[SOLVED] Antivirus vs Windows Updates

I've taken computer, network, and information security courses at the university level and we always exploited systems and networks via computers without the latest Windows updates. But you may not know a computer has been infected unless you have an antivirus. Needless to say you would want to keep both updated.

To the question: If you were the CISO of a company with many locations and a central IT department that managed the networks remotely, and you could require the local site managers to manually check for one or the other (antivirus or updates), which would you have them check on a monthly basis?

It may sound like a silly question, but a particular company is setup like that and they check for antivirus for a monthly security survey. I'm wondering why they don't check for Windows Updates as well. Maybe they have been directed to do so, but there is no documented requirement except for the antivirus. It doesn't even appear that they have a scheduled restart each week. This allows some computers to go weeks and months without the latest Windows Updates.

I spent 6+ months working in the vulnerability assessment shop of the Network Control Center when I was in the USAF. We used Windows SMS back then, but it was replaced by SCCM shortly after. I was in charge of making sure 2000+ computers receive their updates and as well as regular restarts. I feel like the company I'm referring to does not properly utilize Windows SCCM to configure restarts and updates.

What should I do? I've been working for this company for a few years now. Not in the IT department either.
Last edited:


Since you're not in the IT Department, it's not your concern (officially). If they have a suggestion box, you may want to ask them about more frequent updates of Windows software, but I suspect they already have enough work on their hands.

Windows updates have a tendency to break some third party and/or home-grown applications. The updates need to be tested against multiple platforms and the dozens, hundreds or even thousands of different pieces of software that the end users require to complete their tasks. Imagine the headaches of installing a Windows update and having 30% of the company workforce no longer able to perform their jobs! Testing all platforms and all applications is very time and resource intensive and most companies are not willing to hire/purchase the resources necessary to do the job.

Should it be done with each update? Absolutely! Is there any company on the planet that actually does it for every Windows update? I seriously doubt it.
Reactions: MrN1ce9uy
I know what you're saying with testing updates and breaking software. When I was in the USAF, every single update was tested before implemented via SCCM (for the most part, I'm sure not EVERY update against EVERY software) But I'm sure you're right in that most companies don't have the time or resources to do that.

It's one thing to learn about IT security, and another to see it in the real world. Government is altogether different I suppose.


I've worked both sides as well (also USAF). I used to work with SMS as well, but left that job before they made the transition to SCCM. I was also a web and database administrator and I remember some very long nights of testing new updates on the test bench (which worked fine) and then having it fail on the production server and then spending the next 12 hours recovering the server/data.

On the corporate side, I worked, briefly, setting up test beds for users to come test their software. We'd set up the test systems as close to the user's system as possible, install the update, and then have the users come up and run through a testing routine. Since they were "users" and not actual "testers" it was sometimes pointless as they had no idea why they were there and even less of an idea of how to create/follow a test plan.

The only major update that I really worked (corporate side) was the rollout of Windows XPSP3. I spent the next two months putting out fires and reminding people of why they need to save their work on the network drive instead of the local drive.

-Wolf sends