When might patches distributed by ZPM show different status than Windows Update Service?

  • 7011780
  • 12-Feb-2013
  • 29-Nov-2018

Environment

Novell ZENworks Configuration Management 11.2
ZENworks Patch Management
Discover Applicable Updates (DAU)
Microsoft Windows Update (WSUS)

Situation

Why does the ZPM DAU (Discover Applicable Updates) scan sometimes show that a device is not patched even though, for hot patches, the MSI for the patch is shown as installed in Add/Remove Programs?

Resolution

There are two types of Lumension patches:
  1. One type of patch is custom-built by the Lumension content team.  This type of patch does not have LSAC in the description.  For this type of patch, analyze.exe may look for specific DLL versions, registry entries, etc.  Example from debug.log:
    Detecting
     File [C:\WINDOWS\system32\tsddd.dll]
      Version Found: [5.1.2600.5512], Check Against: >= [5.1.2600.2096]
       Version information within specified range
    In the above example, it is possible that another patch delivered the correct DLL.  So while the MSI list may not show the patch, and Microsoft Updater may list it as required, the deeper analysis shows that, for all of the files delivered by the patch, the device has the correct and current version.  If a user or another application were to roll the DLL back to an older version, the next DAU (Discover Applicable Updates) scan would show the patch as required.  This lower-level approach guarantees more security.
  2. Another type of patch distributed by Lumension uses the original MSI installer from the vendor.  These patches will tend to agree with the Microsoft list of required patches.  In the patch description, this will typically show as LSAC.  Since Microsoft Updater inspects the MSI list, the two results will tend to match.
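
The file-version check described for the first patch type can be reproduced when reviewing a debug.log by hand. The script below is an added example, not Lumension or ZENworks code: it parses entries in the layout of the excerpt above and compares versions field by field as integers. It assumes only the ">=" check shown in the excerpt, and that a patch counts as required when any of its files fails the check; the second log entry and its file name are constructed.

```python
import re

# Constructed sample in the layout of the debug.log excerpt above. The first
# entry is the article's example; the second is a constructed rolled-back DLL.
SAMPLE_LOG = r"""
Detecting
 File [C:\WINDOWS\system32\tsddd.dll]
  Version Found: [5.1.2600.5512], Check Against: >= [5.1.2600.2096]
   Version information within specified range
Detecting
 File [C:\WINDOWS\system32\example.dll]
  Version Found: [5.1.2600.999], Check Against: >= [5.1.2600.2096]
"""

FILE_RE = re.compile(r"File \[(?P<path>[^\]]+)\]")
CHECK_RE = re.compile(
    r"Version Found: \[(?P<found>[\d.]+)\], Check Against: >= \[(?P<need>[\d.]+)\]"
)

def parse_version(text):
    """Split a dotted version into integers so each field compares numerically.
    Comparing the raw strings would rank 5.1.2600.999 above 5.1.2600.2096."""
    return tuple(int(part) for part in text.split("."))

def evaluate(log_text):
    """Return [(path, found, required, satisfied)] for each file check."""
    results, path = [], None
    for line in log_text.splitlines():
        m = FILE_RE.search(line)
        if m:
            path = m.group("path")
            continue
        m = CHECK_RE.search(line)
        if m and path is not None:
            found, need = m.group("found"), m.group("need")
            ok = parse_version(found) >= parse_version(need)
            results.append((path, found, need, ok))
            path = None
    return results

def patch_required(log_text):
    """Assumption: the patch is required if any checked file is out of range."""
    return any(not ok for *_, ok in evaluate(log_text))

if __name__ == "__main__":
    for path, found, need, ok in evaluate(SAMPLE_LOG):
        status = "ok" if ok else "REQUIRED"
        print(f"{path}: found {found}, need >= {need} -> {status}")
```
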