Identifying Explicitly Installed Patches

To identify a patch as explicitly installed, several criteria must be met.

  • The patch must include a registry key that gets written to the machine on which it will be installed.
  • Some types of patches do not write registry keys to the system on which they're being installed. Since there is no explicit indication that the patch has been applied, it cannot be determined that the patch was specifically installed at any point in time. To ensure that these systems are up to date, run a scan against the system and confirm that no patches appear as 'Patch Missing'.

    If Security Controls deploys the patch, however, it writes its own registry key to the remote system. This data is encrypted to prevent tampering. So, even if the patch doesn't normally write a registry key during deployment (SQL patches, Office patches, etc.), Security Controls writes a registry key that the scanner then reads during the assessment phase. The application can therefore read that all these patches are installed, what account was used to install the application, and when the patch was installed. This information is displayed on the patch details panel and as a mouse-over on the 'Patch Found' text in the patch summary pane.

  • The registry key must exist on the system being scanned.
  • All the files in the patch (as defined by the data definition file) that were written to the remote system must be equal to or greater than the file versions recorded in the data file. If any of the file versions on the remote system are below what is expected, the patch is considered not installed even if the registry key is present.
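The two criteria above, combined into a single assessment check, as an added illustration (this is not Security Controls' own code; the data definition file layout, the key path and the file names are assumptions, and a file absent from the system is treated as below its expected version):

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Convert '10.0.19041.1' into a tuple of ints. Integer tuples compare
    numerically, so '10.0.19041.100' ranks above '10.0.19041.2'; a plain
    string comparison would get that wrong."""
    return tuple(int(part) for part in text.split("."))

@dataclass
class PatchDefinition:
    """Subset of a data definition file entry this check needs (layout assumed)."""
    name: str
    registry_key: str
    files: Dict[str, Version]  # file path on the target -> minimum expected version

@dataclass
class SystemState:
    """Constructed snapshot of what the scan observed on the remote machine."""
    registry_keys: Set[str]
    file_versions: Dict[str, Version]  # file path -> version actually present

def assess_patch(patch: PatchDefinition, state: SystemState) -> Tuple[str, str]:
    """Return ('Patch Found' or 'Patch Missing', reason) per the two criteria."""
    # Criterion 1: the registry key the patch writes must exist on the scanned system.
    if patch.registry_key not in state.registry_keys:
        return "Patch Missing", "registry key not present"
    # Criterion 2: every file from the data file must be at or above the recorded
    # version; one file below the mark means not installed even though the key is
    # there. A file absent from the system is treated as below (assumption).
    for path, expected in patch.files.items():
        actual: Optional[Version] = state.file_versions.get(path)
        if actual is None or actual < expected:
            return "Patch Missing", f"{path}: found {actual}, expected >= {expected}"
    return "Patch Found", "registry key present and all file versions satisfied"

# Constructed sample data; the KB name, key path and file name are placeholders.
DLL = r"C:\Windows\System32\example.dll"
PATCH = PatchDefinition("KB-PLACEHOLDER", r"HKLM\SOFTWARE\Example\Patches\KB-PLACEHOLDER",
                        {DLL: parse_version("10.0.19041.100")})
# Key present and file at the required version -> Patch Found.
STATE_CURRENT = SystemState({PATCH.registry_key}, {DLL: parse_version("10.0.19041.100")})
# Key present but the file was rolled back below the expected version -> Patch Missing.
STATE_ROLLED_BACK = SystemState({PATCH.registry_key}, {DLL: parse_version("10.0.19041.2")})
# File is current but no key: nothing proves the patch was installed -> Patch Missing.
STATE_NO_KEY = SystemState(set(), {DLL: parse_version("10.0.19041.200")})
```

The rolled-back case is the one worth remembering: a registry key alone is not proof, because a later install or restore can replace a patched file with an older version while leaving the key in place.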