Re: MS patch scanner - how to use it in "real life"?
From: Eric (ews@tellurian.net) Date: 08/17/01
- Previous message: Mark Parry: "Re: Accessing Exchange 2000 Remotely"
- Maybe in reply to: Mattias Nyholm: "MS patch scanner - how to use it in "real life"?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <5.1.0.14.0.20010816183520.0341e158@mail.tellurian.net>
Date: Thu, 16 Aug 2001 18:40:44 -0700
To: Mattias Nyholm <mattias.nyholm@framfab.se>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
From: Eric <ews@tellurian.net>
Subject: Re: MS patch scanner - how to use it in "real life"?
If it reports patches that are missing that you know you've installed, run it with the -v -z switches. For example, everyone installed 01-007 when it came out. However, MS just released a newer version of the patch with a newer file version and a new reg key - this tool will find that stuff for you without you having to crawl the MS website.
I'd bet that if you run hfnetchk -v -z you'll find that there are some patches that have been re-released that you haven't kept up to date on. That's what makes the tool really useful.
Finally, don't use the -a switch. Running it without switches (default) will show you the necessary patches and will not show you any superseded patches. Then use the -v switch to see reasons why a patch wasn't installed, and -z to skip reg key checks (as they can't be relied upon).
At 01:48 PM 8/16/2001 +0200, Mattias Nyholm wrote:
>I've been testing the MS patch scanner, and I have some doubts as to
>how useful it is "in real life". The thing is that the tool reports
>on installed and missing hotfixes without considering that several
>patches are outdated and have been replaced by other patches. This
>leads to several problems:
>
># Even on a fully patched system the tool will still report that
> some patches are missing.
># The tool cannot be used in a "run once, tell me if something
> is missing" way to make sure a server is secure.
># Since the tool reports on missing hotfixes even though they are
> replaced by a later patch one will have to create and maintain a
> list of current patches and compare the tool's output to that list.
> To use this on a large scale one must write a separate tool to parse
> the output and compare it to the list.
>
>Has anyone else noticed the same problems, or have I completely
>misunderstood the tool? I'd be glad if I have! :)
>
>-mattias
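One way to build the comparison tool Mattias describes, as an added example that is not part of the original thread and not hfnetchk's own code: it parses a constructed approximation of the scanner's report lines (the real tool's output layout is not reproduced here), applies an assumed supersedence map and an assumed list of required patches, and separates real gaps from superseded-patch noise and from lines that need a manual check. All bulletin numbers except 01-007, the Q numbers and the supersedence relations are sample values.

```python
import re

# Constructed sample in an assumed hfnetchk-like line format
# (not captured from the real tool). Q numbers are made up.
SAMPLE_OUTPUT = """\
Scanning SRV01
Patch NOT Found  MS01-007  Q285851
Patch NOT Found  MS01-022  Q296441
Patch NOT Found  MS01-033  Q300972
WARNING  MS01-026  Q293826  File version is less than expected
NOTE  MS01-031  Q299553  Registry key missing
"""

# Assumed supersedence map: bulletin -> bulletin that replaces it.
# Relationships are invented for illustration, not Microsoft's data.
SUPERSEDED_BY = {"MS01-007": "MS01-033", "MS01-022": "MS01-026"}

# Assumed list of patches the admin currently requires on this server.
REQUIRED = {"MS01-026", "MS01-031", "MS01-033"}

LINE_RE = re.compile(
    r"^(Patch NOT Found|WARNING|NOTE)\s+(MS\d{2}-\d{3})\s+(Q\d+)\s*(.*)$")

def parse_report(text):
    """Return (status, bulletin, q_number, reason) for each report line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groups())
    return findings

def resolve(bulletin, superseded_by):
    """Follow the supersedence chain to the newest replacing bulletin."""
    seen = set()
    while bulletin in superseded_by and bulletin not in seen:
        seen.add(bulletin)
        bulletin = superseded_by[bulletin]
    return bulletin

def triage(text, required, superseded_by):
    """Split findings into real gaps, superseded noise, and manual checks."""
    result = {"missing": [], "superseded": [], "unlisted": [], "verify": []}
    for status, bulletin, q, reason in parse_report(text):
        latest = resolve(bulletin, superseded_by)
        if latest != bulletin:          # replaced by a newer bulletin: noise
            result["superseded"].append((bulletin, latest))
        elif status != "Patch NOT Found":  # reg key / file version reasons
            result["verify"].append((bulletin, q, reason))
        elif bulletin in required:      # genuinely missing and required
            result["missing"].append((bulletin, q))
        else:                           # missing but not on our list: review list
            result["unlisted"].append((bulletin, q))
    return result
```

Run `triage(SAMPLE_OUTPUT, REQUIRED, SUPERSEDED_BY)` after each scan; the supersedence map and required list are the two files you maintain by hand.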