Method and system for patch management

US 20040210653A1
Filed: 04/16/2004
Published: 10/21/2004
Est. Priority Date: 04/16/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for updating and maintaining current operating information on a processor-based target device, the method comprising the steps of:

discovering current operating information associated with the target device;

comparing the current operating information associated with the target device with updated operating information retrievable from a database;

identifying at least one patch applicable to the discovered current operating information associated with the target device;

determining if the at least one identified patch has been applied on the target device and, if necessary, applying the at least one identified patch on the target device; and

entering an updated patch status of the target device in the database.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for patch management. The method and system automatically determines a set of patches applicable to a target device and initiates transfer, if necessary, to the target device and records which patches if any, have been transferred to the target device. The method and system also automatically distributes patches to a target device based on policy, state and management data. The method and system allow patches to be automatically acquired and managed for patch gap, patch vulnerability and patch security compliance.

Citations

40 Claims

1. A method for updating and maintaining current operating information on a processor-based target device, the method comprising the steps of:
- discovering current operating information associated with the target device;
  
  comparing the current operating information associated with the target device with updated operating information retrievable from a database;
  
  identifying at least one patch applicable to the discovered current operating information associated with the target device;
  
  determining if the at least one identified patch has been applied on the target device and, if necessary, applying the at least one identified patch on the target device; and
  
  entering an updated patch status of the target device in the database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the current operating information of the target device includes at least one of a group comprised of:
    - (a) an identity and version level of at least one software application program currently residing on the target device;
      
      (b) an identity and version level of at least one operating system residing on the target device;
      
      (c) an identity and version level of at least one hardware device residing on the target device; and
      
      (d) an identity and version level of at least one firmware program residing on the target device.
  - 3. The method of claim 1, further comprising the steps of:
    - querying the database to determine a patch status of the target device; and
      
      identifying gaps in patch coverage for the target device.
  - 4. The method of claim 1, wherein the target device is in communication with a server.
  - 5. The method of claim 1, wherein the discovering step includes a plurality of target devices.
  - 6. The method of claim 5, wherein the plurality of target devices include a plurality of mobile devices.
  - 7. The method of claim 1 further comprising a computer readable medium having stored therein instructions for causing a processor to execute the steps of the method.
  - 8. The method of claim 1 wherein the at least one identified patch includes two components comprising a state file for importing into the database and a manifest file used by a target agent on the target device that provides policy information and security information for the at least one identified patch.
  - 9. The method of claim 8 wherein the state file comprises patch information, detailed information about patch components and patch target information from a patch authority and wherein the manifest file includes patch target information from a patch authority, prerequisite and superceded path information, a plurality of indicators used to determine if a patch is properly installed and information on how to apply a patch.

10. A method for updating and maintaining current operating information on a processor-based target device, the method comprising the steps of:
- discovering current operating information associated with the target device;
  
  transferring the current operating information associated with the target device to a second device;
  
  comparing the current operating information associated with the target device with updated operating information retrievable from a database by the second device;
  
  identifying at least one patch applicable to the current operating information associated with the target device;
  
  forwarding the at least one identified patch from the second device to the target device;
  
  determining if the at least one identified patch has been applied on the target device and, if necessary, applying the at least one identified patch on the target device;
  
  generating an updated patch status on the target device;
  
  sending the updated patch status to the second device; and
  
  using the second device to enter the updated patch status of the target device in the database.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10 further comprising a computer readable medium having stored therein instructions for causing a processor to execute the steps of the method.
  - 12. The method of claim 10, wherein the second device is a server.
  - 13. The method of claim 10 wherein the current operating information of the target device includes at least one of the group comprised of:
    - (a) an identity and version level of at least one software application program currently residing on the target device;
      
      (b) an identity and version level of at least one operating system residing on the target device;
      
      (c) an identity and version level of at least one hardware device residing on the target device; and
      
      (d) an identity and version level of at least one firmware program residing on the target device.
  - 14. The method of claim 10, further comprising the steps of:
    - querying the database to determine a patch status of the target device; and
      
      identifying gaps in patch coverage for the target device.
  - 15. The method of claim 10, wherein the discovering step includes multiple target devices.
  - 16. The method of claim 10, wherein the determining step is performed by a target agent residing on the target device.

17. A system for updating and maintaining current operating information on a processor-based target device, the system comprised of:
- means for discovering current operating information associated with the target device;
  
  means for transferring the current operating information associated with the target device to a second device;
  
  means for comparing the current operating information associated with the target device with updated operating information retrievable from a database by the second device;
  
  means for identifying at least one patch applicable to the current operating information associated with the target device;
  
  means for forwarding the at least one patch from the second device to the target device;
  
  means for determining if the at least one patch has been applied on the target device and, if necessary, applying the at least one patch on the target device;
  
  means for generating an updated patch status on the target device;
  
  means for sending the updated patch status to the second device; and
  
  means for using the second device to enter the updated patch status of the target device in the database.

