Scanning Engine Overview

The Security Controls scan engine performs security patch assessment against a variety of Windows-based operating systems and products from Microsoft and other product vendors.

The Security Controls engine uses a data definition file that contains information about which security hotfixes are available for each product. The data file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:

  • Files in each hotfix package and their file versions
  • Registry changes that were applied by the hotfix installation package
  • Information about which patches replace which other patches
  • Related Microsoft Knowledge Base article numbers
  • Cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by (formerly (CVEID)

The data definition file, which is contained on the console in a secured file named, is created and hosted by Ivanti.

When you run Security Controls (without specifying advanced file input options), the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file is a digitally signed CAB file and is available on the Ivanti website. Security Controls downloads the CAB file, verifies its digital signature, and then extracts the XML file to your local computer. Note that a CAB file is a compressed archive that is similar to a ZIP file.

After the data file is extracted, Security Controls scans your machine (or the selected machines) to determine the operating system, product levels, and programs that you are running. Security Controls then identifies security patches that are available for your combination of installed software. Patches that are applicable to your machine but are not currently installed are displayed as Missing Patch in the resulting output. In the default configuration, Security Controls output displays only those patches that are necessary to bring your machine up to date. Security Controls recognizes roll-up packages and does not display those patches that are replaced by later patches.