2 Replies Latest reply on Jun 26, 2012 7:35 AM by Jim Campbell

    Security Patch vs Security Tool

    Jim Campbell

      After provisioning a Windows server we run a patching job that uses a catalog with all filters and the 'Group' option with only 'Security patches' selected (i.e. no whitelist).  It was brought to our attention that a recent patch (MS12-A03) was not being applied by this method of patching and we have found that this patch is classified as a 'Security Tool' instead of the standard 'Microsoft Security Patch'.  Is there a way to force the patching job to include only this bulletin in addition to its normal method of operation?  I am not able to add an 'include' smartgroup with this Bulletin but I'm not sure if I'm just missing something.

       

      If not, is there a way to get a list of all Bulletins/hotfixes that would be included in the Patching Job if we were to also select the 'Security Tools' option as well as 'Security Patches'? We have tried this and it does add the desired bulletin but it also adds other Bulletins as well. Would a smartgroup with a criterion of "Hotfix where PATCH_TYPE equals 'Security Tool'" include everything that would be used by such a patching job? We could probably select the 'Security Tools' option and use an exclude group on all Security Tool items except the Security Tool Bulletin we want but we need to be able to find everything that would be excluded in such a scenario.

        • 1. Security Patch vs Security Tool

          >>Is there a way to force the patching job to include only this bulletin in addition to its normal method of operation?

           

          In your Catalog, create a new Smart Group (call it ExcludeButMS12-A03 or anything else you wish) with the following condition:

           

          Match "all" of the following conditions:

          "Hotfix" where "BULLETIN_ID" "does not equal" "MS12-A03"

          "Hotfix" where "PATCH_TYPE" "equals" "Security Tool"

           

          Expect this Smart Group to list all the Security Tools except for MS12-A03.

           

          Modify your Patch Analysis Job to scan against 'Security Patches' and 'Security Tools', and add the Exclude Filter to be "ExcludeButMS12-A03".

           

          Expect the Analysis Job to scan against all security patches and tools, and exclude all the security tools except for MS12-A03.
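
A way to check the scope change described in the reply above before running the modified job, added here as an example and not part of the original thread or the product's tooling. It assumes a hypothetical CSV export of the catalog with BULLETIN_ID, HOTFIX and PATCH_TYPE columns, and it models the job as "selected patch types minus the exclude Smart Group"; every row other than the MS12-A03 bulletin ID is constructed.

```python
import csv
import io

# Constructed sample export. The CSV layout and every row except the
# MS12-A03 bulletin ID and the two patch types named in the thread are made up.
SAMPLE_CATALOG = """BULLETIN_ID,HOTFIX,PATCH_TYPE
EXAMPLE-001,example-hotfix-a,Microsoft Security Patch
EXAMPLE-002,example-hotfix-b,Microsoft Security Patch
MS12-A03,example-hotfix-c,Security Tool
EXAMPLE-T01,example-hotfix-d,Security Tool
EXAMPLE-T02,example-hotfix-e,Security Tool
EXAMPLE-N01,example-hotfix-f,Example Other Type
"""

OPERATORS = {
    "equals": lambda value, operand: value == operand,
    "does not equal": lambda value, operand: value != operand,
}

def load_catalog(text):
    """Parse the (assumed) CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def smart_group(rows, conditions):
    """Rows matching 'all' of the (property, operator, operand) conditions."""
    return [r for r in rows
            if all(OPERATORS[op](r[prop], operand) for prop, op, operand in conditions)]

def job_scope(rows, patch_types, exclude=None):
    """Assumed model: hotfixes of the selected types minus the exclude group."""
    selected = [r for r in rows if r["PATCH_TYPE"] in patch_types]
    dropped = {r["HOTFIX"] for r in smart_group(selected, exclude)} if exclude else set()
    return {(r["BULLETIN_ID"], r["HOTFIX"]) for r in selected if r["HOTFIX"] not in dropped}

def scope_change(rows, keep_bulletin):
    """Return (added, removed) hotfixes when moving to the modified job."""
    baseline = job_scope(rows, {"Microsoft Security Patch"})
    exclude = [("BULLETIN_ID", "does not equal", keep_bulletin),
               ("PATCH_TYPE", "equals", "Security Tool")]
    modified = job_scope(rows, {"Microsoft Security Patch", "Security Tool"}, exclude)
    return modified - baseline, baseline - modified

if __name__ == "__main__":
    added, removed = scope_change(load_catalog(SAMPLE_CATALOG), "MS12-A03")
    print("added:", sorted(added))      # should list only MS12-A03 hotfixes
    print("removed:", sorted(removed))  # should be empty
```

If `added` contains anything other than MS12-A03 hotfixes, or `removed` is not empty, the exclude group is not doing what the job change intended.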

          • 2. Security Patch vs Security Tool
            Jim Campbell

            Thanks, this is what I was planning to do assuming that smartgroup would work. There do not appear to be very many classified as 'Security Tool' when I use this smartgroup so it looked a bit suspicious.