Symantec Management Platform (Notification Server)


Patch package not deploying

  • 1.  Patch package not deploying

    Posted May 09, 2011 05:45 AM

    Dear All,

    We have an issue with Patch management solution. There is a bulletin MS10-046. According to the Compliance list the patch only applies to 2 clients, which almost for sure is wrong!

    I have deleted the software package and all the patch files on the NS server. I staged again the bulletin and created the software package. I was hoping it will fix it, but it didn't.

    Well I have distributed the patch using the deployment Win32 console in the meantime. But I'm wondering how can I fix the issue in NS patch management solution. The solution is at latest release 7.0.4409.

    Any thought why this bulletin doesn't distribute properly?

    Thank you

    Edy



  • 2.  RE: Patch package not deploying

    Posted May 09, 2011 10:34 AM

    What OS are your clients? Can you verify that at least one client you feel should be vulnerable is indeed patched?



  • 3.  RE: Patch package not deploying

    Posted May 09, 2011 04:32 PM

    Client OS is Windows XP SP3 and no, they were not patched using the Patch Management solution for this bulletin. We later patched them using the Deployment console.

    Thanks



  • 4.  RE: Patch package not deploying

    Posted May 10, 2011 11:18 AM

    What I meant was - are there systems that, if you ran something like MBSA or Windows Update, show as vulnerable to the patch, and Altiris does not?



  • 5.  RE: Patch package not deploying

    Posted May 12, 2011 08:47 AM

    Sorry about my late reply.

    We have found out since we had a WORM incident in April and MS10-046 was not deployed to some computers.

    The compliance report shows that this patch only applies to 2 computers, which were patched. We have checked some computers manually and discovered that the patch was deployed back in August when the bulletin was released. We never used any other deployment method than Altiris. So I assume the patches were deployed with Altiris.

    It appears that it is a reporting issue of the patch management solution. False reporting. I don't know how I can fix the issue.

    Thanks

    Edy



  • 6.  RE: Patch package not deploying

    Posted May 12, 2011 09:45 AM

    If Altiris is saying it only applies to 2 systems, it sounds like applicability rules aren't firing properly for MS10-046.  Do you really mean applies to, or do you mean vulnerable?



  • 7.  RE: Patch package not deploying

    Posted May 12, 2011 10:06 AM

    I mean the report says

    Applicable to 3 systems

    Installed to 3 systems

    Vulnerable to 0 systems

    Compliance 100%

    Thanks



  • 8.  RE: Patch package not deploying

    Posted May 12, 2011 10:59 AM

    And how does this differ from what you expect to see?  For example, do you have 12,000 nodes and 11,000 of those are Windows and 10,500 of those are running Patch Management?  I'm not sure how large the environment is -- if this is a test or eval environment this could be normal.



  • 9.  RE: Patch package not deploying

    Posted May 13, 2011 06:26 AM

    No, we are a shop of 200 users,

    I would expect to see a report that the patch is applicable to 180 computers as I do for other patch bulletins.

    I believe there is indeed a reporting issue. We have checked some computers manually and the patch was deployed in August 2010, which means when it came out. Since we don't use any other method to deploy patches it must have been installed by Altiris.

    I just don't know how to fix the reporting issue.

    Thank you

    Edy



  • 10.  RE: Patch package not deploying

    Posted May 13, 2011 08:15 AM

    Could you please provide a screenshot (with Grid and report menu bar shown) of the report?



  • 11.  RE: Patch package not deploying

    Posted May 15, 2011 08:08 AM

    Hi Robert,

    Attached is a screenshot you were requesting. I hope it is what you were looking for.

    Thanks,



  • 12.  RE: Patch package not deploying

    Posted May 15, 2011 11:06 AM

    Yes, that was the screenshot I was looking for. Just one more thing, could you please attach a similar screenshot of the "Software Update Delivery Summary" report, with the required update shown?

    Thanks.



  • 13.  RE: Patch package not deploying

    Posted May 15, 2011 01:25 PM

    Here is the requested report.  I don't understand the low number for targeted computers.

    Thanks,

    Edy



  • 14.  RE: Patch package not deploying

    Posted May 15, 2011 11:08 PM

    Is the issue:

    A) You have PCs missing MS10-046 (e.g. WSUS, windowsupdate.microsoft.com), but Altiris says they have MS10-046 already installed and are not vulnerable

    B) You have PCs with MS10-046 (e.g. WSUS shows as patched or windowsupdate.microsoft.com does not offer update), but Altiris says they need MS10-046

    C) Something else entirely?



  • 15.  RE: Patch package not deploying

    Posted May 16, 2011 02:51 PM

    No, I believe the issue is that the reports show that the patch is only applicable to two computers. I think the report pulls the data wrong from the SQL database.



  • 16.  RE: Patch package not deploying

    Posted May 18, 2011 08:30 AM

    1. All the policies you have created for MS10-046 contain expected computers in their targets.

    2. All the expected computers have SWU Plug-in installed and of valid version (in case upgrade was performed).



  • 17.  RE: Patch package not deploying

    Posted May 19, 2011 02:50 PM

    Seems that these are all WinXP computers...are they on SP3?  Most of the patches from late last year will not apply unless the target PCs are on XP SP3 as XP SP2 support was dropped mid-summer I think (if not earlier).  If the patch requires XP SP3 (which it does) but the machine is on XP SP2, then they will not appear as applicable as they don't meet the system/OS-level requirements for the patch, even though they are technically vulnerable.

    This would actually be a nice improvement to Patch Management, to report machines as vulnerable due to down-level service packs, etc.
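
The effect described in post 17, as an added example that is not part of the original thread and is not Altiris's own rule logic: a report that counts only machines passing the applicability rule can show a small "applicable" number and high compliance while down-level machines stay unpatched. The inventory, field names and the `summarize` function are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: the bulletin's applicability rule is "Windows XP at SP3 or later",
# as post 17 states for MS10-046. All field and function names are hypothetical.
REQUIRED_OS, REQUIRED_SP, BULLETIN = "Windows XP", 3, "MS10-046"


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    service_pack: int
    installed: frozenset  # bulletins confirmed installed on this host


# Constructed inventory for illustration; not data from the thread.
INVENTORY = [
    Host("pc-001", "Windows XP", 3, frozenset({BULLETIN})),
    Host("pc-002", "Windows XP", 3, frozenset({BULLETIN})),
    Host("pc-003", "Windows XP", 3, frozenset()),
    Host("pc-004", "Windows XP", 2, frozenset()),
    Host("pc-005", "Windows XP", 2, frozenset()),
    Host("mac-01", "Mac OS X", 0, frozenset()),
]


def summarize(hosts, bulletin=BULLETIN):
    """Compute the four report figures plus the hosts the report cannot see."""
    right_os = [h for h in hosts if h.os == REQUIRED_OS]
    applicable = [h for h in right_os if h.service_pack >= REQUIRED_SP]
    installed = [h for h in applicable if bulletin in h.installed]
    # Down-level hosts fail the applicability rule, so they never count as
    # "vulnerable" in the report even though the patch is absent.
    below_baseline = [h.name for h in right_os
                      if h.service_pack < REQUIRED_SP and bulletin not in h.installed]
    compliance = 100.0 * len(installed) / len(applicable) if applicable else 100.0
    return {
        "applicable": len(applicable),
        "installed": len(installed),
        "vulnerable": len(applicable) - len(installed),
        "compliance_pct": round(compliance, 1),
        "below_baseline": below_baseline,
    }


if __name__ == "__main__":
    print(summarize(INVENTORY))
```

Listing the `below_baseline` hosts next to the compliance figure is the kind of reporting improvement post 17 asks for.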