Patches
What are patch issues?
A patch is a security update for an operating system. The Nanitor agent installed on your assets checks for missing patches and reports them to the server. When a patch is missing, Nanitor raises a patch issue that includes information about the patch itself along with a link to the patch provider.
Nanitor tracks two important dates for each patch:
- Vendor release date — When the patch was published by the vendor
- Discovery date — When Nanitor first detected the missing patch on an asset
These dates can differ. For example, if you add a new asset to Nanitor after a patch was released, the discovery date will be when you onboarded the asset, not when the vendor originally released the patch.
Patch age in Nanitor is calculated from the discovery date (when the patch was first or most recently found missing), not the vendor release date. This gives you an accurate picture of how long the patch has been outstanding in your environment.
A missing patch will often exist on multiple assets. A patch issue is only considered resolved when the patch has been installed on all affected assets.
Patch issues can also reopen more than once over the life of your Nanitor deployment. If a patch issue was previously resolved but a new asset is later added where that same patch is missing, the issue will reopen.
Available Patches for Vulnerabilities
When viewing a vulnerability issue, the Available Patches tab shows which vendor patches address the vulnerability.
How patches are grouped
Patches are grouped by specific OS build (e.g., "Windows Server 2016 Datacenter 14393") so you only see updates relevant to your exact version. This mirrors how Microsoft publishes advisories and ensures you're looking at the right patches for your environment.
Top Match vs Alternative
- Top Match — The recommended patch based on supersedence and patch type. This is typically the most current cumulative update that addresses the vulnerability. Start here when planning remediation.
- Alternative — Other valid patches that also address the vulnerability. These may be older updates or different patch types.
The Top Match helps you prioritize when multiple patches exist, distinguishing between critical security updates and standard cumulative updates.
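The following is an added example (not Nanitor's code) of how a Top Match can be derived from supersedence and patch type once patches are grouped by OS build. The patch records, their supersedence links, the second build name and the type ranking are constructed assumptions; the page only states that the Top Match is based on supersedence and patch type and is typically the most current cumulative update.

```python
from collections import defaultdict

# Constructed patch records: id, OS build, patch type, and the ids this patch supersedes.
# These are illustrative values, not real Microsoft KB numbers.
PATCHES = [
    {"id": "KB-EX-1001", "build": "Windows Server 2016 Datacenter 14393",
     "type": "cumulative", "supersedes": []},
    {"id": "KB-EX-1002", "build": "Windows Server 2016 Datacenter 14393",
     "type": "cumulative", "supersedes": ["KB-EX-1001"]},
    {"id": "KB-EX-1003", "build": "Windows Server 2016 Datacenter 14393",
     "type": "security", "supersedes": []},
    {"id": "KB-EX-2001", "build": "Windows Server 2019 Datacenter 17763",
     "type": "cumulative", "supersedes": []},
]

# Assumed preference when more than one unsuperseded patch remains in a build group:
# the current cumulative update ranks first, a security-only update second.
TYPE_RANK = {"cumulative": 0, "security": 1}


def group_by_build(patches):
    """Group patches by exact OS build so only updates for that version are compared."""
    groups = defaultdict(list)
    for p in patches:
        groups[p["build"]].append(p)
    return dict(groups)


def rank_group(group):
    """Return (top_match, alternatives) for one OS build group.

    A patch that is superseded by another patch in the same group is never the
    Top Match; among the remaining candidates the assumed type ranking decides.
    """
    superseded = {old for p in group for old in p["supersedes"]}
    current = [p for p in group if p["id"] not in superseded]
    current.sort(key=lambda p: (TYPE_RANK.get(p["type"], 99), p["id"]))
    top = current[0]
    alternatives = [p for p in group if p is not top]
    return top, alternatives


def available_patches(patches):
    """Map each OS build to its (top_match, alternatives) pair."""
    return {build: rank_group(g) for build, g in group_by_build(patches).items()}


if __name__ == "__main__":
    for build, (top, alts) in available_patches(PATCHES).items():
        print(build)
        print("  Top Match:  ", top["id"], f"({top['type']})")
        print("  Alternative:", ", ".join(a["id"] for a in alts) or "none")
```

Here KB-EX-1002 supersedes KB-EX-1001, so the older cumulative update drops to Alternative together with the security-only update, which is exactly the distinction the Top Match is meant to make for you.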
Patch Report
The patch status report can be accessed from the Reports menu.
The report is grouped by your existing labels. Since an asset can belong to multiple labels, the same patch may be listed under multiple groups. The overview section shows:
- Total number of existing patches
- Overdue patches — where the discovery date is older than 30 days
The report also tells you which assets are missing each patch. Clicking on the links in the report takes you to a filtered list of issues or assets.
For example, the report shows all P1 patches (issues with a priority score between 60 and 80). You can also use the report to see patch issues that have been resolved within the last 30 days, helping you track your patching progress over time.
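The following added example (not Nanitor's report code) applies the rules stated above to a few constructed patch issues: grouping by label, with an asset that carries two labels so its patch shows under both groups; overdue patches whose discovery date is older than 30 days; P1 patches with a priority score between 60 and 80; and patches resolved within the last 30 days. The field names, patch ids, asset names and label memberships are assumptions.

```python
from collections import defaultdict
from datetime import date

OVERDUE_AFTER_DAYS = 30   # overdue: discovery date older than 30 days
RECENT_WINDOW_DAYS = 30   # "resolved within the last 30 days"
P1_RANGE = (60, 80)       # P1: priority score between 60 and 80

# Constructed patch issues. Each carries the assets it was found missing on and the
# labels of each asset (asset-to-label membership is an assumption for illustration).
ISSUES = [
    {"patch": "KB-EX-3001", "priority": 72, "discovered": date(2024, 4, 2),
     "resolved": None,
     "missing_on": {"web-01": ["Production", "DMZ"], "web-02": ["Production"]}},
    {"patch": "KB-EX-3002", "priority": 45, "discovered": date(2024, 5, 1),
     "resolved": None,
     "missing_on": {"db-01": ["Production"]}},
    {"patch": "KB-EX-3003", "priority": 65, "discovered": date(2024, 3, 1),
     "resolved": date(2024, 4, 25),
     "missing_on": {"web-01": ["Production", "DMZ"]}},
]


def is_open(issue):
    return issue["resolved"] is None


def by_label(issues):
    """Group open patches under every label of every asset missing them.

    An asset with two labels makes the same patch appear under both groups,
    which is why a patch can be listed more than once in the report.
    """
    groups = defaultdict(lambda: defaultdict(list))
    for issue in filter(is_open, issues):
        for asset, labels in issue["missing_on"].items():
            for label in labels:
                groups[label][issue["patch"]].append(asset)
    return {label: dict(patches) for label, patches in groups.items()}


def overdue(issues, today):
    """Open patches whose discovery date is older than the overdue threshold."""
    return [i["patch"] for i in issues
            if is_open(i) and (today - i["discovered"]).days > OVERDUE_AFTER_DAYS]


def p1(issues):
    """Open patches whose priority score falls in the P1 band."""
    lo, hi = P1_RANGE
    return [i["patch"] for i in issues if is_open(i) and lo <= i["priority"] <= hi]


def recently_resolved(issues, today):
    """Patches resolved within the recent window, for tracking patching progress."""
    return [i["patch"] for i in issues
            if not is_open(i) and (today - i["resolved"]).days <= RECENT_WINDOW_DAYS]


def build_report(issues, today):
    return {
        "total_open": sum(1 for i in issues if is_open(i)),
        "overdue": overdue(issues, today),
        "p1": p1(issues),
        "recently_resolved": recently_resolved(issues, today),
        "by_label": by_label(issues),
    }


if __name__ == "__main__":
    report = build_report(ISSUES, today=date(2024, 5, 10))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the report date set to 2024-05-10, KB-EX-3001 (discovered 38 days earlier) is overdue while KB-EX-3002 (9 days) is not, and KB-EX-3001 appears under both the Production and DMZ groups because web-01 carries both labels.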
Patch Events
Nanitor keeps track of patch-related activities so you can trace the history of any patch issue. You can view these in the activity log.
You can filter on the following patch events:
- Patch installed on asset — The patch was successfully applied to an asset
- Patch issue created — The first asset was discovered with this missing patch
- Patch issue resolved — The patch has been installed on all affected assets
- Patch status changed on asset — The priority rating on the patch issue was raised due to the age of the missing patch
- Patch uninstalled on asset — A previously installed patch was removed. This typically happens when a patch caused problems on the asset and was rolled back.
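The following added example (not Nanitor's code) models the patch-issue lifecycle described at the top of this page together with the events listed above: the discovery date per asset, patch age measured from discovery rather than vendor release, resolution only when every affected asset is patched, reopening when a new asset turns up missing the patch, and the event recorded at each transition. The class, its method names, and the patch and asset ids are assumptions; the event names are those listed above.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class PatchIssue:
    """Constructed model of one patch issue spanning several assets."""
    patch_id: str
    vendor_release: date                     # when the vendor published the patch
    first_missing: Dict[str, date] = field(default_factory=dict)  # asset -> date found missing
    installed: Set[str] = field(default_factory=set)
    events: List[str] = field(default_factory=list)
    reopen_count: int = 0

    def report_missing(self, asset: str, seen: date) -> None:
        """The agent on `asset` reported the patch missing on date `seen`."""
        if not self.first_missing:
            self.events.append("Patch issue created")
        was_resolved = self.is_resolved()
        if asset in self.installed:
            # Installed earlier, missing again: the patch was rolled back on this asset,
            # and the age for this asset restarts from the new sighting.
            self.installed.discard(asset)
            self.events.append(f"Patch uninstalled on asset {asset}")
            self.first_missing[asset] = seen
        elif asset not in self.first_missing:
            self.first_missing[asset] = seen
        if was_resolved:
            self.reopen_count += 1   # a resolved issue reopens when a new asset needs it

    def report_installed(self, asset: str) -> None:
        """The agent on `asset` reported the patch installed."""
        if asset in self.first_missing and asset not in self.installed:
            self.installed.add(asset)
            self.events.append(f"Patch installed on asset {asset}")
            if self.is_resolved():
                self.events.append("Patch issue resolved")

    def open_assets(self) -> Set[str]:
        return set(self.first_missing) - self.installed

    def is_resolved(self) -> bool:
        # Resolved only once every affected asset has the patch installed.
        return bool(self.first_missing) and not self.open_assets()

    def discovery_date(self) -> Optional[date]:
        # Earliest sighting among assets still missing the patch. After a reopen only the
        # newly found assets are open, so the discovery date (and the age) restarts there.
        open_dates = [self.first_missing[a] for a in self.open_assets()]
        return min(open_dates) if open_dates else None

    def age_days(self, today: date) -> Optional[int]:
        """Patch age as Nanitor counts it: from discovery, not vendor release."""
        d = self.discovery_date()
        return (today - d).days if d else None

    def days_since_vendor_release(self, today: date) -> int:
        return (today - self.vendor_release).days


def run_scenario() -> PatchIssue:
    """Constructed timeline: two assets found missing, both patched, then a third appears."""
    issue = PatchIssue("KB-EXAMPLE-0001", vendor_release=date(2024, 1, 9))
    issue.report_missing("srv-01", date(2024, 1, 15))
    issue.report_missing("srv-02", date(2024, 1, 20))
    issue.report_installed("srv-01")
    issue.report_installed("srv-02")          # resolved here
    issue.report_missing("srv-03", date(2024, 3, 1))  # onboarded later: issue reopens
    return issue


if __name__ == "__main__":
    issue = run_scenario()
    print("reopened:", issue.reopen_count, "times")
    print("discovery date now:", issue.discovery_date())
    print("age on 2024-03-11:", issue.age_days(date(2024, 3, 11)), "days")
    print("days since vendor release:", issue.days_since_vendor_release(date(2024, 3, 11)))
    for e in issue.events:
        print(" -", e)
```

On 2024-02-14 the issue is 30 days old by discovery date (first seen 2024-01-15) but 36 days past the vendor release, which is the difference between the two dates the page describes. After srv-03 is onboarded the issue reopens and its age is counted from 2024-03-01, not from January.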