8 Replies Latest reply on Aug 3, 2016 2:17 PM by John Thies

    Vendor Impact Patching Question

      Hello All!


      Was wondering if anyone had any insight into this.

      Microsoft have 4 Severities for their patches. Critical, Important, Moderate, and Low.

      BMC list 5 severities for their VENDOR IMPACT for patching. Critical, Important, Moderate, Low, and Unknown.


      Does anyone know what these "unknown" patches correlate with? Are these considered LOW by Microsoft? Is there any documentation around this?

        • 2. Re: Vendor Impact Patching Question
          Joe Piotrowski

          We use Shavlik's patch analysis engine, not Microsoft's. Impact is only listed for Security patches, all other patches are considered "Unknown."

          • 3. Re: Vendor Impact Patching Question
            John Thies

            Hi Joe


            I understand that this is quite an old post, but I need clarification.


            I am in the process of getting information on security patches for one of my security people, and they had a question on why patches were listed as "Patch impact - Unknown: Set when the analysis engine returns inappropriate value". In the articles I am able to find, it specifically says "BSA uses the Shavlik scanning engines and in that regard only security patches will contain relevant information and all other patches are classed as “unknown”".


            In reviewing the patches listed by my security guy, these are security patches like the ones listed below:

            Microsoft Security Bulletin MS10-105 – Important

            Microsoft Security Bulletin MS11-044 – Critical

            Microsoft Security Bulletin MS11-099 – Important

            Microsoft Security Bulletin MS12-001 – Important

            Microsoft Security Bulletin MS12-010 – Critical

            Microsoft Security Bulletin MS12-077 – Critical

            Microsoft Security Bulletin MS13-023 – Critical

            Microsoft Security Bulletin MS13-035 – Important

            Microsoft Security Bulletin MS13-046 – Important

            Microsoft Security Bulletin MS13-083 – Critical

            Microsoft Security Bulletin MS14-018 – Critical


            Of course this is only a short list of what has been brought forward, and as you can clearly see from the list, these are security patches and still return the classification of unknown.


            Can we get some clarification on why these are listed as unknown?

            • 4. Re: Vendor Impact Patching Question
              Bill Robinson

              Open a ticket w/ support.

              • 5. Re: Vendor Impact Patching Question
                John Thies

                Thanks Bill, I will do that.

                • 6. Re: Vendor Impact Patching Question
                  Joe Piotrowski

                  John - it's been quite a long time since I've done Windows patching on a regular basis, but I can add what my experience was as best I remember. Bill can chime in if anything I post is incorrect.


                  1) The bulletins you listed are all 2.5 - 8 years old.

                  Microsoft Security Bulletins

                  2) Shavlik looks at the entire industry (Adobe, Java, Firefox, Google, Microsoft, etc) and categorizes their patches differently than Microsoft

                  3) Shavlik actually handles patching Windows servers better than Microsoft (Shavlik handles superseded patches better, Microsoft tends to want to force you to install every patch)


                  On the surface my guess would be that because these patches are so old, Shavlik may not have bothered to categorize many of them. Last time I checked (which was a while ago) I thought they stopped using Unknown on all newer patches, but many older ones were marked that way.

                  • 7. Re: Vendor Impact Patching Question
                    Joe Piotrowski

                    FYI - I just looked up Bulletin MS14-018 on my Windows Patch Catalog and the Vendor Impact is set to Critical. So I assume that's why Bill suggested opening a ticket.

                    • 8. Re: Vendor Impact Patching Question
                      John Thies

                      Thank you Joe


                      I have opened a task with BMC for this and you may see it in the queue.



