3 Replies Latest reply on Jun 26, 2018 10:11 AM by phoffmann

    Is there a way to delete the patch history for a device?

    RobLent Specialist

      So I have a server that I slipstreamed a load of patches into, or so I thought, and from EPM's point of view it states patches were applied on a certain date.

       

      However I can see from the server itself that the patch has not actually installed at all.

       

      So I am wondering if there is a way I can delete the patch history data for the server so that I can run a fresh Vulscan to get an up to date actual patch listing?

       

      I am assuming that a vulscan will pick up patches applied that EPM has not applied?

        • 1. Re: Is there a way to delete the patch history for a device?
          phoffmann SupportEmployee

          If you want to essentially "re-synch" a device from a vulscan point of view, try this as a starting point:

           

          • vulscan /clear
          • vulscan /reset

           

          The above two commands will send a command to the Core to "please delete all vulnerability info you have on me", and then wipe out the local vulnerability definitions file(s).

           

          After that, run a regular (full) vulnerability scan.

           

          See if that gets you back to where you want / expect to be.

           

          ============

           

          One *COULD* in theory start deleting items out of the patch history, but overall I prefer not to fiddle with the DB unless there's a genuine need for it. Let's see if the above gets you where you want to be first.

           

          Note that we MAY still flag a device as vulnerable if a patch is INSTALLED but hasn't been rebooted yet (Win 10 / Server 2016 only install / finalise stuff on REBOOT for some reason, rather than 'any shutdown'). So that may be one possible reason why you're seeing that. Usually if we're claiming something to still be vulnerable, it more often than not still is.

          • 2. Re: Is there a way to delete the patch history for a device?
            RobLent Specialist

            Thanks for that.

             

            Those switches are useful to know about.

             

            However, this did not do the trick for me. I am now beginning to think that maybe the issue is the slipstreaming of the patches.

             

            EPM says the patch is applied. Our security scanning tool says it is not. If I look at the dll that the security tool is identifying as out of date on the server, it is indeed out of date, but EPM will not apply the patch as it believes it is already installed.

             

            I think I need to go back and work out how the slipstreaming bit did its job.

             

            Thanks for the reply.

            • 3. Re: Is there a way to delete the patch history for a device?
              phoffmann SupportEmployee

              That may be a content issue (either with our content), and/or a problem with how the patch runs.

               

              Could go either way.

               

              I'd suggest opening a ticket with support & troubleshooting it with them.

               

              Having followed this document here -- DPDTrace GUI Tool: Used to troubleshoot patch detection issues -- may accelerate the process, as would having some debug-logs available from the get-go. Other potentially useful articles are:

               

              Depending on the details involved, this can be "fun", as I've had a situation where Microsoft's published information was (knowingly) inaccurate, but that's "all we have" to build our definitions from, and they didn't see sufficient ROI in correcting it (because it'd need to be updated & translated in all those languages), so we were "correct as per the vendor published info" ... so there's a few ways this can go, potentially.

               

              But yeah, I'd go with support for this ... it could be a content issue on our end (in which case, we need to fix the relevant logic), and/or there may be a "more interesting" (read - complicated) situation going on.

               

              The world of patching can very much be less straightforward than expected.