Patch and Compliance

Patch and Compliance is a complete, integrated security management solution that helps you protect your LANDesk managed devices from a variety of prevalent security risks and exposures.

Patch and Compliance provides all the tools you need in order to download the most common types of security content updates (such as vulnerabilities, spyware, configuration security threats, virus definition (pattern) files, and unauthorized applications) from LANDesk security services. You can download associated patch files, and configure and run security assessment and remediation scans on your managed devices. You can also create your own custom definitions to scan for and remediate specific, potentially harmful conditions on devices. If any security risks are detected, Patch and Compliance provides a variety of methods to remediate affected devices. Additionally, at any time you can view detailed security information for scanned devices, and generate specialized patch and compliance reports.

All of these enterprise security management tasks can be performed from the convenience of a single console.

Additionally, Patch and Compliance lets you scan managed devices, as well as core servers and console machines, for versions of installed LANDesk software and deploy the appropriate LANDesk software updates.

NOTE: About LANDesk Security Suite
The Patch and Compliance tool is the main security management component of LANDesk Security Suite. Security Suite is based on much of the primary LANDesk Management Suite functionality, supplemented with specialized security management tools such as Patch and Compliance, Antivirus, Endpoint Security (HIPS, Firewall, Device Control), and more. The Patch and Compliance tool offers the same features in Management Suite and Security Suite and is described in detail in this section. For more information on which basic LANDesk functionality is supported in Security Suite, see the LANDesk Security Suite User's Guide.

Read this section to learn about:

Looking ahead: What to do after configuring devices for security scanning and remediation

Once you understand Patch and Compliance concepts, how to navigate the user interface, and the general task workflow, and after you've configured devices to work with Patch and Compliance, you can perform the following patch and compliance management tasks:

For detailed information on performing these tasks, see Managing security content and patches, and Scanning and remediating devices.

Patch and Compliance overview

Patch and Compliance provides all of the tools you need to establish system-wide security across your network. With Patch and Compliance, you can automate the repetitive processes of maintaining security content, and organizing and viewing that content.

Use security scan tasks and policies to assess managed devices for known platform-specific vulnerabilities. You can download and manage patch executable files. Finally, you can remediate detected vulnerabilities by deploying and installing the necessary patch files, and verify successful remediation.

Additionally, you can create your own custom vulnerability definitions in order to scan managed devices for specific OS and application conditions that might threaten the operation and security of your system. Custom definitions can be configured for detection only or to do both detection and remediation. For more information, see Creating custom definitions and detection rules.

New features

Patch and Compliance offers several new capabilities, such as:

Features

With Patch and Compliance, you can:

Security content types and subscriptions

When you install LANDesk Management Suite, the Patch and Compliance tool is now included by default (previously, it was a separate add-on). However, without a Security Suite content subscription, you can only scan for LANDesk software updates and custom definitions. A Security Suite content subscription enables you to take full advantage of the Patch and Compliance tool by providing access to additional security content (definition types).

LANDesk Security Suite content types include:

For information about Security Suite content subscriptions, contact your LANDesk reseller, or visit the LANDesk Web site.

The LANDesk User Community has user forums and best known methods for many LANDesk products and technologies. To access this valuable resource, go to: http://community.landesk.com

Using Download Updates

Note that the Updates page of the Download updates dialog box includes several security content types in the definition types list.

Scanning and remediation functions are not the same for these various content types. For more information on how Patch and Compliance scans for and remediates detected security risks on managed devices, see the appropriate sections in Scanning and remediating devices.

Supported device platforms

Patch and Compliance supports most of the standard LANDesk-managed device platforms, including the following operating systems:

For information on configuring managed devices for security scanning, see Configuring devices for security scanning and remediation later in this section.

NOTE: Scanning core servers and consoles for LANDesk software updates is supported
You can also scan LANDesk core servers and consoles for LANDesk software updates, but those machines must first have the standard LANDesk agent deployed, which includes the security scanner agent required for security scanning tasks.

Role-based administration with Patch and Compliance

Patch and Compliance uses role-based administration to allow users access to features. Role-based administration is the access and security framework that lets LANDesk Administrators restrict user access to tools and devices. Each user is assigned specific roles and scope that determine which features they can use and which devices they can manage.

Administrators assign these roles to other users with the Users tool in the console. Patch and Compliance is a specific right that appears under the Security rights group in the Roles dialog box. In order to see and use the Patch and Compliance tool, a user must be assigned the necessary Patch and Compliance right.

IMPORTANT: LANDesk Script Writers group permission required
In order to create scheduled tasks and policies in the Patch and Compliance tool and the Security Configurations tool (for security and compliance scan tasks, repair tasks, and change settings tasks), a user must have the LANDesk Script Writers group permission. In other words, they must belong to a group that has the LANDesk Script Writers permission assigned. For more information about role-based administration, see Role-based administration.

With the Patch and Compliance right, you can provide users the ability to:

Patch and compliance task workflow

The following steps provide a quick summary outline of the typical processes involved in implementing patch and compliance management on your LANDesk network. Each of these procedures is described in detail in subsequent sections.

Basic steps in implementing and using patch and compliance management:

  1. Configure managed devices for security scans and remediation with the security scanner agent (via agent configuration or install/update tasks).
  2. Download security content (vulnerability and other security risk definitions) from a security content server (updated from industry/vendor data sources). Also, create custom definitions if desired.
  3. Organize and view security content.
  4. Create security and compliance assessment scan tasks.
  5. Configure scan and repair settings to determine scanner operation and end-user options. These settings define your security compliance policies.
  6. Use your customized scan tasks and settings to scan target devices for vulnerabilities, spyware, security threats, blocked applications, etc.
  7. View scan results for scanned devices.
  8. Download patches that will remediate detected vulnerabilities.
  9. Repair detected vulnerabilities by deploying and installing patches to affected devices.
  10. Repair other detected security risks and exposures.
  11. View patch installation status and repair history information. You can also generate security-specific reports.

Understanding and using the Patch and Compliance tool

The Patch and Compliance tool window, like all other LANDesk tools, is opened from either the Tools menu or the Toolbox and can be docked, floated, and tabbed with other open tool windows (see Dockable tool windows).

NOTE: Patch and Compliance right
In order to see and access the Patch and Compliance tool, users must have either the LANDesk Administrator right (implying full rights), or the specific Patch and Compliance right. For more information about user roles and rights, see Role-based administration.

To open the Patch and Compliance tool, click Tools > Security > Patch and Compliance.

The Patch and Compliance window contains a toolbar and two panes. The left-hand pane shows a hierarchical tree view of security type definition and detection rule groups. You can expand or collapse the objects as needed.

The right-hand pane displays a column list of the selected group's definition details or detection rule details, depending upon which group you've selected in the left-hand pane, plus a Find feature for searching in long item lists.

NOTE: Characters not allowed when searching a list
In the Find box, the following characters are not supported: <, >, ', ", !

The Patch and Compliance tool window contains a toolbar with the following buttons:

Toolbar buttons

Type drop-down list

Use the Type drop-down list to determine which downloaded definitions display in the tree view. Definition types are designated by the publisher of the content. Filtering the display can be helpful if you want to see only one specific type of security content, or if you want to narrow down an extremely long comprehensive list.

The Type drop-down list includes the following options:

The left pane of the Patch and Compliance window shows the following items:

Tree view

The root object of the tree view contains all of the security types such as vulnerabilities, spyware, security threats, blocked applications, and custom definitions groups (and associated detection rule groups, if applicable). The root object can be expanded and collapsed as needed.

All Types (or the currently selected type name)

Contains the following subgroups:

The Detected list is a composite of all detected security definitions found by the most recent scan. The Scanned and Detected columns are useful in showing how many devices were scanned, and on how many of those devices the definition was detected. To see specifically which devices have a detected definition, right-click the item and click Affected computers.

Note that you can also view device-specific information by right-clicking a device in the network view, and then clicking Security and Patch Information.

You can only move definitions from the Detected group into either the Unassigned or Don't Scan groups.

By default, collected definitions are added to the Scan group during a content update. (IMPORTANT: Except for blocked applications, which are added to the Unassigned group by default.)

Scan can be considered one of three possible states for a security definition, along with Don't Scan and Unassigned. As such, a definition can reside in only one of these three groups at a time. A definition is either a Scan, Don't Scan, or Unassigned and is identified by a unique icon for each state (question mark (?) icon for Unassigned, red X icon for Don't Scan, and the regular vulnerability icon for Scan). Moving a definition from one group to another automatically changes its state.

By moving definitions into the Scan group (click-and-drag one or more definitions from another group, except the Detected group), you can control the specific nature and size of the next security scan on target devices.

NOTE: Caution about moving definitions from the Scan group
When you move definitions from the Scan to the Don't Scan group, the current information in the core database about which scanned devices detected those definitions is removed from the core database and is no longer available in either an item's Properties dialog box or in a device's Security and Patch Information dialog box. To restore that security assessment information, you would have to move the definitions back into the Scan group and run the same security scan again.

To move definitions, click-and-drag one or more from the Unassigned group into either the Scan or Don't Scan groups.

New definitions can also be automatically added to the Unassigned group during a content update by selecting the Put new definitions in the Unassigned group option on the Download updates dialog box.

You can use these product subgroups to copy definitions into the Scan group for product-specific scanning, or copy them into a custom group (see below) in order to perform remediation for groups of products at once.

Definitions can be copied from a product group into the Scan, Don't Scan, or Unassigned group, or any of the user-defined custom groups. They can reside in platform, product, and multiple custom groups simultaneously.
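The group rules above (one state group per definition, Detected derived from the latest scan, detection data discarded when a definition leaves Scan, blocked applications landing in Unassigned by default) are easy to get wrong when reasoning about what a rescan will show. The following is an added example, not LANDesk's own code: a small model that enforces those rules on constructed definition IDs, devices and scan results, so the effect of each move can be checked.

```python
"""Model of Patch and Compliance definition state groups.

Added example, not LANDesk's own code. It encodes the rules the text
describes: a definition is in exactly one of Scan, Don't Scan or
Unassigned; Detected is derived from the most recent scan results;
moving a definition out of Scan discards its detection information.
Definition IDs, devices and scan results below are constructed.
"""
from dataclasses import dataclass, field

SCAN, DONT_SCAN, UNASSIGNED = "Scan", "Don't Scan", "Unassigned"
STATES = {SCAN, DONT_SCAN, UNASSIGNED}


@dataclass
class Definition:
    def_id: str
    content_type: str            # e.g. "vulnerability" or "blocked application"
    state: str = SCAN            # exactly one of STATES at any time
    # device -> True/False from the most recent scan; only kept while in Scan
    results: dict = field(default_factory=dict)


class Repository:
    """Holds definitions and applies the group-move rules."""

    def __init__(self):
        self.defs = {}

    def add_from_update(self, d, put_new_in_unassigned=False):
        # Default placement during a content update: Scan, except blocked
        # applications (Unassigned) or when the download option says Unassigned.
        if d.content_type == "blocked application" or put_new_in_unassigned:
            d.state = UNASSIGNED
        else:
            d.state = SCAN
        self.defs[d.def_id] = d

    def move(self, def_id, target):
        d = self.defs[def_id]
        if target not in STATES:
            raise ValueError(f"unknown state group: {target}")
        if d.state == SCAN and target != SCAN:
            # Leaving Scan removes stored assessment data; it comes back only
            # after the definition is returned to Scan and the scan is rerun.
            d.results.clear()
        d.state = target

    def record_scan(self, device, detected_ids):
        # A security scan evaluates only the definitions in the Scan group.
        for d in self.defs.values():
            if d.state == SCAN:
                d.results[device] = d.def_id in detected_ids

    def detected(self):
        # Composite Detected view: Scan definitions found on at least one device.
        return sorted(d.def_id for d in self.defs.values()
                      if d.state == SCAN and any(d.results.values()))

    def counts(self, def_id):
        # (Scanned, Detected) as shown in the tool's columns.
        r = self.defs[def_id].results
        return len(r), sum(1 for v in r.values() if v)


def demo():
    """Constructed walk-through; returns the observations a reader can check."""
    repo = Repository()
    repo.add_from_update(Definition("VULN-A", "vulnerability"))
    repo.add_from_update(Definition("VULN-B", "vulnerability"))
    repo.add_from_update(Definition("APP-C", "blocked application"))
    repo.record_scan("pc01", {"VULN-A"})
    repo.record_scan("pc02", set())
    before = (repo.detected(), repo.counts("VULN-A"), repo.defs["APP-C"].state)
    repo.move("VULN-A", DONT_SCAN)          # detection data is discarded here
    after_move = (repo.detected(), repo.counts("VULN-A"))
    repo.move("VULN-A", SCAN)               # data returns only after rescanning
    repo.record_scan("pc01", {"VULN-A"})
    return before, after_move, repo.counts("VULN-A")


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the Scanned/Detected counts for VULN-A dropping to zero after the move to Don't Scan and only partially returning after one device is rescanned, which is the practical reason to treat that move as destructive rather than as a view filter.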

Groups

Contains the following subgroups:

Detection Rules

The Detection Rules group displays only for certain security content types.

NOTE: Detection rules
These rules define the specific conditions (of the operating system, application, file, or registry) that a definition checks for in order to detect the associated security risk. Definitions (i.e., content types) that use detection rules include: vulnerabilities, security threats, and custom definitions. Spyware and blocked applications do not use detection rules.

The Detection Rules group contains the following subgroups:

By default, detection rules associated with a definition of any security content type are added to the Detection Rules Scan group during a content update. Likewise, custom detection rules associated with a custom definition are added to the Scan group when you create the custom definition.

Note that in addition to having a definition's detection rules enabled, its corresponding patch executable file must also be downloaded to a local patch repository on your network (typically the core server) before remediation can take place. The Downloaded attribute (one of the detail columns in the tool window's right-hand pane) indicates whether the patch associated with that rule has been downloaded.
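To make the two preceding points concrete (a rule is a set of OS, file and registry conditions that must all hold for the risk to count as detected, and detection alone does not permit repair until the rule is enabled and its patch is downloaded), here is an added example. It is not LANDesk's rule format or scanner: the rule structure, the inventory layout, and every path, version and registry value are constructed for illustration.

```python
"""Detection-rule evaluation and the Downloaded gate for remediation.

Added example, not LANDesk's rule format or scanner. A rule here is a
set of conditions over a constructed device inventory (OS name, file
versions, registry values); a definition is detected when every
condition holds, and repair is allowed only for an enabled rule whose
patch is flagged as downloaded. Rule IDs, paths and values are constructed.
"""
from dataclasses import dataclass, field


def _ver(s):
    """Compare dotted versions numerically ('4.10.2' < '4.9.0' is False)."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class DetectionRule:
    rule_id: str
    os_name: str
    fixed_versions: dict = field(default_factory=dict)    # path -> first fixed version
    registry_markers: dict = field(default_factory=dict)  # key -> value that signals risk
    enabled: bool = True
    patch_downloaded: bool = False


def evaluate(rule, inventory):
    """True when the device matches all conditions, i.e. the risk is present."""
    if not rule.enabled or inventory.get("os") != rule.os_name:
        return False
    files = inventory.get("files", {})
    for path, fixed in rule.fixed_versions.items():
        # Product absent, or already at/after the fixed version: not vulnerable.
        if path not in files or _ver(files[path]) >= _ver(fixed):
            return False
    reg = inventory.get("registry", {})
    for key, marker in rule.registry_markers.items():
        if reg.get(key) != marker:
            return False
    return True


def can_remediate(rule):
    """Repair needs the rule enabled and its patch in the local repository."""
    return rule.enabled and rule.patch_downloaded


def assess(rules, inventory):
    """Map rule_id -> 'detected', 'detected-no-patch' or 'not detected'."""
    out = {}
    for r in rules:
        if not evaluate(r, inventory):
            out[r.rule_id] = "not detected"
        else:
            out[r.rule_id] = "detected" if can_remediate(r) else "detected-no-patch"
    return out


# Constructed rules and inventory; names and values are illustrative only.
SAMPLE_RULES = [
    DetectionRule("R-1", "Windows XP", {"C:\\App\\app.exe": "4.10.0"}, patch_downloaded=True),
    DetectionRule("R-2", "Windows XP", {"C:\\Other\\other.dll": "2.0.0"}),
    DetectionRule("R-3", "Windows XP", registry_markers={"HKLM\\Software\\Acme\\Legacy": "1"}),
    DetectionRule("R-4", "Windows 2000", {"C:\\App\\app.exe": "4.10.0"}, patch_downloaded=True),
]

SAMPLE_INVENTORY = {
    "os": "Windows XP",
    "files": {"C:\\App\\app.exe": "4.9.3", "C:\\Other\\other.dll": "1.5.0"},
    "registry": {"HKLM\\Software\\Acme\\Legacy": "0"},
}

if __name__ == "__main__":
    print(assess(SAMPLE_RULES, SAMPLE_INVENTORY))
```

The `detected-no-patch` outcome is the case the Downloaded column exists for: the scan has found the condition, but a repair task for that rule cannot proceed until the patch file is in the repository. Note also that version comparison is numeric per component; a string comparison would wrongly treat 4.10.0 as older than 4.9.3.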

You can use these product subgroups to perform group operations.

Settings

The Settings group lets you view the various settings you've created for security scanning tasks. You can right-click any of the Settings groups to create new settings and to view the settings information in a report format.

Contains the following subgroups:

Definition details

The right pane of the Patch and Compliance window displays detailed information listed in sortable columns for definition and detection rule items, as described below:

Using a definition shortcut menu

You can right-click an item to view more details with the Properties option.

A definition's shortcut menu also lets you do the following tasks (depending on the security type):

Detection Rule details

Right-click a detection rule to view more details with the Properties option. The shortcut menu also lets you enable/disable the rule, download the associated patch, open the patch repository folder, and uninstall the patch.

Configuring devices for security scanning and remediation

Before managed devices can be scanned for vulnerabilities, spyware, security threats, and other security types, and receive patch deployments or software updates, they must have the security scanner agent installed (this agent is installed by default with the standard LANDesk agent).

This section includes information about configuring Windows devices for security scanning via an agent configuration, and information about configuring Linux, UNIX and Mac devices.

NOTE: Scanning core servers and consoles for LANDesk software updates is supported
You can also scan LANDesk core servers and consoles for LANDesk software updates, but they must first have the standard LANDesk agent deployed, which includes the security scanner agent required for security scanning tasks.

Configuring Windows devices for security scanning

The security scanner agent is included by default with the standard LANDesk agent and is installed on devices with even the most basic agent configuration. In other words, any Windows device configured with the Agent configuration tool will be ready for patch and compliance scanning and remediation.

Using the Agent Configuration tool

Use the Agent Configuration tool (Tools > Configuration > Agent Configuration > New Windows configuration) to create agent configurations with specified Patch and Compliance scanning settings, and other security settings, that can be deployed to target devices.

To configure devices for security scanning and remediation via an agent configuration
  1. In the console, click Tools > Configuration > Agent Configuration.
  2. Click the New Windows toolbar button.
  3. After specifying your desired settings for the agent configuration, click the Security and Compliance group, and then click Patch and Compliance Scan.
  4. Select how you want the security scanner to run on your managed devices. For more information about an option, click Help.
  5. Select scan and repair settings from the available list to apply them to the agent configuration you're creating. You can create new settings or edit existing settings by clicking Configure. Scan and repair settings determine whether the security scanner displays on devices while running, reboot options, user interaction, and the security content types scanned.
  6. Finish specifying any other desired settings for the agent configuration and then click Save.

When creating or editing an agent configuration, you can specify some of the security scanner options, such as when and how often the scanner runs automatically on managed devices, whether the scanner displays progress and prompts on the end user device, as well as global settings for remediation operations such as device reboot and autofix. For more information on customizing the behavior of the security scanner agent as part of creating and deploying agent configurations to managed Windows devices, see Deploying Security services.

NOTE: WinSock2 is required on Windows 9x devices in order for the security scanner agent to run.

After agent configuration occurs, a program icon for the security scanner is added to the LANDesk Management program group in the Start menu on the managed device. This program can be used to run the scanner directly from the device as opposed to any runkey launch, recurring local scheduler launch, or scheduled task via the console.

Additional security settings in agent configurations

When defining a device agent configuration (for Windows devices), you can also enable and configure complementary security features, such as:

See the sections below for more information.

About the Frequent Security scan page

Use this page to enable and configure high-frequency scanning for critical, time-sensitive security risks such as recently discovered malicious viruses and firewall configuration risks.

This page contains the following options:

About the Spyware and Application Blocker pages

Use these pages to enable and configure spyware detection and real-time application blocking and removal on managed devices configured with this agent configuration.

NOTE: Blocked application disclaimer
For legal information about blocked application content, see the Legal disclaimer for the blocked applications type.

Real-time spyware detection checks only for spyware definitions that reside in the Scan group, and that have autofix turned on. You can either manually enable the autofix option for downloaded spyware definitions, or configure spyware definition updates so that the autofix option is automatically enabled when they are downloaded.

Real-time spyware detection monitors devices for newly launched processes that attempt to modify the local registry. If spyware is detected, the security scanner on the device prompts the end user to remove the spyware.

This page contains the following options:

With real-time application blocking, remediation is NOT a separate task. Application blocking takes place as part of the security scan itself, by editing the registry on the local hard drive to disable user access to those unauthorized applications. Security services use the Software license monitoring tool's softmon.exe feature to deny access to specified application executables, even if the executable file name has been modified, because softmon.exe reads the file header information rather than relying on the name.
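The reason header-based identification holds up against a renamed file is worth seeing in code. The following is an added example and not the logic of softmon.exe: it parses the DOS header of a PE image, follows e_lfanew to the PE signature, fingerprints the COFF header plus optional header, and checks the fingerprint against a blocklist keyed by that fingerprint rather than by file name. The minimal PE images and the single blocklist entry are constructed; real executables carry far more header data than this stub, and a production blocker would also hash more of the image.

```python
"""Identifying an executable by header content rather than file name.

Added example, not the logic of softmon.exe. It parses the DOS header,
follows e_lfanew to the PE signature and fingerprints the COFF header
plus optional header, then checks the fingerprint against a blocklist,
so a renamed copy of the same executable still matches while a different
build does not. The PE images and the blocklist entry are constructed.
"""
import hashlib
import struct
from typing import Optional


def pe_fingerprint(data: bytes) -> Optional[str]:
    """SHA-256 of the COFF + optional header; None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff_start = e_lfanew + 4                       # 20-byte COFF file header
    if len(data) < coff_start + 20:
        return None                                 # truncated image
    size_of_optional = struct.unpack_from("<H", data, coff_start + 16)[0]
    header = data[coff_start:coff_start + 20 + size_of_optional]
    if len(header) < 20 + size_of_optional:
        return None                                 # truncated optional header
    return hashlib.sha256(header).hexdigest()


def build_pe(timestamp: int) -> bytes:
    """Constructed minimal PE image: DOS header, PE signature, COFF header only."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    # Machine=i386, 1 section, TimeDateStamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos + b"PE\0\0" + coff


# Constructed blocklist keyed by header fingerprint, not by name.
BLOCKED = {pe_fingerprint(build_pe(0x1234)): "example-unauthorized-app"}


def is_blocked(filename: str, data: bytes) -> bool:
    """The name is ignored on purpose; only the header fingerprint counts."""
    fp = pe_fingerprint(data)
    return fp is not None and fp in BLOCKED


if __name__ == "__main__":
    same_build = build_pe(0x1234)
    print(is_blocked("game.exe", same_build), is_blocked("notepad.exe", same_build))
```

Both calls in the `__main__` block return True because the bytes are identical regardless of the name passed in, while an image built with a different timestamp produces a different fingerprint and is not blocked. Non-PE data yields no fingerprint at all, so the check fails closed rather than raising.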

This page contains the following options:

Configuring Linux and UNIX devices for security scanning

Patch and Compliance also supports vulnerability scanning on:

For each platform, security content can be downloaded with Patch and Compliance just as with Windows vulnerabilities.

Linux and UNIX devices can't be configured with the security scanner agent via the console's agent configuration tool. Linux and UNIX device configuration is a manual process. For more information about setting up Linux and UNIX devices, see Configuring Linux and UNIX device agents. You can also see the README file contained in the respective platform's tar file located in the platforms folder under ManagementSuite\LDLogon on the core server.

Once configured, Linux and UNIX platforms can be scanned for vulnerabilities via scheduled tasks from the console. If vulnerabilities are detected, remediation must be performed manually at the affected device.

Configuring Mac OS X devices for security scanning

On Macintosh OS X devices, Patch and Compliance supports security content downloads, as well as security scanning and remediation.

Additionally, you can create and configure agent configuration for your Macintosh devices with the Agent configuration tool. As with Windows agent configuration, the security scanner agent is part of the default standard LANDesk agent for Macintosh devices. To create and deploy a Macintosh agent configuration with security scanner support, see Managing Macintosh devices.

Once configured, Macintosh devices can be scanned for vulnerabilities via scheduled tasks from the console. If vulnerabilities are detected, remediation must be performed at the affected device.

To launch the security scanner manually on Mac devices
  1. Open the Mac OS X System Preferences and select the LANDesk Client page.
  2. On the Overview tab, click Check Now in the Security section.
Legal disclaimer for the blocked applications type

NOTE: Disclaimer
As a convenience to its end users, LANDesk provides access to a database containing certain information regarding executable files that an end user may utilize in connection with the application blocker functionality of the LANDesk Security Suite. THIS INFORMATION IS PROVIDED AS-IS WITHOUT ANY EXPRESS, IMPLIED, OR OTHER WARRANTY OF ANY KIND, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. As such, LANDesk does not guarantee the accuracy, completeness or currency of this information and the end user is responsible to review and confirm this information before use. Any use of this information is at the end user's own risk.

Some of the Summary information in the blocked applications definitions is provided from http://www.sysinfo.org and is copyrighted as follows: "Presentation, format and comments Copyright © 2001-2005 Paul Collins; Portions Copyright © Peter Forrest, Denny Denham, Sylvain Prevost, Tony Klein; Database creation and support by Patrick Kolla; Software support by John Mayer; All rights reserved."