Purpose
The purpose of this article is to explain how patch scan detection works in Shavlik Protect, Ivanti Patch for Windows Servers and patch scan SDK.
Overview
To understand the basics of how the scan engine works in our products, please see the following information from the online Help system Patch Scanning Overview
The Ivanti Patch for Windows scan engine performs security patch assessment against a variety of Windows-based operating systems and products from Microsoft and other product 3rd party vendors.
The Ivanti patch scan engine uses a data definition file that contains information about which security hotfixes are available for each product. The data file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:
- Files in each hotfix package and their file versions
- Registry changes that were applied by the hotfix installation package
- Information about which patches replace which other patches
- Related Microsoft Knowledge Base article numbers
- Cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by Mitre.org (CVEID)
The data definition file, which is contained on the console in a secured file named WindowsPatchData.zip, is created and hosted by Ivanti. The WindowsPatchData.zip replaces the hf7b.xml used by previous patch scan engine versions and is used for the following Product versions:
- Ivanti Patch for Windows Servers 9.3+
- Shavlik Protect 9.2+
- OEM patch scan SDK 9.2+
When you run Ivanti Patch for Windows (without specifying advanced file input options), the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file is a digitally signed CAB file and is available on the Ivanti website. Ivanti Patch for Windows downloads the CAB file, verifies its digital signature, and then extracts the XML file to your local computer. Note that a CAB file is a compressed archive that is similar to a ZIP file.
After the data file is extracted, Ivanti Patch for Windows scans your machine (or the selected machines) to determine the operating system, service packs, and programs that you are running. Ivanti Patch for Windows then identifies security patches that are available for your combination of installed software. Patches that are applicable to your machine but are not currently installed are displayed as Missing Patch in the resulting output. In the default configuration, Ivanti Patch for Windows output displays only those patches that are necessary to bring your machine up to date. Ivanti Patch for Windows recognizes roll-up packages and does not display those patches that are replaced by later patches.
Read more about Replacement Patch detection (Supersedence) here: Determining Patch Replacements
During the scanning process the detection goes through a few main steps, simplified in order here:
- DPD (Dynamic Product Detection) - The scan engine will first use DPD to identify the:
A. Operating System
B. Any products installed on the target system
C. The service pack level of any installed products (if applicable).
2. Patch detection: Once DPD determines all applicable products on the target system the scan then goes into individual patch detection for any patches that apply to the OS or products on the target system. For each individual patch the scan goes through registry and/or file checks for any registry keys or files that are affected by the patch. This is also where any filtering comes into play. (i.e. product, patch type, severity, or any other patch filter settings)
Additional Information
- Online help files can be found here: Online Help System
Affected Products
- Ivanti Patch for Windows Servers 9.3+
- Shavlik Protect 9.2+
- OEM SDK 9.2+