ...\updates location\APSB13-01\{7562a82a-8c80-4ec1-bfd2-8f2c73907762}\ directory. The ‘Content created’ field should be 12/11/2012.

5. Re-Run Installation Cycle on Clients.

Thanks,
Roman
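
The check in the post above, scripted as an added example (not part of Roman's post and not Symantec tooling): it reads the size, MSI creation time and SHA-256 of the cached installer in both bulletin folders and flags the case where they hold the same file. Assumptions: `$UpdatesRoot` stands in for the elided "...\updates location" path, Explorer's 'Content created' corresponds to the MSI summary-information Create Time (PID 12), the stale APSB13-01 file is byte-identical to the APSB12-27 one, and PowerShell 4 or later is available for `Get-FileHash`.

```powershell
# Added example: compares the cached Flash installers of the two bulletins.
# $UpdatesRoot is a placeholder for the elided "...\updates location" path.
function Get-MsiCreateTime {
    param([Parameter(Mandatory)][string]$Path)
    # Read the MSI summary-information stream; PID 12 is Create Time/Date
    # (assumed to be what Explorer shows as 'Content created').
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $summary = $installer.GetType().InvokeMember(
        'SummaryInformation', 'GetProperty', $null, $installer, @($Path, 0))
    $summary.GetType().InvokeMember('Property', 'GetProperty', $null, $summary, @(12))
}

function Test-StaleUpdatePackage {
    param(
        [Parameter(Mandatory)][string]$UpdatesRoot,
        [string]$FileName = 'install_flash_player_10_active_x.msi'
    )
    # Bulletin folders and GUIDs exactly as quoted in the workaround.
    $folders = [ordered]@{
        'APSB12-27' = '{0de399c5-3e54-4c32-b5ad-b97298845155}'
        'APSB13-01' = '{7562a82a-8c80-4ec1-bfd2-8f2c73907762}'
    }
    $rows = @(foreach ($bulletin in $folders.Keys) {
        $dir  = Join-Path (Join-Path $UpdatesRoot $bulletin) $folders[$bulletin]
        $path = Join-Path $dir $FileName
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "${bulletin}: file not found at $path"
            continue
        }
        [pscustomobject]@{
            Bulletin       = $bulletin
            Length         = (Get-Item -LiteralPath $path).Length
            ContentCreated = Get-MsiCreateTime -Path $path
            SHA256         = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    })
    $rows | Format-Table -AutoSize | Out-Host
    # Same hash in both folders: the newer bulletin was filled with the older
    # file (per the post, created 11/27/2012 instead of 12/11/2012).
    if ($rows.Count -eq 2 -and $rows[0].SHA256 -eq $rows[1].SHA256) {
        Write-Warning 'Both bulletins hold the same file: APSB13-01 package is stale.'
        return $true
    }
    return $false
}

# Example call (the path is a placeholder, not from the thread):
# Test-StaleUpdatePackage -UpdatesRoot 'D:\PatchUpdates'
```

Run it before the workaround and again after "Recreate Packages"; it should return `$false` once the two folders hold different files.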