How does Configuration Manager see that a Security Update is needed?

    Question

  • Hi everyone,
    We use Configuration Manager to deploy security patches to our clients and servers.
    We also have ESM (Symantec Enterprise Security Manager) to see that security updates are needed for several products, including Windows Server OS.

    ESM says that security updates are needed, but Configuration Manager does not say they are needed.
    ESM can pinpoint that the DLL files that should be updated by the patch are not updated, but SCCM either says that it is installed or not needed.

    So I want to know what SCCM knows that ESM does not, or if we have a problem. Can we rescan machines?

    Confused... :S ... and help needed

    /Maekee

    Monday, October 19, 2009 6:52 PM

All replies

  • SCCM uses the same technology that is used when you visit the Windows Update website: the Windows Update Agent. I would trust MS over Symantec at knowing what patches are required. If you are not syncing the correct classification, then there could be items required that are not being seen by the WUA.




    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Monday, October 19, 2009 11:41 PM
  • Hi John and everyone else,

    I have checked and all Classifications are selected and Windows Server OS is under Products.

    ESM for example says that MS08-004/KB960082 (Security Update for SQL Server 2000 Service Pack 4) is needed on six servers.

    If I check the KB article (http://support.microsoft.com/kb/960082) under File Information, the KB says that it changes the file version on the files listed in the article,
    including these files (that ESM checks versions on):
    Odsole70.dll
    Semmap.dll
    Sqlagent.exe

    According to the article, these files should change their version to 2000.80.2055.0, but ESM finds these files with version 2000.80.2039.0 (not updated).
    I have logged on to three servers and the old version is correct.

    Feels like ESM is right and the update is needed? If not, what does SCCM know that ESM does not? I cannot just trust MS if I don't know this.

    Hope everyone understands what I mean.

    /Maekee

    Tuesday, October 20, 2009 11:25 AM
  • Here is a question: Have you run Windows Update to see if the patch pops up?

    If you need the patch installed and Windows Update agrees and ConfigMgr doesn't, then I think you need to submit a case to Microsoft so they can determine the issue. Either way I think we need to do some troubleshooting to get all the relevant facts together so we can find a solution for ConfigMgr/Windows Update/Symantec.

    Detection:
    Windows update: ??
    Symantec: Yes
    ConfigMgr: ??
    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    Tuesday, October 20, 2009 11:56 AM
  • Hi,
    I think we have blocked direct internet access from our servers in the firewalls.
    When I try to run Microsoft Update I get: "website has encountered a problem and cannot display the page you are trying to view"

    So I installed MBSA 2.1, downloaded the latest Offline Catalog and Authentication File and ran that in offline mode.
    It reports the same thing as SCCM says and more, but even MBSA says that MS09-004 is installed.

    So why does ESM say that the versions of the files that MS09-004 should update are old (which they are) and SCCM does not?
    Maybe SCCM looks at other things that ESM doesn't know how to check?


    /Maekee
    Tuesday, October 20, 2009 3:06 PM
  • I'm wondering if ESM is scanning all files and maybe finding older file versions in i386 or some other directory out there. Try searching one of the noncompliant PCs for a particular file like Odsole70.dll, Semmap.dll or Sqlagent.exe and see if you come back with multiple versions. Just a thought.
    Tuesday, October 20, 2009 3:59 PM
  • Hi Tom and thanks for the answer,
    I have looked at the version where the original is located (where the KB points to) and they are old.
    So it's not a wrong path on the files.

    Any other tips?


    /Maekee
    Wednesday, October 21, 2009 7:49 AM
  • I believe that Windows Update and SCCM both scan only the Registry to see if a particular patch was installed and not the actual file versions.

    This creates issues when you patch a system with the latest patches and then go back and install a Service Pack that was released with files from an earlier date. WU would show that everything was updated, but in fact several files would have been replaced by the older Service Pack.

    In a previous life, I used a product called BigFix that looked at actual file version levels to determine if patches were needed. We learned the hard way that going back and installing a Service Pack that was several months old on a machine would cause all the newer patches to show as corrupt and require a reinstall.

    Wednesday, October 21, 2009 2:59 PM
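Tom's suggestion of hunting for every copy of the named files, and the file-version-versus-registry point in the reply above, can be checked on one server with the following PowerShell script. It is an added example, not code from the thread, SCCM or ESM; the KB number, file names and versions come from the thread, while the search roots and registry locations are assumptions that may need adjusting per product and install drive.

```powershell
# Added example: collect the two kinds of evidence the thread argues about.
# Assumptions: SQL Server 2000 is under Program Files on C:, and the registry
# roots below are where an update MAY register itself (varies by product).
$Kb              = 'KB960082'
$ExpectedVersion = [Version]'2000.80.2055.0'
$Files           = 'Odsole70.dll', 'Semmap.dll', 'Sqlagent.exe'
$SearchRoots     = 'C:\Program Files\Microsoft SQL Server', 'C:\WINDOWS'   # assumption
$RegistryRoots   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
                   'HKLM:\SOFTWARE\Microsoft\Updates'                       # assumption

# 1. File evidence (what ESM checks): every copy of each file with its version,
#    so a stale duplicate in an i386 or backup folder shows next to the live one.
$fileReport = foreach ($name in $Files) {
    Get-ChildItem -Path $SearchRoots -Filter $name -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string
            # sometimes carries extra text that [Version] cannot parse.
            $v = New-Object Version($vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart)
            New-Object PSObject -Property @{
                File    = $_.FullName
                Version = $v
                Current = ($v -ge $ExpectedVersion)
            }
        }
}

# 2. Registry evidence (what an inventory may rely on instead of file versions):
#    any uninstall/update key whose name or DisplayName mentions the KB number.
$regHits = Get-ChildItem -Path $RegistryRoots -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like "*$Kb*" -or
                   ($_.GetValue('DisplayName') -like "*$Kb*") } |
    Select-Object -ExpandProperty Name

$fileReport | Sort-Object File | Format-Table File, Version, Current -AutoSize
"Registry entries mentioning ${Kb}: " + $(if ($regHits) { $regHits -join '; ' } else { 'none' })

# 3. Summarise which way the two sources disagree, if they do.
$stale = @($fileReport | Where-Object { -not $_.Current })
if ($stale.Count -gt 0 -and $regHits) {
    "Registry says $Kb is installed, but $($stale.Count) file(s) are below $ExpectedVersion."
} elseif ($stale.Count -gt 0) {
    "$Kb looks neither registered nor applied: $($stale.Count) file(s) are below $ExpectedVersion."
} else {
    "All copies found are at or above $ExpectedVersion."
}
```

Run it in an elevated session on one of the six servers; a live binary below the expected version next to a registry hit is the exact disagreement described in the thread.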
  • Hi,
    Don't really know where to go from that answer?

    Let's say that I install the latest Security Updates and a month later install a Service Pack that came before the updates I installed.
    The Service Pack replaces some system files with an older version than the security updates did. If this is the case, is the system still up to date?

    Is the System not as secure any more? What should i do?


    /Maekee
    Tuesday, October 27, 2009 8:26 PM
  • Has anyone ever seen a datasheet that compares SCCM DCM to ESM?
    Monday, January 31, 2011 2:10 PM