
Patch (NS7) sees vulnerabilities from hundreds of old bulletins


  • 1.  Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 15, 2010 11:32 AM

    I am running Patch Management in a NS 7 environment.  It is pretty much an out of box setup.  Patch Management sees almost 100,000 vulnerabilities from 800 bulletins.  The bulletins range in age from 1999-present.  Most of the bulletins have not been staged.

    When I run Windows Update from a sampling of workstations, they are up to date.  Yet, Patch shows that those workstations are vulnerable.  The workstations have the software update agent installed.

    The superseded bulletin report shows over 300 superseded bulletins.  How do I resolve this and get accurate vulnerability reports?  Thanks for your input.



  • 2.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 15, 2010 12:47 PM

     

    Can you please attach a screenshot from one of the reports where you see almost 100 000 vulnerabilities (preferably compliance report)? And another screenshot from Superseded bulletins report with "Superseded" filter applied?

     

    Thanks,

    Robert



  • 3.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 15, 2010 02:23 PM

    I see the same thing.  I know we are not patched very well but this is way beyond accurate.  We have a few hundred computers with agents so far and all are running Inventory from what I can tell.

     



  • 4.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 16, 2010 02:10 AM

    This screenshot shows vulnerabilities by update from 1999 until today. Please see the Microsoft Compliance report by Bulletin (Update) to view vulnerabilities limited to the period from one year ago until now. If you need to, you can choose the correct date to start from. Also, the Compliance report doesn't show superseded bulletins.
     



  • 5.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 16, 2010 09:52 AM

    Ok, I attached some screen shots to this post.

    You will see that most of the bulletins and related vulnerabilities are old.  However, simply changing the report dates is not a solution.  Shouldn't Altiris know if updates are required and then installed or not?  Also, why does Altiris differ from Windows updates?

    Thanks for your help!



  • 6.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 17, 2010 03:53 AM

    I see that all the attached screenshots look correct.

    When the update is installed, an event is sent from the Altiris agent on the client to the Notification Server, and the next vulnerability policy is triggered (by default it is 4 hours) to verify the vulnerability of each client, and the report will be updated accordingly. The vulnerability rule is triggered at different times on each client, as the SWU agent was installed.

    The Altiris Patch Data information shows security vulnerabilities for the software of each client.



  • 7.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 17, 2010 01:04 PM

    The screenshots cannot be correct.  They may reflect the Altiris data correctly but then the Altiris data is inaccurate.  How can XP clients require updates from prior to the release of Windows XP?  How can my machines previously patched through BigFix/Windows Update not have bulletins/updates installed?  The screenshots below show that Altiris sees required updates that do not agree with Windows updates.

    I agree that the vulnerabilities are being updated by the SWU agent.  But it doesn't look like the agent is detecting required/installed/not installed updates correctly on the clients.



  • 8.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 17, 2010 01:21 PM

    On the first screen you have some x86 updates, but on the second screen you have vulnerable updates for the x64 system... What's shown in the compliance by computer report for the proper client from the screen 2?

    Thanks,

    Robert



  • 9.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 17, 2010 02:15 PM

    This particular client is Vista 64-bit; however, some applications were installed as x86-based applications.

    Requested screen shots are attached.  Thanks again!



  • 10.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 17, 2010 02:35 PM

    Do you have the "Provide Microsoft updates..." option enabled for the Windows Update utility on the Vista client? Because the updates that are marked as vulnerable for that client are mostly Office updates, which are not shown in Windows Update by default:

    While Windows Update provides you with updates specifically for Windows, Microsoft Update expands the service to download and install updates for other Microsoft software, such as Microsoft Office and Windows Live. Automatic updating is a feature that allows you to set your PC to automatically download and install updates using either service, making it easy and convenient for you to keep your Windows PC current.

    http://www.microsoft.com/windows/downloads/windowsupdate/faq.mspx

     

    Thanks,

    Robert



  • 11.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 17, 2010 03:05 PM

    No, it is not enabled on this client.  Only Windows updates are being installed.



  • 12.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 17, 2010 03:17 PM

    Is an XP showing applicable to almost all updates?

     

    IE: server OS's



  • 13.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 17, 2010 04:16 PM

    and then compare the output, patch management solution provides some office security updates as well, while windows update (by default) only provides updates for the OS itself.

     

    Regards,

    Robert



  • 14.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 18, 2010 10:57 AM

    Ok, enabling the Microsoft Update option helped with a very small amount of updates.  However, Microsoft Update still states that my clients are up to date and Altiris disagrees.  Altiris is looking at older updates.  They are older but still newer than the latest service pack released.  The attached image shows several updates that Altiris wants to roll out to Windows 2003 servers.  Also notice that these are OS related updates.

    Another note...if we look at KB940349 for example, it updates many dll files.  One for example is eventcls.dll.  It updates to version 5.2.3790.3002, see attached image.  But when I look at that dll on the server, it is version 5.2.3790.3959 and I believe was part of SP2. 



  • 15.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Nov 19, 2010 11:16 AM

    This may be normal Altiris behavior.



  • 16.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins
    Best Answer

    Posted Nov 24, 2010 04:03 PM

    Symantec case confirms that this is the design of Altiris.  This behavior changes in 7.1 due to customer complaints.



  • 17.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Dec 02, 2010 07:36 AM

    Regarding KB940349: Patch Solution is correctly showing the update KB940349 as required on the box in question. The box in question is Win2k3 SP2, so the file concerned (eventcls.dll) should be at version 5.2.3790.4143, whereas the customer's box is at version 5.2.3790.3959. (The customer is wrongly looking for version 5.2.3790.3002, which is the required version for a patched Win2k3 SP1 box, http://support.microsoft.com/?kbid=940349 ) [In our inventory rule, we are using both versions, which need to be tested separately on the SP1/SP2 box.]
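
The per-service-pack version check described in post 17, as an added example that is not part of the original thread and not Altiris's own inventory rule. The rule layout and function names are hypothetical; the version numbers are the ones quoted in the thread.

```python
# Added example: models the per-service-pack file version check from post 17.
# The rule layout and function names are hypothetical, not Altiris's rule format.

def parse_version(text):
    """Turn '5.2.3790.3959' into (5, 2, 3790, 3959) so parts compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

# Patched eventcls.dll versions for KB940349 as quoted in the thread,
# keyed by Windows Server 2003 service pack level.
KB940349_EVENTCLS = {
    1: parse_version("5.2.3790.3002"),
    2: parse_version("5.2.3790.4143"),
}

def needs_update(installed, service_pack, rule):
    """True if the file is older than the patched build for this service pack.

    Raises KeyError when the rule has no entry for the service pack, so an
    unknown branch is never silently reported as compliant.
    """
    return parse_version(installed) < rule[service_pack]

def needs_update_ignoring_branch(installed, rule):
    """Flawed check: treats any file at or above the lowest patched version as fixed."""
    return parse_version(installed) < min(rule.values())

def explain(installed, service_pack, rule):
    """One-line summary of the branch-aware result for a given file version."""
    required = ".".join(str(part) for part in rule[service_pack])
    state = "required" if needs_update(installed, service_pack, rule) else "not required"
    return f"SP{service_pack} file {installed}: update {state} (patched build is {required})"

if __name__ == "__main__":
    # File version found on the Win2k3 SP2 server in the thread.
    print(explain("5.2.3790.3959", 2, KB940349_EVENTCLS))
    print("branch-blind check says required:",
          needs_update_ignoring_branch("5.2.3790.3959", KB940349_EVENTCLS))
```

The branch-blind function reproduces the comparison against the SP1 figure: 5.2.3790.3959 is newer than 5.2.3790.3002, so the file looks patched, while the SP2 rule still flags it.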



  • 18.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Dec 02, 2010 07:39 AM

    We have analyzed the issue and found that the box in question is patched with all the Windows/OS updates through “Windows Update”, which is enabled. The updates which are showing as applicable are mostly Office updates, which are not provided by “Windows Update” (Windows Update provides only Windows/OS updates by default). The OS updates which are shown as applicable are released by Microsoft through KB articles, which are also not supported by Windows Update.



  • 19.  RE: Patch (NS7) sees vulnerabilities from hundreds of old bulletins

    Posted Dec 02, 2010 07:40 AM

    Altiris Solution vulnerability reports are detecting the customer box as vulnerable for Office updates and Windows/OS updates which are provided by Microsoft through KB articles. The report “Microsoft Compliance by Computer” shows the Applicable, Installed, and Vulnerable update counts for the client machine even if we have not staged or distributed the applicable bulletin/update for that machine. This is the expected behavior of the reports (it is up to the customer to distribute the applicable bulletin/update or not). The report “Microsoft Vulnerabilities (Graph)” shows all the vulnerabilities of machines which are connected to the distributed server.