Video Screencast Help

Patch management - Office? / Office Viewers?

Created: 01 Oct 2010 | 6 comments

Is Patch management supposed to detect out of date Office products?

 

I have PCs that have had the 2007 viewers installed, yet not receive any of the updates for the MS office products at all.

 

They show up as being out of compliance using Nessus, so something is up!

 

My initial thought is that maybe the PC is required to have Microsoft Update before it can detect the Microsoft products?  (Windows update being the default unless you go out of your way and install Microsoft update on the PCs from the link at windows update)

 

Comments 6 CommentsJump to latest comment

jharings's picture

Update in order to use Altiris Patch Management. Rather than group all your issues into a big lump, and say that office updates aren't working, take a look at what you do have, what Nessus says is not installed, and see if there are actual matching patches from Microsoft.

It does also matter what patches you are installing via Altiris (at least for compliance purposes).

Give use some info\examples of what you have, what you think needs to be on the systems, and what Altiris says.

Jim Harings
HP Enterprise Services
1st Rule of Connect Club: Mark the post that helped you the most as a 'solution'. 2nd Rule of Connect Club:You must talk about Connect club.

Thomas Baird's picture

Do you know in what way they are out of compliance?  I'm assuming they have the SMP and Patch agents, right?  Have they received other patches?  Have you staged the patches you feel they are out of compliance with?  Have you made policies for those patches?  Are they simply missing some systems or all systems?  Have you checked to see if they show up in their policy configuration to be in the filters that should receive those patches?

I think there are some general patch troubleshooting guides in the KB - you might start there.  Basically, as you can see from the questions I just posed, there are actually a wide variety of reasons for what you are seeing.

There is another 2 possible reasons not listed above, but until you rule out the ones above, the next too are, generally, moot.  One, Nessus may be wrong (yes, it does happen) and two, we may be wrong (also happens).  In the former of the two, there's little we can do about it.  In the latter, you'll have to rule out the above options first, and then show us how our rules were incorrect compared to Nessus, or something like that.  I know there are KB's about looking at the evaluation rules.

Anyway, that's a start.  Let us know what you need from here.

Thanks!

Thomas Baird
Private Consultant & open to full-time opportunities.
That means I CAN help beyond the forum (directly).

 

chris.vanderlinden's picture

I'm working on getting the data, but this is what I have experienced:

PC gets a job deployed that installs the base MS Visio / Excel /powerpoint /word viewers.

I've let the PC sit there for a few days to get patch management, and it has no problem seeing the patch policies that are already applied (has about 20 that show as "installed by user" for example).

However I will go to the windows update page, and click on the link at the right to "Upgrade to using Microsoft Update" (which scans not only the OS but also the MS office products).

It will then list about 15-20 patches missing for all of the viewers.  Most are visio viewer 2007 SP2, Powerpoint viewer 2007 SP2, maybe a few office2007 KBs as well that are needed too.

 

None of these show up when taking a look at the compliance reports for those station(s).

 

Again, I will try to get some screenshots of everything I am seeing.

jharings's picture

 are not considered security patches, and as such won't be available in Altiris. If you had a list of patches you expected to be applied and can see that they are available in Altiris, but aren't being applied or considered for these clients, then you might have either an inventory rule problem, or a reporting problem from the client.

To reiterate just because one tool marks a system as vulnerable, and another does not, doesn't make one tool wrong or smarter than the other. You need to find an 'apple' and compare it to an 'apple'. I mean, Nessus says MS10-055 (kbxxxxx) is missing, but Altiris says it's applied.

Jim Harings
HP Enterprise Services
1st Rule of Connect Club: Mark the post that helped you the most as a 'solution'. 2nd Rule of Connect Club:You must talk about Connect club.

Thomas Baird's picture

Before you post up screen shots of the two products, tell us specifically what patches are missing per Nessus. 

Thomas Baird
Private Consultant & open to full-time opportunities.
That means I CAN help beyond the forum (directly).