18. A system for updating and maintaining current operating information on a processor-based target device, the system comprised of:
- at least one target device configured to receive a patch; and
  
  a second device configured to perform a database look-up to identify at least one patch applicable to the at least one target device, the second device capable of sending to the at least one target device a list of the at least one patch applicable to the at least one target device and receiving from the at least one target device an updated message regarding the patch status of the at least one target device.
- View Dependent Claims (19, 20, 21)
- - 19. The system of claim 18, wherein the second device is a server.
  - 20. The system of claim 18, further comprised of:
    - a target agent residing in the at least one target device, the target agent capable of;
      
      receiving the list of the at least one patch applicable to the at least one target device;
      
      determining whether the at least one patch has been applied to the at least one target device;
      
      generating a patch status for the at least one target device; and
      
      sending the patch status to the second device.
  - 21. The system of claim 19, further comprising of an administrator capable of querying the database to determine a patch status of the at least one target device.

22. The system of clam 21, wherein the administrator can query the database when the target device is not in communication with the second device.

23. A method for updating and maintaining current operating information on a processor-based target device, the method comprised of:
- discovering current operating information associated with a target device;
  
  comparing the current operating information against a desired state of information, for the target device to determine, based on policy data associated with the target device, whether at least one patch needs to be applied to the target device;
  
  transferring the desired state of information to the target device;
  
  having a target agent compare the desired state of information to the current operating information in order to identify if at least one patch should be applied to the target device;
  
  sending a patch list from the target agent to a second device requesting at least one patch that should be applied to the target device;
  
  forwarding the at least one patch from the second device to the target device; and
  
  applying the at least one patch to the target device.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The method of claim 23, wherein the second device is a server.
  - 25. The method of claim 23, wherein the comparing step is performed using a differencing method.
  - 26. The method of claim 23, wherein the at least one patch that the policy data indicates should be applied to the target device is sent to the target device without a request from the target agent.
  - 27. The method of claim 26, wherein the policy data includes qualitative information about each patch.
  - 28. The method of claim 27, wherein an administrator determines, based on the qualitative information, whether a patch should be applied on the target device.
  - 29. The method of claim 28, wherein the determination of the administrator is included in the policy data.

30. A data processing system for updating and maintaining current operating information on a processor-based target device, the data processing system comprised of a component for:
- discovering current operating information associated with the target device;
  
  comparing the current operating information associated with the target device with updated operating information retrievable from a database;
  
  identifying at least one patch applicable to the current operating information associated with the target device;
  
  determining if the at least one patch has been applied on the target device and, if necessary, applying the at least one patch of the target device; and
  
  entering an updated patch status of the target device in the database.
- View Dependent Claims (31, 32)
- - 31. The data processing system of claim 30, wherein the target device is in communication with a second device.
  - 32. The data processing system of claim 30, wherein the second device is a server.

33. A computer readable medium having computer executable instructions for performing a method comprising:
- discovering current operating information associated with the target device;
  
  comparing the current operating information associated with the target device with updated operating information retrievable from a database;
  
  identifying at least one patch applicable to the current operating information associated with the target device;
  
  determining if the at least one patch has been applied on the target device and, if necessary, applying the at least one patch on the target device; and
  
  entering an updated patch status of the target device in the database.
- View Dependent Claims (34)
- - 34. The computer readable medium of claim 33, having computer executable instructions for performing a method further comprising:
    - transferring the current operating information associated with the target device to a second device;
      
      forwarding the at least one patch from the second device to the target device;
      
      generating an updated patch status on the target device;
      
      sending the updated patch status to the second device; and
      
      using the second device to enter the updated patch status of the target device in the database.

35. A method for managing patches for software., comprising:
- automatically acquiring a plurality of patches from a plurality of vendors for a plurality of software products;
  
  automatically discovering current operating information associated with a plurality of target devices;
  
  automatically completing a vulnerability assessment for the acquired plurality of patches using the discovered current operating information associated with the plurality of target devices;
  
  automatically completing an impact analysis for applying the acquired plurality of patches to the discovered current operating information for the plurality of target devices;
  
  automatically deploying the plurality of patches to the plurality of target devices based on policy-based information, wherein the policy-based information includes in-part, information from the vulnerability assessment and the impact analysis; and
  
  automatically installing the deployed plurality of patches on the plurality of target devices.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The method claim 35 further comprising a computer readable medium having stored therein instructions for causing a processor to execute the steps of the method.
  - 37. The method of claim 35 wherein the step of automatically completing a vulnerability analysis includes automatically completing a patch gap analysis to determine where components of the operating information may be vulnerable to applying a patch and identifies which new patches may be required based on the discovered current operating information.
  - 38. The method of claim 35 wherein the step of automatically completing an impact analysis includes automatically completing a conflict analysis to determine what new patches may be need and how the new patches may conflict with old patches already applied to the target device.
  - 39. The method of claim 35 further comprising automatically verifying application of the deployed plurality of patches on the plurality of target devices.
  - 40. The method of claim 35 further comprising, automatically performing quality assurance operations on the plurality of target devices to provide a desired level of quality for application of the deployed plurality of patches on the plurality of target devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Novadigm, Inc. (HP Inc.)
Inventors
McCullough, Greg, Hammond, Richard P., Kanoor, Madhu, Lagrasta, Sam, Clarizio, Dan, Fitzgerald, Joseph J.

Application Number

US10/826,481
Publication Number

US 20040210653A1
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

G06F 8/65 Updates security arrangemen...

Method and system for patch management

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for patch management

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links