Our KBox regularly detects as needed patches that in fact are not needed. These patches end up appearing as failures in my patch reporting process and are causing a lot of extra follow-up work. Please share your patching best practices with the forum. Do you label patches down to the application level to make sure no false-positive detections occur? How do you work around false-positive detections?

Can you elaborate more on some specific examples of false positives you've had, including the patch IDs? It may be a problem with the patch signatures or feed, and we'd like to work with Lumension on that.
Answered 08/31/2010 by: jkatkace
Purple Belt

Adobe and QuickTime were the worst. QuickTime assumed that if you didn't have the newest version, you needed the patch. This included not having QuickTime installed at all. Patch management installed QuickTime 4.3 on my servers. I finally made a group and disabled all QuickTime and Adobe patches.
Answered 08/31/2010 by: bgatech
Orange Senior Belt

My recommendation is to uncheck the box to Include Software Installers (Security/Patching/Patch Subscriptions/Application Settings). This way only patches are downloaded, not full application installers.
I also intensely distrust Apple patching behavior for Windows machines, exactly for the reason you describe, so when I get new patch notifications, I disable all Apple patches for Windows.
Answered 08/31/2010 by: mlathrop
Fifth Degree Brown Belt

This is what you want to do if you don't want inactive patches or patches you really don't want to show up in the reports:

1. Use this FAQ to exclude software installers: http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=917&artlang=en
2. Use this FAQ to build patch smart labels so it will only detect the OS or specific application patches: http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=1068&artlang=en
3. Also check out reports that only report active patches as well in the example report section:

Answered 12/30/2010 by: Llee
Senior Yellow Belt
