Latest reply on Sep 1, 2011 1:28 PM by Charlie Sullivan

    Patch Analysis Accuracy Issues

    Charlie Sullivan

      Is there anything that can be done to make a Windows Patch Analysis more accurate?  We are using Server Automation


      As an example of a common problem I have, on a Windows 2008 R2 SP1 server that has been recently fully patched, the analysis shows 13 updates missing, yet I can account for at least 11 of those being installed according to Windows.  When I try to do a manual update, no updates are needed.  (I am using MS Update, as opposed to just Windows Update, so I know all components such as SQL are covered.)  Also MBSA reports that none are missing.


      I'm not sure if I should open a case with BMC, or if this is just something I have to live with.



        • 1. Re: Patch Analysis Accuracy Issues

          Actually, I have seen many customers make the same assumption. The issue is that our patch analysis is more accurate than Microsoft’s. You might have verified the patches are installed, but that doesn’t mean they are applied. Most likely, your server needs to be rebooted. Our patch engine checks to make sure the system isn’t vulnerable anymore. If the patch updates DLL files, then our engine checks to make sure the DLLs are no longer in use by the OS. That usually means that the Windows server needs to be rebooted. I would reboot the server and run analysis again to be sure this isn’t the issue.

          • 2. Re: Patch Analysis Accuracy Issues
            Charlie Sullivan

            Thanks for the reply.


            Looking at some of the patches that are listed as missing, most were installed on 7-15, others on 8-12 and 5-4.  Looking at the System Log, the server has been rebooted four times since 8-12, so there's no need to reboot it yet again.  (I did the analysis yesterday, 8-30.)  I spot checked some DLL versions and all were either at the same revision number or newer than the ones listed in the KB articles.


            Is there something I can check that the engine checks?
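
The manual checks discussed in replies 1 and 2 (is a reboot still pending, and do the on-disk file versions meet the KB article's versions) can be scripted. This is an added example, not part of the thread and not BMC's analysis logic; the `$Expected` entry and the function names are constructed placeholders, and the script sticks to PowerShell 2.0 syntax so it runs on a default Windows 2008 R2 install.

```powershell
# Added example. The KB id, path and minimum version are constructed placeholders;
# take real values from the file information table in each KB article.
$Expected = @(
    @{ KB = 'KB0000000'; Path = "$env:windir\System32\example.dll"; MinVersion = '6.1.7601.0' }
)

function Test-PendingReboot {
    # Markers Windows sets while servicing work is still waiting for a restart.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
               -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        CbsRebootPending   = (Test-Path $cbs)
        WuRebootRequired   = (Test-Path $wu)
        PendingFileRenames = [bool]$sm   # $null when the value does not exist
    }
}

function Get-BinaryVersion([string]$Path) {
    # Use the numeric parts; the FileVersion string can carry build-lab text.
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                   $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Compare-PatchEvidence($Expected) {
    # Get-HotFix reads Win32_QuickFixEngineering, so it lists OS updates only,
    # not MSI-based updates for products such as SQL Server.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    foreach ($e in $Expected) {
        $onDisk = $null
        if (Test-Path $e.Path) { $onDisk = Get-BinaryVersion $e.Path }
        New-Object PSObject -Property @{
            KB                = $e.KB
            ListedAsInstalled = ($installed -contains $e.KB)
            OnDiskVersion     = $onDisk
            MeetsMinimum      = (($onDisk -ne $null) -and ($onDisk -ge [version]$e.MinVersion))
        }
    }
}

Test-PendingReboot | Format-List
Compare-PatchEvidence $Expected |
    Select-Object KB, ListedAsInstalled, OnDiskVersion, MeetsMinimum |
    Format-Table -AutoSize
```

A row with `ListedAsInstalled` true and `MeetsMinimum` false, together with a pending-reboot marker, matches the "installed but not applied" case from reply 1; rows that pass both checks with no marker set are the ones worth taking to the vendor.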

            • 3. Re: Patch Analysis Accuracy Issues
              Charlie Sullivan

              Just in case patch supersedence plays a part in this, I would like to get rid of superseded patches if that is possible.


              I am not entirely sure what the option to remove "Irrelevant Patches" does.  According to the Help files, Irrelevant Patches are ones that "do not match the specified filters and require removal."  However, there are Patches listed in the Irrelevant Patches smart group, which are for products included in our catalog, for example Windows 2008R2 English.


              Can anyone confirm the definition of Irrelevant Patches?  I would like to remove patches that are filtered out in our catalog as well as ones that are no longer needed for some other reason, even if they don't solve my problem.

              • 4. Re: Patch Analysis Accuracy Issues

                I think that should be a separate thread. Did you get the patch accuracy resolved? I got an email from someone at your location that suggested you were still having issues.



                • 5. Re: Patch Analysis Accuracy Issues
                  Charlie Sullivan

                  No, I haven't resolved the issue, but I posted about the Irrelevant Patches because I'm thinking that could help.