Introduction
This document lists the main tables used by Patch Manager. It also describes some of the columns useful in building custom reports. This document covers both LANDESK Management Suite 9.5 and 9.6.
Purpose
Many customers wish to create their own reports or query the database for patch information directly using SQL tools. This document describes most of the patch tables and the information they hold. It also highlights many of the columns that either link to other tables or are not easily understood and could use a little explanation.
LANDESK Customer Support does not write custom reports; however, this document will help customers when they write their own queries and reports.
Main Patch Definition Tables
Vulnerability Table
This table contains information about the Patch Definition. In this example we’ll use MS14-065.
Vulnerability_Idn: this column is unique per patch definition and is how the definition will be referenced in other tables.
Vul_ID: this value is what appears in Patch Manager as the “ID” column.
Severity: this value corresponds to the severity as follows:
0- Service Pack
1- Critical
2- Important/High
3- Moderate/Medium
4- Low
5- NA
6- Used by non-Vulnerability types like Application Blocking
Vendor: this value lists the vendor of the patch.
Status: this value denotes what state the patch definition is in, as follows:
0- Do Not Scan
1- Scan
2- Unassigned
Type: defines what type of definition it is, as follows:
0- Vulnerabilities
1- Spyware
2- Security Threats
3- LANDESK Updates
4- Custom Definitions
5- Blocked Apps
6- Software Updates
7- Drivers
8- Antivirus
Scanned, Detected, Repaired, NotScannedCount: all refer to the counts of machines that have fallen into the various categories. Important note: Gather Historical Data is the task that updates these numbers.
SupercededState: this value denotes whether the vulnerability has been superseded (replaced) by a newer vulnerability:
0- Not superseded
1- Some rules have been superseded
2- All rules have been superseded
Patch Table
Inside of each definition listed in the vulnerability table, there could be multiple rules that define how to detect and usually how to remediate each vulnerability. In our example definition MS14-065 there are 9 rules at the time of writing this. You can view these by opening the MS14-065 definition and viewing “Detection Rules” under the General Tab.
Highlights of the Patch table and how certain columns relate to the Vulnerability Table:
Patch_idn: this column assigns a unique ID to each Patch rule. Other tables like patchtoproduct and patchtoplatform refer to rows in the Patch table by this patch_idn.
Vulnerability_idn: shows the unique Vulnerability that each Patch rule refers to. This number will likely be different for each core. For example, in my DB MS14-065 is Vulnerability_Idn 25870. If I query the Patch table for all rows that have Vulnerability_Idn = 25559 I get back 9 rows as expected. These are the 9 rules that are found under “Detection Rules” in the console for MS14-065.
UniqueFileName: this column shows the patch name that is stored in the Patch download location, typically //coreserver/ldlogon/patch.
URL: the download URL for the patch, if there is one. Some vulnerabilities don’t have a download, or the patch has to be downloaded manually.
Name: this is the name of the rule. You may note some strange capitalization in names; this is normal. In case more than one rule is needed per patch (UniqueFileName) this column maintains case-sensitivity.
Ignore: this is used if the rule has been disabled (0 = on, 1 = disabled). See this document for more info on disabled rules: https://community.landesk.com/support/docs/DOC-32270
Download: indicates if a patch can be downloaded for this rule.
InPatchDir: indicates if the patch has been downloaded.
Commands: this is where the rule’s detection and remediation commands are stored. It is not human readable.
Reboot, CanRunSilent, Uninstallable: indicate if the rule needs a reboot, can run silent, and/or is uninstallable (0 = no, 1 = yes).
SupercededByVulID: this column indicates the Vulnerability_Idn of a definition that replaces that rule. In this example, MS14-080 replaces all of the rules in MS14-065.
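An added example (not LANDESK-supplied code), written for SQL Server: because Vulnerability_Idn differs from core to core, this query finds a definition's rules by Vul_ID and resolves SupercededByVulID to the ID of the replacing definition. It uses only the columns described above; the NVARCHAR length of the variable is an assumption.

```sql
-- Added example: list every detection rule of one definition, looked up by
-- Vul_ID so the same query works on any core server.
DECLARE @VulId NVARCHAR(255) = N'MS14-065';  -- the "ID" shown in Patch Manager

SELECT
    v.Vul_ID,
    v.Vulnerability_Idn,                -- core-specific; do not hard-code
    p.Patch_idn,
    p.Name                AS RuleName,
    p.UniqueFileName,
    CASE p.[Ignore]
        WHEN 0 THEN 'enabled'
        WHEN 1 THEN 'disabled'
    END                   AS RuleState,
    p.Download            AS CanDownload,
    p.InPatchDir          AS AlreadyDownloaded,
    p.Reboot              AS NeedsReboot,    -- 0 = no, 1 = yes
    p.CanRunSilent,
    p.Uninstallable,
    s.Vul_ID              AS SupersededBy   -- NULL when the rule is current
FROM Vulnerability AS v
JOIN Patch AS p
    ON p.Vulnerability_idn = v.Vulnerability_Idn
-- Per the column description above, SupercededByVulID holds the
-- Vulnerability_Idn of the replacing definition, so join back to
-- Vulnerability to show its readable ID.
LEFT JOIN Vulnerability AS s
    ON s.Vulnerability_Idn = p.SupercededByVulID
WHERE v.Vul_ID = @VulId
ORDER BY p.Name;
```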
ComputerVulnerability
This table ties vulnerabilities and computers together, showing which machines are vulnerable or not vulnerable to a particular vulnerability. It also shows the detection reason, the first detection date and the last date the computer was scanned for the vulnerability.
Computer_Idn: relates to the Computer table. Using the Computer_Idn you can query the Computer table to find the device name or other info.
Detected: indicates the vulnerability is detected on that computer.
PatchDetected: indicates if the patch has been identified as having been installed on the machine. 0 = Not detected, 1 = Detected, -1 = Unknown
Reason: shows the cause of detection or non-detection.
Patch: shows the specific patch that would be or was detected.
PatchInstalledState: shows if the patch was not installed (0), failed to install (1), or succeeded (2).
DateDetected: shows the first date the vulnerability was detected.
LastScanDate: shows the last date the computer was scanned for the vulnerability.
Expected: shows what value was expected.
Found: shows what was actually found on the computer.
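An added example (not LANDESK-supplied code), written for SQL Server: a report of devices on which a Critical or Important vulnerability is currently detected, with how long each has been exposed and how old the scan result is. Assumptions not stated on this page: ComputerVulnerability carries a Vulnerability_Idn column, the Computer table holds the device name in DeviceName, and Detected = 1 means detected.

```sql
-- Added example: open Critical/Important detections per device.
SELECT
    c.DeviceName,                              -- assumed column name
    v.Vul_ID,
    CASE v.Severity
        WHEN 1 THEN 'Critical'
        WHEN 2 THEN 'Important/High'
    END                                        AS SeverityName,
    v.SupercededState,                         -- 0 none, 1 some, 2 all rules
    cv.Reason,
    cv.Expected,
    cv.Found,
    CASE cv.PatchInstalledState
        WHEN 0 THEN 'not installed'
        WHEN 1 THEN 'install failed'
        WHEN 2 THEN 'install succeeded'
    END                                        AS InstallState,
    cv.DateDetected,
    DATEDIFF(day, cv.DateDetected, GETDATE())  AS DaysExposed,
    -- A large value here means the row may no longer reflect the machine.
    DATEDIFF(day, cv.LastScanDate, GETDATE())  AS DaysSinceLastScan
FROM ComputerVulnerability AS cv
JOIN Vulnerability AS v
    ON v.Vulnerability_Idn = cv.Vulnerability_Idn   -- assumed join column
JOIN Computer AS c
    ON c.Computer_Idn = cv.Computer_Idn
WHERE cv.Detected = 1          -- assumed: 1 = detected
  AND v.Type = 0               -- Vulnerabilities only
  AND v.Status = 1             -- definitions set to Scan
  AND v.Severity IN (1, 2)     -- Critical, Important/High
ORDER BY v.Severity, DaysExposed DESC, c.DeviceName;
```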
PatchHistory Table
The patchhistory table shows actions that have occurred on a computer. There are 2 unique columns that need explanation: Type and ActionCode.
Type:
TypeVulnerability= 0,
TypeSpyware= 1,
TypeSecurityCheck= 2,
TypeSoftwareUpdate= 3,
TypeUserDefined= 4,
TypeBlocker= 5,
TypeSoftware= 6,
TypeDrivers= 7,
TypeAV= 8,
TypeLastType= 8,
TypeGeneralEvent= 10,
TypeSendTaskStatus= 13,
TypeSWPackage= 20,
TypeNone= -1,
TypeLANDeskAV= 80,
TypeCompliance= 98,
TypeAlerting= 99,
TypeGroup= 100
ActionCode:
IS_NONE= 0,
IS_DOWNLOAD_FAILED= 0,
IS_LAUNCH_FAILED= 1,
IS_LAUNCH_SUCCEEDED= 2,
IS_UNINSTALL_DOWNLOAD_FAILED= 3,
IS_UNINSTALL_LAUNCH_FAILED= 4,
IS_UNINSTALL_LAUNCH_SUCCEEDED= 5,
IS_SPYWARE_REPAIR_FAILED= 6,
IS_SPYWARE_REPAIR_SUCCEEDED= 7,
IS_RT_SPYWARE_REPAIR_FAILED= 8,
IS_RT_SPYWARE_REPAIR_SUCCEEDED= 9,
IS_VIRUS_REPAIR_FAILED= 10,
IS_VIRUS_REPAIR_SUCCEEDED= 11,
IS_VIRUS_QUARANTINE_FAILED= 12,
IS_VIRUS_QUARANTINE_SUCCEEDED= 13,
IS_SUSPICIOUS_QUARANTINE_FAILED= 14,
IS_SUSPICIOUS_QUARANTINE_SUCCEEDED= 15,
IS_SUSPICIOUS_NO_ACTION_TAKEN= 16,
IS_RT_VIRUS_REPAIR_FAILED= 17,
IS_RT_VIRUS_REPAIR_SUCCEEDED= 18,
IS_RT_VIRUS_QUARANTINE_FAILED= 19,
IS_RT_VIRUS_QUARANTINE_SUCCEEDED= 20,
IS_RT_SUSPICIOUS_QUARANTINE_FAILED= 21,
IS_RT_SUSPICIOUS_QUARANTINE_SUCCEEDED= 22,
IS_APP_BLOCK_FAILED= 23,
IS_APP_BLOCK_SUCCEEDED= 24,
IS_AVSERVICE_FAILED_TO_START= 25,
IS_VIRUS_FOUND= 26,
IS_RT_VIRUS_FOUND= 27,
IS_SUSPICIOUS_FOUND= 28,
IS_RT_SUSPICIOUS_FOUND= 29,
IS_REBOOT_NEEDED= 30,
IS_REBOOT_NOT_NEEDED= 31,
IS_INSTALLING_AV= 32,
IS_REMOVING_AV= 33,
IS_INSTALLED_AV= 34,
IS_REMOVED_AV= 35,
IS_FAILED_INSTALL_AV= 36,
IS_FAILED_REMOVE_AV= 37,
IS_AV_REBOOT_PENDING= 38,
IS_LOGIN= 39,
IS_LOGOFF= 40,
Miscellaneous Patch Tables
Platform
Lists the various platforms that Vulscan can detect. Not all Platforms will be listed as patch content may be the same between similar platforms.
PatchProduct
Shows the different products detected by Patch. Not all products are expected to be in this list; these are just common ones.
PatchSettings
This is where the different settings are stored, such as proxy info for downloading updates.
PatchtoPatchProduct and PatchtoPlatform
Relates the Patch table to the PatchProduct and Platform tables.
PatchTrend, PatchTrendCompCounts, and PatchTrendScoped
Shows trending information for patches. Trend data is captured during Gather Historical Data tasks.
VulcountsScoped
Shows detection counts for vulnerabilities with the various scopes applied.
It also shows if vulnerabilities are set to be scanned or autofixed by scope (9.6sp1+).
Conclusion
This document describes the main tables used in patch and lists information about columns that would be useful for building custom reports.