The Patch and Compliance tool window (Tools > Security > Patch and
Compliance) is where you perform security scanning, remediation,
and related tasks. You can download and
manage security content, configure security and compliance scans,
configure remediation, customize and apply security scanner
display/interaction settings, and view comprehensive
security-related information for scanned devices.
The main section for Patch and Compliance introduces this security
management tool. In that section you'll find overview and security
content subscription information, as well as step-by-step
instructions on how to use all of the tool's features, including a
description of the tool's interface and functionality. See
Understanding and using the Patch and Compliance tool.
This section contains the following online help that describes
the Patch and Compliance dialog boxes. From the console interface,
these help sections are accessed by clicking the Help button
on their respective dialog box.
Use this dialog box to configure data columns for item lists in
the Patch and Compliance tool window. You decide which data columns
are displayed so that you can sort through long lists of downloaded
security definitions and quickly and easily find the information
you need for a specific task or situation.
NOTE: Using the CVE ID data column
LANDesk security products support the CVE (Common Vulnerabilities
and Exposures) naming standard. With Patch and Compliance you can
search for vulnerabilities by their CVE names, and view CVE
information for downloaded vulnerability definitions. For more
information about the CVE naming convention, LANDesk compatibility
with the CVE standard, and how to use CVE identification to find
individual vulnerabilities in Patch and Compliance, see Using CVE names when searching for
vulnerabilities.
By adding and removing data columns, and moving them up and down
in the list (to the left and to the right in the column view), you
ensure that important, relevant information is front and
center.
Available columns: Lists the data columns that
are currently not displayed in the Patch and Compliance tool
window, but are available to add to the Selected Columns list.
Selected columns: Lists the data columns that
are currently displayed in the Patch and Compliance window. The
data columns display in a downloaded security definition list from
left to right in the same order as they appear here from top to
bottom.
Defaults: Restores the default displayed data
columns.
About the Manage filters dialog box
Use this dialog box to manage filters you can use to customize
the security content that displays in the Patch and Compliance
window's item list. You can use filters to streamline a lengthy
list.
New: Opens the Filter Properties dialog box
where you can configure a new filter's settings.
Edit: Opens the Filter Properties dialog box
where you can modify and save the selected filter.
Delete: Removes the selected filter
permanently from the database.
Use filter: Applies the selected filter to the
current item list. The applied filter persists when you click
different groups in the tree view.
About the Filter properties dialog box
Use this dialog box to create or edit security content list
filters. You can filter by operating system, security risk
severity, or any combination of both.
Filter name: Identifies the filter by a unique
name. This name appears in the Filter drop-down list.
Filter operating systems: Specifies the
operating systems whose definitions you want to display in the item
lists. Only those items associated with the operating systems you
select are displayed.
Filter severities: Specifies the severities
whose definitions you want to display in the items lists. Only
those items whose severity matches the ones you select are
displayed.
Download security content updates help
About the Download Updates dialog box
Use this dialog box to configure settings for downloading
security content updates, proxy server, patch file download
location, spyware autofix, and antivirus updates and backups.
After you specify the types of content updates you want to
download and the other options on the pages of the Download updates
dialog box:
To perform an immediate download, click Update
Now. If you click Apply, the settings you specify will
be saved and will appear the next time you open this dialog box. If
you click Close, you'll be prompted whether you want to save
the settings.
To schedule a download security content task, click
Schedule update to open the Scheduled update information
dialog box, enter a name for the task, verify the information for
the task, and then click OK to add the task to Scheduled
tasks.
To save your changes on any page of this dialog box, click
Apply.
The Download updates dialog box contains the following pages:
A basic LANDesk Management Suite installation allows you to
download and scan for LANDesk software updates, and to create and
use your own custom definitions. For all other security content
types, such as platform-specific vulnerabilities, spyware, etc.,
you must have a LANDesk Security Suite content subscription in
order to download the associated definitions.
For information about Security Suite content subscriptions,
contact your LANDesk reseller, or visit the LANDesk Web site.
Task-specific settings and global settings
Note that only the definition types, languages, and definition
and patch download settings are saved and associated with a
specific task when you create it. Those three settings are
considered task specific.
However, all of the settings on the other pages of the Download
updates dialog box are global, meaning they apply to all subsequent
security content download tasks. Global settings include: patch
download location, proxy server, spyware autofix, security alerts,
and antivirus. Any time you change a global setting, it is
effective for all security content download tasks from that point
on.
About the Updates page
Select update source site: Specifies the
LANDesk Security content server that is accessed to download the
latest definitions, detection rules, and associated patches to your
database. Select the server nearest your location.
Definition types: Identifies which security
content definitions are updated. Only those definition types for
which you have a subscription are available. The more definition
types you select, the longer the download will take.
After you've downloaded security content, you can use the
Type drop-down list in the main Patch and Compliance tool
window to determine which definition types are displayed in a list.
For information on using the list options, see Type drop-down list. For information on how the
security scanner works for each different type, see How Patch and Compliance scans for different
security risks.
Languages: Identifies the language versions of
the selected definition types that are updated.
Some vulnerability and other definition types, and any
associated patches, are language neutral or independent, meaning
they are compatible with any language version of the OS or
application addressed by that definition. In other words, you don't
need a unique language-specific patch to remediate those
vulnerabilities because the patch covers all supported languages.
For example, Linux and UNIX platforms use only language neutral
definitions and patches. However, Microsoft Windows and Apple
Macintosh platform vulnerability definitions and patches are nearly
always language specific.
When downloading content for any platform (with the appropriate
security content subscription), all of the selected platform's
language neutral vulnerability definitions are automatically
updated by default. If you've selected a Windows or Mac content
type, you must also select the specific languages whose definitions
you want to update. If you've selected the Sun Solaris or a Linux
platform, you do not have to select a specific language because
their content is language neutral and will be updated
automatically.
Download patches for definitions selected
above: Automatically downloads patch executable files to the
specified download location (see Patch Location page), according to
one of the following download options:
For detected definitions only: Downloads only
the patches associated with vulnerabilities, security threats, or
LANDesk updates detected by the last security scan (i.e., the
definitions that are currently residing in the Detected
group).
For all downloaded definitions: Downloads ALL
of the patches associated with vulnerabilities, security threats,
and LANDesk software updates currently residing in the Scan
group.
Enable automatic patch deployment using Process
Manager: Lets you configure the LANDesk Process Manager
database that is required for using the integrated automatic patch
deployment feature.
LANDesk Process Manager:
Click the button to open the Automating Patch Deployment dialog box
describing the integrated capability between LANDesk Process
Manager and the Patch and Compliance tool that allows you to create
a workflow that automates patch deployment to target devices. You
also have the option of viewing a tutorial that steps you through
this procedure. LANDesk Process Manager includes online help that
you can access any time for detailed information about its features
and how to use them.
Put new definitions in Unassigned group (unless
overridden by definition group settings): Automatically places
new definitions and associated detection rules in the Unassigned
group instead of in the default Scan group. Select this option if
you want to be able to manually move content in and out of the Scan
group in order to customize the security scan.
NOTE: Definitions that have a dependency on another
definition that already exists in a different group, such as the
Scan or Do Not Scan group, are automatically placed in that group
even if this option is selected. In other words, the dependency
relationship overrides this option so that the most recently
downloaded (new) definition is in the same group as the definition
on which it has a dependency.
NOTE: Definitions that have already been selected to be
placed in the Alert group (in the Configure Alerts
dialog box) are automatically placed in the Scan group as well,
even if this option is selected, so that the appropriate alerting
takes place.
NOTE: For the blocked application type, the default download
location is different. Blocked application definitions are
downloaded to the Unassigned group by default, not the Scan group.
Therefore you don't have to select this option if you're
downloading only blocked application definitions.
Definition group settings: Opens the
Definition group settings dialog box where you can create, manage,
and select definition groups. You can use definition group settings
to automate how security definitions (content) that match specified
type and severity criteria are downloaded, their scan status, and
the download location.
About the Proxy settings page
If your network uses a proxy server for external transmissions
(such as Internet access), use this page to enable and configure
the proxy server settings. Internet access is required for both
updating vulnerability information, and for downloading patch files
from appropriate Web services.
Use proxy server: Enables the proxy server
option (by default, this option is off). If you enable a proxy
server, you must fill in the address and port fields below.
Server:
Address: Identifies the IP address of your
proxy server.
Port: Identifies the port number of your proxy
server.
HTTP based Proxy: Enables the proxy server, if
it's an HTTP-based proxy (such as Squid), so that it will
successfully connect to and download patches from FTP sites.
(Patches hosted at some FTP sites cannot be downloaded through an
HTTP-based proxy unless you first enable this option).
Requires login: Allows you to enter a username
and password if the proxy server is credentialed instead of a
transparent proxy server.
Username: Enter a valid username with
authentication credentials to the proxy server.
Password: Enter the user's password.
About the Patch location page
Use this page to specify where patch executables are
downloaded.
UNC path where patches are stored: Specifies
where patch files are downloaded. The default location is the core
server's \LDLogon\Patch folder. You can enter a different UNC path
to download patches, but you must ensure access to that location by
entering valid authentication credentials in the fields below.
Credentials to store patches: Identifies a
valid username and password for accessing a location other than the
core server. If you're downloading patches to the default location
on the core server, the username and password fields are not
applicable.
Web URL where clients access patches:
Specifies a Web address where devices can access downloaded patches
for deployment. The default location is the core server's
\LDLogon\Patch folder. This location will normally be the same as
the UNC path specified above.
Test settings: Performs a connectivity test to
the specified Web URL.
Reset to default: Restores both the UNC path
and the Web URL to the default location, which is the core server's
\LDLogon\Patch folder.
About the LANDesk Antivirus page
Use this page to configure download options for LANDesk
Antivirus virus definition files. Keep in mind this page applies
only to actual virus definition files that are used by LANDesk
Antivirus; it does not apply to the antivirus scanner detection
content (Antivirus updates) that is available in the definition
list on the Updates page.
Use this dialog box to view properties for downloaded content
definition types, including vulnerabilities, spyware, security
threats, software updates, etc. You also use this page to create
your own custom definitions.
This information is read-only for downloaded definitions. For
custom definitions, the fields on this dialog box are editable. You
can enter identification, attribute, and detection rule details
information for a custom definition by using the available fields
on this dialog box and on the detection rule properties dialog box.
For more information, see Creating custom definitions and detection
rules.
Use the left and right arrow buttons (<, >) to view the
previous or next definition's property information, in the order
they are currently listed in the main window.
The Definition properties dialog box contains the following
pages:
ID: Identifies the selected definition with a
unique, vendor-defined alphanumeric code (or user-defined in the
case of a custom definition).
Type: Identifies the selected item as a
vulnerability, security threat, custom definition, etc.
Publish Date: Indicates the date the selected
definition was published by the vendor (or created by a user).
Title: Describes the nature or target of the
selected definition in a brief text string.
Severity: Indicates the severity level of the
definition. For downloaded content, this severity level is assigned
by the vendor. For a custom definition, the severity is assigned by
whoever created the definition. Possible severity levels include:
Service Pack, Critical, High, Medium, Low, Not Applicable, and
Unknown. Use this information to evaluate the risk posed by the
definition, and how urgent scanning and remediation are for your
network.
Status: Indicates the status of the definition
in the Patch and Compliance window. The three status indicators
are: Scan, meaning the selected item is enabled for the next
security scan; Don't Scan, meaning it won't be scanned; and
Unassigned, meaning it is in a temporary holding area and won't be
scanned. For more information about these three states/groups, see
Understanding and using the Patch and Compliance
tool.
Language: Indicates the language of the
platform identified by the definition. For custom definitions, INTL
is the default value meaning the definition is language
independent, and can't be edited.
Category: Indicates a more specific category
within an individual security content type (see above).
Detection Rules: Lists the detection rules
associated with the selected definition. Note that
Downloaded indicates whether associated patch files are
downloaded to the local repository, and Silent Install
indicates whether the patch installs without user interaction.
You can right-click a detection rule to download its associated
patch (or patches), disable/enable the detection rule for security
scanning, uninstall its associated patches, or view its properties.
You can also double-click a detection rule to view its
properties.
If you're working with a custom definition, click Add to
create a new detection rule; click Edit to modify the
selected rule; or click Delete to remove the selected rule.
For more information on custom definitions, see To create custom detection
rules.
About the Definition: Description page
Description: Provides additional details about
the selected definition. This information is provided by vendor
research and test notes (or by the user who created the custom
definition).
More information at: Provides an HTTP link to a
vendor-specific (or user-defined) Web page, typically a support
site, with more information about the selected definition.
More information for CVE ID: (Applies only to
vulnerabilities) Provides the CVE ID (name) for the selected
vulnerability, plus a link to the CVE Web page for that specific
CVE ID. For more information, see Using CVE names when
searching for vulnerabilities.
About the Definition: Dependencies page
This page displays only if the selected definition has an
associated prerequisite definition, or if another definition
depends on the selected definition before it can run. You can use
this page to make sure your security scan task contains all the
definitions necessary to operate properly before scanning
devices.
A dependency relationship can exist only for the following
security definition types:
Prerequisites: Lists any definitions that have
to be run BEFORE the selected definition can be checked for on
devices. If any of the definitions in this list aren't included in
your scan task, the selected definition won't be detected by the
security scanner.
Dependencies: Lists any definitions that won't
be detected by the security scanner until AFTER the selected
definition is run. Note that the selected definition will be
scanned for even if these definitions aren't included in your
security scan task. However, if you want your scan task to
successfully detect a definition in this list, the selected
definition must be run first.
About the Definition: Custom Variables page
This page displays ONLY if the selected security definition
includes settings or values that can be modified. Some system
configuration security threat definitions have variable settings
that you can change before including them in a security scan.
Typically, antivirus definitions also have custom variable
settings.
With custom variables you can fine-tune security threat scanning
by modifying one or more settings' values so that the scanner
checks for conditions you define, and therefore determines a device
to be vulnerable only if that condition is met (i.e., the value you
specify is detected).
NOTE: Edit Custom Variables right required
In order to edit custom variable settings, a LANDesk user must have
the Edit Custom Variables role-based administration right. Rights
are configured with the Users tool.
Every security definition with customizable variables has a
unique set of specific values that can be modified. In each case,
however, the Custom Variables page will show the following
common information:
Name: Identifies the custom variable. The name
can't be modified.
Value: Indicates the current value of the
custom variable. Unless the variable is read-only, you can
double-click this field to change the value.
Description: Provides additional useful
information about the custom variable from the definition
publisher.
Default value: Provides the default value if
you've changed it and want to restore it to its original
value.
To change a custom variable, double-click the Value
field, and either select a value if there's an available drop-down
list, or manually edit the value, and then click Apply. Note
that some variables are read-only and can't be edited (this is
usually indicated in the description).
Custom variable override settings information can be viewed in
the device's Inventory view.
NOTE: Custom variable override settings
In some situations you may want to ignore a custom variable
setting, or in other words create an exception to the rule. You
can do this with a feature called custom variable override
settings. Custom variable override settings let you decide which
custom variables to essentially ignore when scanning devices so
that they are not detected as vulnerable and are not remediated
even if they meet the actual conditions of a definition's detection
rules. You can create as many custom variable override settings as
you like, and apply them to devices using a Change settings
task. For more information, see About the Custom variable override settings dialog
box.
Detection Rule properties help
About the Detection Rule properties dialog box
Use this dialog box to view detection rule properties for
downloaded security content, or to create and edit custom detection
rules.
This information is read-only for detection rules belonging to
downloaded definitions. For custom definitions, the fields on the
pages of this dialog box are editable. You can specify detection
rule settings and configure the options on each page in order to
create custom detection rules. Furthermore, if the custom detection
rule allows remediation, you can add special commands that run
during remediation (patch install or uninstall).
You can use the left and right arrow buttons (<, >) to
view property information for the previous or next detection rule
in the order they are currently listed in the main window.
The Detection rule properties dialog box contains the following
pages:
About the Detection rule: General information page
Name: Displays the name of the detection
rule.
State: Indicates whether the detection rule is
set to scan or not to scan. These two states correspond to the Scan
and Don't Scan groups (under Detection Rules in the Patch and
Compliance window).
ID: Shows the ID of the definition associated
with this rule.
Title: Shows the title of the definition
associated with this rule.
Description: Shows the description of the
definition associated with this rule.
Comments: Provides additional information from
the vendor, if available. If you're creating or editing a custom
definition, you can enter your own comments.
Detection logic pages
The following pages refer to the detection logic used by the
selected detection rule to determine whether the vulnerability
definition (or other definition type) exists on a scanned
device.
About the Detection logic: Affected platforms page
Identifies the operating systems the security scanner will run
on to check for this rule's associated definition. In other words,
only devices matching the selected platforms will attempt to
process this rule. At least one platform MUST be selected. If a
target device is running a different operating system, the security
scanner quits.
About the Detection logic: Affected products page
Products: Lists the products you want to check
for with the detection rule to determine whether the associated
definition exists on scanned devices. Select a product in the list
to view its name, vendor, and version information. You do not need
to have a product associated with a detection rule. Associated
products act as a filter during the security scan process. If none
of the specified associated products are found on the device, the
security scan quits. However, if no products are specified, the
scan proceeds to the files check.
If you're creating or editing a custom detection rule, click
Configure to open a new dialog box that lets you add and
remove products in the list. The list of available products is
determined by the security content you've updated via the LANDesk
Security service.
Name: Provides the name of the selected
product.
Vendor: Provides the name of the vendor.
Version: Provides the version number of the
selected product.
About the Detection logic: Files used for detection page
Files: Lists the file conditions (existence,
version, date, size, etc.) that are used to determine whether the
associated definition exists on scanned devices. Select a file in
the list to view its verification method and expected parameters.
If all the file conditions are met, the device is not affected.
Said another way, if any of these file conditions are NOT met, the
vulnerability is determined to exist on that device. If there are
no file conditions in the list, the scan proceeds to the registry
check.
If you're creating or editing a custom detection rule, click
Add to make the fields editable, allowing you to configure a
new file condition and expected values/parameters. A rule can
include one or more file conditions, depending on how complex you
want to make it. To save a file condition, click Update. To
delete a file condition from the list, select it and click
Remove.
Verify using: Indicates the method used to
verify whether the prescribed file condition is met on scanned
devices. For example, a detection rule can scan for file existence,
version, date, size, and so on. The expected parameters that appear
below the verification method are determined by the method itself
(see the list below).
If you're creating or editing a custom detection rule, select
the verification method from the Verify using drop-down
list. As stated above, the parameter fields are different for each
verification method, as described in the following list:
Note that the Search for file recursively option applies
to all the file verification methods except for the MSI methods,
and causes the scan to search for files in the specified path
location and any existing subfolders.
File Existence Only: Verifies by scanning for
the specified file. Parameters are: Path (location of the file on
the hard drive), including the filename, and Requirement (must
exist or must not exist).
File Version: Verifies by scanning for the
specified file and its version number. Parameters are: Path,
Minimum Version, and Requirement (must exist, must not exist, or
may exist).
Note that for the File Version, Date, and Size parameters, after
specifying the file path and name, you can click the Gather
Data button to automatically populate the appropriate value
fields.
File Date: Verifies by scanning for the
specified file and its date. Parameters are: Path, Minimum Date,
and Requirement (must exist, must not exist, or may exist).
File Size and/or Checksum: Verifies by
scanning for the specified file and its size or checksum value.
Parameters are: Path, Checksum, File size, and Requirement (must
exist, must not exist, or may exist).
MSI Product ID installed: Verifies by scanning
to ensure the specified MSI product is installed (a product
installed by the Microsoft Installer utility). Parameters are: Guid
(the product's global unique identifier).
MSI Product ID NOT installed: Verifies by
scanning to ensure the specified MSI product isn't installed.
Parameters are: Guid.
About the Detection logic: Registry settings used for detection page
Registry: Lists the registry key conditions
that are used to determine whether the associated vulnerability (or
other type) exists on a scanned device. Select a registry key in
the list to view its expected parameters. If any of these
conditions are NOT met, the vulnerability is determined to exist on
that device.
IMPORTANT: If there
are no registry conditions in the list, AND there were no file
conditions on the Files page, the scan fails. In other words, a
detection rule must have at least one file or registry
condition.
If you're creating or editing a custom detection rule, click
Add to make the fields editable, allowing you to configure a
new registry key condition and expected parameters. A rule can
include one or more registry conditions. To save a registry
condition, click Update. To delete a registry condition from
the list, select it and click Remove.
Key: Identifies the registry key's expected
folder and path.
Name: Identifies the expected name of the
key.
Value: Identifies the expected value of the
key.
Requirement: Indicates whether the registry
key must or must not exist on target devices.
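The order of checks described on the Affected platforms, Affected products, Files, and Registry pages can be modelled as follows. This is an added example, not LANDesk code: every class, function, and sample value is hypothetical and constructed for illustration. It assumes that file and registry conditions are both evaluated once the platform and product filters pass, and that "may exist" tolerates an absent file.

```python
from dataclasses import dataclass, field

# Outcome labels are illustrative names, not product strings.
SKIPPED_PLATFORM = "skipped: platform not affected"
SKIPPED_PRODUCT = "skipped: no affected product installed"
INVALID_RULE = "failed: rule has no file or registry condition"
DETECTED = "detected"
NOT_AFFECTED = "not affected"


def parse_version(text):
    """Turn '9.4.0.0' into (9, 4, 0, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class FileCondition:
    path: str
    requirement: str              # "must exist", "must not exist", "may exist"
    minimum_version: str = None   # None models "File Existence Only"

    def is_met(self, device):
        found = device["files"].get(self.path.lower())  # None when absent
        if self.requirement == "must not exist":
            return found is None
        if found is None:
            # Assumption: "may exist" accepts a missing file.
            return self.requirement == "may exist"
        if self.minimum_version is None:
            return True
        return parse_version(found) >= parse_version(self.minimum_version)


@dataclass
class RegistryCondition:
    key: str
    name: str
    value: str
    requirement: str              # "must exist" or "must not exist"

    def is_met(self, device):
        actual = device["registry"].get((self.key.lower(), self.name.lower()))
        present = actual == self.value
        return present if self.requirement == "must exist" else not present


@dataclass
class DetectionRule:
    platforms: list
    products: list = field(default_factory=list)
    files: list = field(default_factory=list)
    registry: list = field(default_factory=list)


def evaluate(rule, device):
    """Return (outcome, unmet_conditions) for one rule on one device."""
    if not rule.platforms:
        raise ValueError("at least one affected platform must be selected")
    if device["platform"] not in rule.platforms:
        return SKIPPED_PLATFORM, []
    # Products act as a filter; an empty product list skips the filter.
    if rule.products and not set(rule.products) & set(device["products"]):
        return SKIPPED_PRODUCT, []
    if not rule.files and not rule.registry:
        return INVALID_RULE, []
    # Any unmet file or registry condition means the definition is detected.
    unmet = [c for c in rule.files + rule.registry if not c.is_met(device)]
    return (DETECTED if unmet else NOT_AFFECTED), unmet


# Constructed sample data: a made-up product, path, and registry key.
DLL = r"C:\Program Files\Example\reader.dll"
KEY = r"HKLM\Software\Example\Reader"
VERSION_CHECK = FileCondition(DLL, "must exist", "9.4.0.0")
RULE = DetectionRule(
    platforms=["Windows 7"],
    products=["Example Reader 9"],
    files=[VERSION_CHECK],
    registry=[RegistryCondition(KEY, "Hardened", "1", "must exist")],
)


def make_device(platform="Windows 7", version="9.4.2.0", installed=True):
    """Build a constructed inventory record for the sample product."""
    return {
        "platform": platform,
        "products": ["Example Reader 9"] if installed else [],
        "files": {DLL.lower(): version} if installed else {},
        "registry": {(KEY.lower(), "hardened"): "1"} if installed else {},
    }
```

A rule with no product filter and a "must exist" version check reports a device that never had the product installed as detected, which is why the product filter or the "may exist" requirement matters when authoring custom rules.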
About the Detection logic: Custom script page
Use this page if you want to write a custom VB script that
checks for any other conditions on scanned devices. The security
scanner's runtime properties that can be accessed with a custom
script to report its results are: Detected, Reason, Expected, and
Found.
Click the Use editor button to open your default script
editing tool, associated with this file type. When you close the
tool you're prompted to save your changes in the Custom Script
page. If you want to use a different tool you have to change the
file type association.
About the custom vulnerability's product properties: General information page
Use these dialog boxes when creating a custom vulnerability
definition that includes a custom product.
You can enter a name, vendor, and version number, and then
define the detection logic that determines the conditions for the
vulnerability to exist.
These dialog boxes are similar to the properties dialog boxes
for downloaded published vulnerability definitions. Please see the
corresponding sections above.
This page includes the following options:
Affected products: Lists products that are
affected by this custom vulnerability definition.
Available products: Lists all downloaded
products.
Filter available products by affected
platforms: Restricts the list of available products to only
those that are associated with the platforms you've selected on the
Detection logic: Affected platforms page.
Add: Opens the Properties dialog box where you
can create a custom product definition.
About the custom vulnerability's product: Detection logic page
The following pages refer to the detection logic used by the
selected detection rule to determine whether the vulnerability
definition (or other definition type) exists on a scanned
device.
These dialog boxes are similar to the detection logic dialog
boxes for downloaded known OS and application vulnerability
definitions published by vendors that are described above. For
information about the options, see the corresponding sections
above.
About the custom vulnerability's product: Detection logic: Files used for detection page
See the Detection logic: Files used for detection page
above.
About the custom vulnerability's product: Detection logic: Registry settings keys used for detection page
See the Detection logic: Registry settings used for detection
page above.
About the custom vulnerability's product: Detection logic: Custom detection script page
See the Detection logic: Custom script page above.
About the Patch information page
Use this page to define and configure the rule's associated
patch file (if one is required for remediation) and the logic used
to detect whether the patch is already installed. You can also
configure additional patch file install or uninstall commands for
customized remediation.
This page and the ones under it refer to the patch file required
to remediate a vulnerability. These pages are applicable only if
the selected detection rule allows remediation by deploying a patch
file. If the detection rule is limited to scanning only, or if the
security content type doesn't use patch files for remediation, as
in the case of security threats, or spyware, then these pages are
not relevant.
Repaired by patch, or detection only: Click
one of these options to specify whether the detection rule will
just check for the presence of the associated definition (detect
only), or if it can also remediate that definition by deploying and
installing the required patch.
Patch download information:
Patch URL: Displays the full path and file
name of the patch file required to remediate the selected
definition if detected. This is the location from which the patch
file is downloaded.
Auto-downloadable: Indicates whether the patch
file can be automatically downloaded from its hosting server. You
can use this option with custom detection rules if you want to
prevent patch files from being downloaded via the rule's shortcut
menu. For example, you may need to prevent automatic patch download
if there's a firewall that blocks access to the hosting
server.
Download: If you're creating or editing a
custom detection rule that performs remediation, and you've entered
a patch filename and URL, you can click Download to attempt
to download the patch file at this time. You can download the patch
file at a later time if you prefer.
Repair information:
Unique filename: Identifies the unique
executable filename of the patch file.
Note that it is strongly recommended that when you download a patch
file, you create a hash for the patch file by clicking Generate
MD5 Hash. (Most, if not all, known vulnerabilities' associated
patch files should have a hash.) The patch file must be downloaded
before you can create a hash. A hash file is used to ensure the
integrity of the patch file during remediation (i.e., when it's
deployed and installed on an affected device). The security scanner
does this by comparing the hash code created when you click the
Generate MD5 Hash button with a new hash it generated immediately
before attempting to install the patch file from the patch
repository. If the two hash files match, remediation proceeds. If
the two hash files do not match, indicating the patch file has
changed in some way since being downloaded to the repository, the
remediation process quits.
Requires reboot: Indicates whether the patch
file requires a device reboot before completing its installation
and configuration processes on the device.
Silent install: Indicates whether the patch
file can complete its installation without any end user
interaction.
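The integrity check described under Unique filename, as an added example (not LANDesk's own code): it records a patch file's hash at download time, re-hashes the file immediately before install, and audits a whole repository folder against those records. The SHA-256 digest recorded beside the MD5 is an assumption of this example, since MD5 is not collision-resistant; the function names, manifest layout and sample files are constructed.

```python
"""Added example: pin a patch file's hash at download, re-check before install."""
import hashlib
import hmac
import os
import tempfile


def file_digests(path, chunk_size=1 << 20):
    """Return MD5 and SHA-256 hex digests, streaming the file in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_before_install(path, recorded):
    """Re-hash the file and compare with the digests recorded at download time.

    Returns (ok, reason). Remediation should proceed only when ok is True.
    """
    if not os.path.isfile(path):
        return False, "missing"
    current = file_digests(path)
    for algo in ("md5", "sha256"):
        if algo in recorded and not hmac.compare_digest(
            current[algo], recorded[algo].lower()
        ):
            return False, "changed"
    return True, "ok"


def audit_repository(repo_dir, manifest):
    """Classify every manifest entry and every file found in the repository."""
    report = {}
    for name, recorded in manifest.items():
        _, reason = verify_before_install(os.path.join(repo_dir, name), recorded)
        report[name] = reason
    for name in sorted(os.listdir(repo_dir)):
        if name not in manifest and os.path.isfile(os.path.join(repo_dir, name)):
            # A file nobody hashed at download time cannot be verified later.
            report[name] = "unrecorded"
    return report


def demo():
    """Build a constructed repository, alter it after 'download', and audit it."""
    samples = {  # constructed sample data, not real patch files
        "patch-a.exe": b"MZ constructed patch A",
        "patch-b.exe": b"MZ constructed patch B",
        "patch-c.exe": b"MZ constructed patch C",
    }
    with tempfile.TemporaryDirectory() as repo:
        manifest = {}
        for name, data in samples.items():
            path = os.path.join(repo, name)
            with open(path, "wb") as fh:
                fh.write(data)
            manifest[name] = file_digests(path)  # the "generate hash" step

        # Changes made after the hashes were recorded:
        with open(os.path.join(repo, "patch-b.exe"), "ab") as fh:
            fh.write(b" appended bytes")          # modified in place
        os.remove(os.path.join(repo, "patch-c.exe"))  # removed
        with open(os.path.join(repo, "dropped.exe"), "wb") as fh:
            fh.write(b"MZ not in manifest")       # never hashed

        return audit_repository(repo, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10} {name}")
```

Only files reported as ok would pass the pre-install comparison; an unrecorded file is the case the recommendation to always generate a hash is meant to avoid.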
Detecting the patch
pages
The following pages refer to the detection logic used by the
rule to check if the patch is already installed on devices.
IMPORTANT: ALL of the
specified conditions for BOTH files and registry settings must be
met in order for the patch file to be detected as installed on a
device.
About the Detecting the
patch: Files used for installed patch detection page
This page specifies the file conditions used to determine
whether the patch file is already installed on a device. The
options on this page are the same as on the Files page for
definition detection logic (see above). However, the logic works
conversely when detecting patch installation. In other words, when
checking for a patch installation, all of the file conditions
specified on this page must be met in order to determine an
installation.
About the Detecting the
patch: Registry settings used for installed patch detection
page
This page specifies the registry key conditions used to
determine whether the patch file is already installed on a device.
The options on this page are the same as on the Registry settings
page for definition detection logic (see above). However, the logic
works conversely in this case. In other words, when checking for a
patch installation, all of the registry conditions specified on
this page must be met in order to determine an installation.
IMPORTANT: ALL of the
specified conditions for BOTH files and registry settings must be
met in order for the patch file to be detected as installed on a
device.
Patch install and uninstall pages
The following pages let you configure additional commands that
run when the patch is installed on or uninstalled from affected
devices.
This option is available only for custom definitions that allow
remediation.
These commands are useful if you need to program specific
actions on target devices to ensure successful remediation.
Additional commands aren't required. If you don't configure any
additional commands, the patch file executes by itself by default.
Keep in mind that if you do configure one or more additional
commands, you must also include a command that executes the actual
patch file with the Execute command.
About the Patch
install commands page
Use this page to configure additional commands for a patch
install task. The available commands are the same for patch install
and uninstall.
Commands: Lists commands in the order they
will run on target devices. Select a command to view its arguments.
You can change the order of commands with the Move Up and
Move Down buttons. To remove a command from the list, select
it and click Remove.
Add: Opens a dialog box that lets you select a
command type to add to the Commands list.
Command Arguments: Displays the arguments that
define the selected command. An argument's values can be edited. To
edit any argument, double-click its Value field, and then
type directly in the field. For all the command types, you can also
right-click in the Value field to insert a macro/variable
into the argument.
The following list describes the commands and their
arguments:
Copy: Copies a file from the specified source
to the specified destination on the hard drive of the target
device. This command can be used before and/or after executing the
patch file itself. For example, after extracting the contents of a
compressed file with the Unzip command, you may want to copy files
from one location to another.
The arguments for the Copy command are: Dest (full path where
you want to copy the file, not including the filename) and Source
(full path and file name of the file you want to copy).
Execute: Runs the patch file, or any other
executable file, on target devices.
The arguments for the Execute command are: Path (full path, and
file name, where the executable file resides; for the patch file,
you can use the %SDMCACHE% and %PATCHFILENAME% variables), Args
(command-line options for the executable file; note this field is
not required), Timeout (number of seconds to wait for the
executable to terminate before continuing to the next command in
the list, if the Wait argument is set to true), and Wait (true or
false value that determines whether to wait for the executable to
terminate before continuing to the next command in the list).
ButtonClick: Automatically clicks a specified
button that displays when an executable file runs. You can use this
command to program a button click if such interaction is required
by the executable.
In order for the ButtonClick command to work properly, the Wait
argument for the preceding Execute command must be set to false so
that the executable doesn't have to terminate before continuing to
the button click action.
The arguments for the ButtonClick command are: Required (true or
false value indicating whether the button must be clicked before
proceeding; if you select true and the button can't be clicked for
any reason, remediation quits; if you select false and the button
can't be clicked, remediation will continue), ButtonIDorCaption
(identifies the button you want clicked by its text label, or its
control ID), Timeout (number of seconds it takes for the button you
want clicked to appear when the executable runs), and WindowCaption
(identifies the window or dialog box where the button you want
clicked is located).
ReplaceInFile: Edits a text-based file on
target devices. Use this command if you need to make any
modifications to a text-based file, such as a specific value in an
.INI file, before or after executing the patch file to ensure that
it runs correctly.
The arguments for the ReplaceInFile command are: Filename (full
path and name of the file you want to edit), ReplaceWith (exact
text string you want to add to the file), and Original Text (exact
text string you want to replace in the file).
StartService: Starts a service on target
devices. Use this command to start a service required for the patch
file to run, or to restart a service that was required to be
stopped in order for the patch file to run.
The arguments for the StartService command are: Service (name of
the service).
StopService: Stops a service on target
devices. Use this command if a service must be stopped on a device
before the patch file can be installed.
The arguments for the
StopService command are: Service (name of the service).
Unzip: Unzips a compressed file on target
devices. For example, you can use this command if remediation
requires more than one file be run or copied on target
devices.
The arguments for the Unzip command are: Dest (full path to
where you want to extract a compressed file's contents on a
device's hard drive), and Source (full path and filename of the
compressed file).
WriteRegistryValue: Writes a value to the
registry.
The arguments for the WriteRegistryValue command are: Key, Type,
ValueName, ValueData, and WriteIfDataEmpty.
About the Patch
uninstall commands page
Use this page to configure additional commands for a patch
uninstall task. The available commands are the same for patch
install and uninstall. However, the Patch uninstall commands page
includes two unique options:
Patch can be uninstalled: Indicates whether
the patch file can be uninstalled from remediated devices.
Original patch is required for uninstall:
Indicates whether the original patch executable file itself must be
accessible on the core server in order to uninstall it from scanned
devices.
Use this dialog box to download patch executable files that are
required to remediate the selected vulnerability but that are not
currently available on the core server (or in some other specified
patch repository location). Required patches must reside in the
designated patch location in order for a managed device with a
detected vulnerability to be remediated successfully.
Name: Indicates the name of the patch
executable file.
Definitions: Indicates the vulnerability which
is associated with this patch file.
Downloaded: Shows whether the patch file has
been downloaded or not.
Can download: Indicates whether the patch can
be automatically downloaded, or whether it has to be downloaded by
a Patch and Compliance process.
Show currently required patches only: Displays
only those patch files that are required to remediate the selected
vulnerability at this time. In other words, the list will include
patches that have superseded earlier patches, not the earlier
patches.
Show all associated patches: Displays a
comprehensive listing of all of the associated patches for the
selected vulnerability, whether they have been superseded or
not.
Download: Click to download the patch files
from the update source site.
Cancel: Cancels the download operation.
Patch and Compliance tasks help
About the Create security
scan task dialog box
Use this dialog box to create and configure a scheduled task
that runs the security scanner on target devices.
IMPORTANT: LANDesk
Script Writers group permission required
In order to create scheduled tasks and policies in the Patch and
Compliance tool (for security and compliance scan tasks, and repair
tasks), a user must have the LANDesk Script Writers group
permission. In other words, they must be part of a group that has
the LANDesk Script Writers permission assigned. For more
information about role-based administration, see Role-based administration.
You can also run an immediate on-demand security or compliance
scan on one or more target devices. Right-click the selected device
(or up to 20 multi-selected devices), and either click Security
scan and select a scan and repair settings, or click
Compliance scan, and then click OK.
This dialog box contains the following options:
Task name: Enter a unique name to identify the
security scan task.
Create a scheduled task: Adds the security
scan task to the Scheduled tasks window, where you can configure
its scheduling and recurrence options, and assign target
devices.
Create a policy: Adds the security scan task
as a policy to the Scheduled tasks window, where you can configure
the policy options.
Scan and repair settings: Specifies scan and
repair settings used for the scan task. Scan and repair settings
determine whether the security scanner displays on devices while
running, reboot options, user interaction, and the security content
types scanned. Select a scan and repair settings from the drop-down
list to assign it to the security scan task you're creating. You
can click Edit to modify the options for the selected scan
and repair settings. You can also click Configure to create
a new scan and repair settings. For more information, see About the Configure scan and repair (and compliance)
settings dialog box.
About the
Create compliance scan task dialog box
Use this dialog box to create and configure a task that runs the
security scanner to check target devices specifically for
compliance with your security policy based on the contents of the
Compliance group.
NOTE: On-demand
security and compliance scans
You can also run an immediate security or compliance scan on one or
more target devices. Right-click the selected device (or up to 20
multi-selected devices), and either click Security scan and
select a scan and repair settings, or click Compliance scan,
and then click OK.
This dialog box contains the following options:
Task name: Enter a unique name to identify the
compliance scan task.
Create a scheduled task: Adds the compliance
scan task to the Scheduled tasks window, where you can configure
its scheduling and recurrence options, and assign target
devices.
Target machines that have not reported since:
Limits the compliance scan to only those managed devices that
haven't reported security scan results since the date you
specify.
Start now: Sets the scheduled scan task to
begin as soon as the task is added to the Scheduled tasks window so
that you don't have to manually configure scheduling options.
Create a policy: Adds the compliance scan task
as a policy to the Scheduled tasks window, where you can configure
the policy options.
About the Change
settings task dialog box
Use this dialog box to create and configure a task that changes
the default settings on target devices for Patch and Compliance
services, including:
Scan and repair settings
Compliance security settings (applies only to
compliance security scans)
Custom variable override settings
With a change settings task you can conveniently change a
managed device's default settings (which are written to the
device's local registry) without having to redeploy a full agent
configuration.
Task name: Enter a unique name to identify the
task.
Create a scheduled task: Adds the task to the
Scheduled tasks window, where you can configure its scheduling and
recurrence options, and assign target devices.
Create a policy: Adds the task as a policy to
the Scheduled tasks window, where you can configure the policy
options.
Scan and repair settings: Specifies scan and
repair settings used for security scan tasks. Scan and repair
settings determine whether the scanner displays on devices while
running, reboot options, user interaction, and the security content
types scanned. Select one of the settings from the drop-down list.
Click Edit to modify the options for the selected settings.
Click Configure to create a new settings. For more
information, see About the Scan and repair (and compliance)
settings dialog box's pages.
Compliance settings: Specifies compliance
settings used for compliance scan tasks. Compliance settings
determine when and how a compliance scan takes place, whether
remediation occurs automatically, and/or what to do when LANDesk
Antivirus detects a virus infection on target devices.
Custom variables override settings: Specifies
custom variable override settings used on target devices when
they're scanned for security definitions that include custom
variables (such as security threats and viruses). Custom variable
override settings let you specify values you want to ignore or
bypass during a security scan. This is very useful in situations
where you don't want a scanned device to be identified as
vulnerable according to a definition's default custom variable
settings. Select one of the settings from the drop-down list. From
the drop-down list, you can also select to remove the custom
variable override settings from target devices. The Remove
custom variable settings option lets you clear a device so that
custom variable settings are in full effect. Click Edit to
modify the options for the selected settings. Click
Configure to create a new settings. For more information,
see About the Custom variable override settings dialog
box.
About the Create reboot
task dialog box
Use this dialog box to create and configure a generic reboot
task.
A reboot task can be useful when you want to install patches
(without rebooting) as a single process and then reboot those
remediated devices as another separate task. For example, you can
run a scan or a patch install task during the day, and then deploy
a reboot only task at a more convenient time for end users.
Task name: Identifies the task with a unique
name.
Create a scheduled task: Creates a reboot task
in the Scheduled tasks window when you click OK.
Create a policy: Creates a reboot policy when
you click OK.
Scan and repair settings: Specifies which scan
and repair settings' reboot configuration is used for the task to
determine reboot requirements and action on target devices. Select
a scan and repair settings from the drop-down list, or click
Configure to create a new scan and repair settings.
About the Create repair
task dialog box
Use this dialog box to create and configure a repair
(remediation) task for the following definition types:
vulnerabilities, spyware, LANDesk software updates, custom
definitions, and security threats with an associated patch. The
schedule repair option is not applicable to blocked
applications.
Task name: Identifies the repair task with a
unique name. The default is the name of the selected definition or
the custom group. You can edit this name if you prefer.
Repair as a scheduled task: Creates a security
repair task in the Scheduled tasks window when you click
OK.
Split into staging task and repair task:
(Optional) Allows you to create two separate tasks in the Scheduled
tasks tool: one task for staging the required patch files in the
target device's local cache, and one task for actually installing
those patch files on the affected devices.
Select computers to repair: Specifies which
devices to add to the scheduled repair task. You can choose no
devices, all affected devices (devices where the definition was
detected by the last security scan), or only the affected devices
that are also selected (this last option is available only when you
access the Schedule repair dialog box from within a device Security
and Patch Information dialog box).
Use Multicast: Enables Targeted Multicast for
patch deployment to devices. Click this option, and click
Multicast Options if you want to configure multicast
options. For more information, see About the Multicast options dialog box.
Repair as a policy: Creates a security repair
policy when you click OK.
Add query representing affected devices:
Creates a new query, based on the selected definition, and applies
it to the policy. This query-based policy will search for devices
affected by the selected definition, and deploy the associated
patch.
Download patch only from local peers:
Restricts patch deployment so that it will only take place if the
patch file is located in the device local cache or on a peer on the
same subnet. This option conserves network bandwidth, but note that
for the patch installation to be successful, the patch file must
currently reside in one of these two places.
Download patch only (Do not repair): Downloads
the patch file to the patch repository but does not deploy the
patch. You can use this option if you want to retrieve the patch
file in a staging scenario for testing purposes before actual
deployment.
Scan and repair settings: Specifies which scan
and repair settings is used for the repair task to determine
whether the security scanner displays on devices when it is
running. Select a scan and repair settings from the drop-down
list, or click Configure to create a new scan and repair
settings.
About the Create repair
task: Patches page
Use this page to show either required patches only or all
associated patches for the selected vulnerability. (NOTE:
The fields on this page are the same as the fields on the About the Download associated patches dialog box.)
To download patches directly from this page, if they have not
already been downloaded and placed in the patch repository, click
Download.
About the Multicast
options dialog box
Use this dialog box to configure the following Targeted
Multicast options for a scheduled security repair task:
Multicast Domain Discovery:
Use multicast domain discovery: Select this
option if you want Targeted Multicast to do a domain discovery for
this job. This option won't save the domain discovery results for
reuse.
Use multicast domain discovery and save
results: Select this option if you want Targeted Multicast to
do a domain discovery for this job and save the results for future
use, saving time on subsequent multicasts.
Use results of last multicast domain
discovery: Use this option once you've had Targeted Multicast
do a domain discovery that saved the results.
Have domain representative wake up computers:
Use this option if you want computers that support Wake On LAN
technology to turn on so they can receive the multicast.
Number of seconds to wait after Wake on LAN:
How long domain representatives wait to multicast after the Wake On
LAN packet has been sent. The default waiting period is 120
seconds. If some computers on your network take longer than 120
seconds to boot, you should increase this value. The maximum value
allowed is 3600 seconds (one hour).
The options below let you configure task-specific Targeted
Multicast parameters. The defaults should be fine for most
multicasts. Here is what the options do:
Maximum number of multicast domain representatives
working simultaneously: No more than this number of
representatives will be actively doing a multicast at one
time.
Limit the processing of machines that failed
multicast: When a device fails to receive the file through
multicast, it will download the file from the Web or file server.
This parameter can be used to limit the number of devices that will
obtain the file at one time. For example, if the maximum number of
threads was 200 and the maximum number of multicast failure threads
was 20, the Custom Job dialog box would process no more than 20
computers at a time that failed the multicast. The Custom Job
dialog box will process up to 200 devices at a time if they
successfully received the multicast, but no more than 20 of the 200
threads will be processing devices that failed the multicast task.
If this value is set to 0, the Custom Job dialog box won't perform
the distribution portion of the task for any computer that failed
multicast.
Number of days the files stay in the cache:
Amount of time that the file being multicast can stay in the cache
on each target computer. After this period of time, the file will
be automatically purged.
Number of days the files stay in multicast domain
representative cache: Amount of time that the file being
multicast can stay in the cache on the multicast domain
representative. After this period of time, the file will be
automatically purged.
Minimum number of milliseconds between packet
transmissions (WAN or Local): Minimum amount of time to wait
between sending out multicast packets.
This value is only used when the domain representative isn't
multicasting a file from its own cache. If this parameter isn't
specified, then the default minimum sleep time stored on the
subnet/domain representative computer will be used. You can use
this parameter to limit bandwidth usage across the WAN.
Maximum number of milliseconds between packet
transmissions (WAN or Local): Maximum amount of time to wait
between sending out multicast packets. For more information, see
Minimum number of milliseconds between packet transmissions
above.
About the Uninstall patch
dialog box
Use this dialog box to create and configure an uninstall task
for patches that have been deployed to affected devices.
Task name: Identifies the task with a unique
name. The default is the name of the patch. You can edit this name
if you prefer.
Uninstall as a scheduled task: Creates an
uninstall patch task in the Scheduled tasks window when you click
OK.
Select targets: Specifies which devices to add
to the uninstall patch task. You can choose no devices, all devices
with the patch installed, or only the devices with the patch
installed that are also selected (this last option is available
only when you access the Uninstall Patch dialog box from within a
device Security and Patch Information dialog box).
If the original patch is required:
Use Multicast: Enables Targeted Multicast for
deploying the uninstall patch task to devices. Click this option,
and click Multicast Options if you want to configure the
multicast options. For more information, see About the Multicast options dialog box.
Uninstall as a policy: Creates an uninstall
patch policy in the Scheduled tasks window when you click
OK.
Add query representing affected devices:
Creates a new query, based on the selected patch, and applies it to
the policy. This query-based policy will search for devices with
the selected patch installed and uninstall it.
Scan and repair settings: Specifies which scan
and repair settings is used for the uninstall task to determine
whether the security scanner displays on devices, reboot options,
MSI location information, etc. Select a scan and repair settings
from the drop-down list, or click Configure to create a new
scan and repair settings.
About the Gather
historical information dialog box
Use this dialog box to compile data about scanned and detected
vulnerabilities on managed devices. This information is used for
security reports. You can either gather the data immediately or
create a task to collect the data for a specified period of
time.
This dialog box contains the following options:
Task name: Identifies the gather historical
information task with a unique name.
Keep historical data for: Specifies the amount
of time (in days) for which data will be collected. You can specify
1 day to 3,000 days.
Build report data for definitions published less
than: Restricts the report to data about vulnerabilities
published within the specified time period.
Warn: Displays a message on the core server
console if a gather historical task has not run in the specified
time period.
Gather now: Immediately collects the current
data for detected, scanned, and not scanned vulnerabilities.
Create task: Adds the task to the Scheduled
tasks window, where you can configure its scheduling and recurrence
options, and assign target devices.
Purge: Completely removes the data about
vulnerabilities collected to this point.
Patch and Compliance settings help
About the Configure
scan and repair (and compliance) settings dialog box
Use this dialog box to manage your scan and repair (and
compliance) settings. Once configured, you can apply settings to
security scan tasks, compliance scan tasks, repair tasks, uninstall
tasks, and reboot tasks.
This dialog box contains the following options:
New: Opens the settings dialog box where you
can configure the options pertaining to the specified settings
type.
Edit: Opens the settings dialog box where you
can modify the selected settings.
Copy: Opens a copy of the selected settings as
a template, which you can then modify and rename.
Delete: Removes the selected settings from the
database.
NOTE: The selected settings may currently be associated with
one or more tasks or managed devices. If you choose to delete the
setting: devices with that settings still have it and continue to
use it until a new change settings task is deployed; scheduled
tasks with that settings still run on target devices, as do local
scheduler tasks with that settings, until a new configuration is
deployed.
Close: Closes the dialog box, without applying
any settings to the task.
About the Scan and repair
(and compliance) settings dialog box's pages
Use this dialog box to create and edit scan and repair settings.
Scan and repair settings determine whether the security scanner
displays on devices while running, reboot options, user
interaction, and the content types scanned.
NOTE: Note on
compliance scan settings
The information on this dialog box can also apply to compliance
scans, with the Compliance page taking the place of the
Scan page. See the About the Compliance page section below
for details about the specific settings that apply to compliance
scans.
NOTE: Note on
reboot task settings
The settings on the Reboot page of this dialog box can also
be used for a reboot only task.
You can create as many scan and repair settings as you like and
edit them at any time. For example, you can configure a scan and
repair settings with a specific notification and reboot scenario
for desktop devices, and another scan and repair settings with
different reboot options for servers. Or, you can configure a scan
and repair settings for Windows vulnerability scanning, and another
one for spyware scanning, etc.
Once configured, you can apply scan and repair settings to
security scan tasks, repair tasks, uninstall tasks, and reboot
tasks.
Scan and repair settings
Name: Identifies the settings with a unique
name. This name appears in the settings drop-down list on a
security task dialog box.
The settings dialog box contains the following pages:
Show progress dialog box: Enables the security
scanner to display information on end user devices while it is
running. Select an option from the drop-down list (Never, Always,
Only when repairing) to determine if and when you want to show
scanner activity, and if you want to configure other display and
interaction options in this dialog box. If you select Never, none
of the other options on this page are available to configure, and
the scanner runs transparently on devices. If you select Always,
you can configure the other options.
Hide if user is showing a presentation: Does
not display the security scanner on end user devices if the
Microsoft Office PowerPoint application is running on the
device.
Allow user to cancel scan: Shows a Cancel
button on the security scanner dialog on the end user device. Click
this option if you want the end user to have the opportunity to
cancel a scan operation. If this option is not checked, the dialog
doesn't have a Cancel button and the end user can't stop the
scan.
When no reboot is required:
Require end user input before closing: For a
scan or repair task that doesn't require a reboot in order to
complete its full operation, click this option if you want the
scanner to prompt the end user before its display dialog closes on
the device. If you select this option and the end user does not
respond, the dialog box remains open, which could cause other
scheduled tasks to time out.
Close after timeout: For a scan or repair task
that doesn't require a reboot, click this option if you want the
scanner's display dialog to close after the duration you
specify.
CPU utilization when scanning: Lets you
fine-tune CPU usage by the security scanner in order to improve
overall system performance. If several processes are running
concurrently and maximizing CPU utilization on devices, you can
reduce this setting for the security scanner.
Scheduled task status: Indicates the level of
information sent to the Scheduled tasks tool about the scheduled
security scan task.
About the Scan options
page
Scan for: Specifies which content types you
want to scan for with this scan task. You can select either a
custom group (preconfigured) or specific content types. You can
select only those content types for which you have a LANDesk Security
Suite content subscription. Also, the actual security definitions
that are scanned for depend on the contents of the Scan group in
the Patch and Compliance window. In other words, if you select
vulnerabilities and security threats in this dialog box, only those
vulnerabilities and security threats currently residing in their
respective Scan groups will be scanned for.
Immediately repair all detected items:
Indicates that any security risk identified by this particular
group scan will be automatically remediated.
Enable autofix: Indicates that the security
scanner will automatically deploy and install the necessary
associated patch files for any vulnerabilities or custom
definitions it detects on scanned devices. This option applies to
security scan tasks only. In order for autofix to work, the patch
file must also have autofix enabled.
About the Compliance settings page
NOTE: Compliance security scans
Keep in mind the options on the Compliance page apply to compliance
security scans only.
Scanning:
Frequently scan the Compliance group: Runs a
frequent security scan based on the contents of the Compliance
group. The basic frequent security scan is defined in the initial
agent configuration, but you can override it with the options on
this page. You can specify to run the compliance security scan only
when a user is logged into the managed device.
Scan after IP address change: Performs a
compliance security scan whenever the IP address changes on target
devices, for example when a laptop is reconnected to your network
and receives a different IP address than before.
Disable the frequent security scanner in Agent
configuration: Indicates that a frequent security scan set up
via the device's agent configuration will be turned off, and the
frequent scan settings defined here will be used for a compliance
security scan instead.
Actions:
Enable autofix: Indicates that the security
scanner will automatically deploy and install the necessary
associated patch files for any vulnerability definitions it detects
on scanned devices. This option applies to security and compliance
scan tasks only. In order for autofix to work, the patch file must
also have autofix enabled.
Immediately repair all detected items: All
detected vulnerabilities are remediated, even if their associated
patches do not have autofix enabled.
Enforce 802.1X supported scan: Ensures that
802.1X-enabled devices that are scanned for security compliance
using these settings are either allowed access or quarantined based
on whether they are compliant or non-compliant with the custom
security policy.
If a virus cannot be removed or quarantined
(LANDesk Antivirus only): The following two options apply to
LANDesk Antivirus only and provide a method for you to have an
antivirus scan trigger or initiate a full security scan that checks
target devices configured with these settings for compliance with
your current security policy, in other words, whether the device is
healthy or unhealthy. You can select one or both of the options
below. The action described by these options occurs any time a
virus is detected on the device and can't be removed or
quarantined. (NOTE: As a prerequisite for performing this
type of scan, you must first add the predefined AV-110 antivirus
definition to the Compliance group. You should also add any other
definitions you want to use to define your security policy to the
Compliance group.)
Immediately scan devices for compliance: If a
virus is detected and can't be removed or quarantined, a compliance
security scan (by the security scanner, not the antivirus scanner)
is initiated right away.
Perform network access control check to determine
if device is unhealthy: If a virus is detected and can't be
removed or quarantined, a network access control check is initiated
immediately by LANDesk NAC.
About the Repair options page
Before repairing, installing, or uninstalling a
patch: Select whether you want the repair to begin immediately,
or if you want a prompt to appear on the end user device with
message and interaction controls as configured with the options
below, or if you want to wait to perform the repair until the
device is locked or the user is logged off.
Message: Type a message in this box that will
appear in the security scanner's display dialog on the end user
device when a security scan task detects any of the specified
definitions on the scanned device. You can customize this message
depending on the type of security scan you're running.
If no end user response:
Wait for user response before repair, install, or
uninstall: For a patch file operation prompt that doesn't
receive a response, click this option if you want the scanner to
continue waiting indefinitely.
After timeout, automatically: For a patch file
operation prompt that doesn't receive a response, click this option
if you want the scanner to automatically proceed and perform the
patch file operation or close without performing the operation,
after the duration you specify.
Start repair even if:
User is running a presentation: Indicates that
remediation will begin regardless of whether the Microsoft Office
PowerPoint application is running on the device.
Reboot is already pending: Indicates that
remediation will begin without waiting for the reboot
operation.
Maximum bandwidth when downloading from
source: Specifies the bandwidth percentage you want to be used
for the patch file download from the patch repository to scanned
devices. You can use this setting to balance network traffic for
large patch file deployments.
Maximum bandwidth when downloading from peer:
Specifies the bandwidth percentage you want to be used for the
patch file download from a peer machine. You can use this setting
to balance network traffic for large patch file deployments.
About the MSI information page
Use this page if a patch file needs to access its originating
product installation resource in order to install any necessary
supplemental files. For example, you may need to provide this
information when you're attempting to apply a patch for Microsoft
Office or some other product suite.
Original package location: Enter the UNC path
to the product image.
Credentials to use when referencing the original
package location: Enter a valid user name and password to
authenticate to the network share specified above.
Ignore the /overwriteoem command-line option:
Indicates the command to overwrite OEM-specific instructions will
be ignored. In other words, the OEM instructions are executed.
Run as Information: Credentials for running
patches: Enter a valid user name and password to identify the
logged in user for running patches.
About the Reboot options page
When deciding whether to reboot: Specify how
you want the security scanner to act when a scan or repair task
tries to reboot a device for any reason. You can select for the
device to never reboot, reboot only if needed, or always
reboot.
When rebooting:
Prompt user before rebooting: Click this option
if you want the security scanner to prompt the end user when a
reboot occurs. If you select this option, you can
configure the accompanying reboot options below.
If no one is logged in, reboot immediately without
prompting or delay: Ensures the reboot will occur automatically
in the event no one is currently logged into the device.
Allow user to defer reboot: Shows a defer
button on the reboot prompt on the end user device. Specify the
deferral time span and the number of times the end user can defer
the reboot. The deferral (or snooze time) begins with the next
local scheduler poll. (Note that due to local scheduler operation
the minimum snooze time is 10 minutes.)
Allow user to cancel reboot: Shows a cancel
button on the reboot prompt on the end user device.
Reboot message: Type a message in this box
that will appear in the security scanner's display dialog on the
end user device when a security scan task prompts the end user
before attempting to reboot the device.
Wait for user response before rebooting: For a
reboot prompt that doesn't receive a response, click this option if
you want the scanner to continue waiting indefinitely. If there's
no response, the prompt remains open.
After timeout, automatically: For a reboot
prompt that doesn't receive a response, click this option if you
want the scanner to automatically proceed and either reboot,
snooze, or close the prompt without rebooting, after the duration
you specify.
About the Network settings page
Use this page to identify an alternate core server that can be
used for security scanning and remediation if the main core server
is not available.
Communicate with alternate core server:
Enables communication with an alternate server.
Server name: Enter the name of a valid,
licensed LANDesk core server.
NOTE: The syntax for the servername field should be:
<servername>:<port number>, where port number is the secure port 443
for SSL transmission. If you enter only a servername, without
specifying port 443, it defaults to port 80, which is the standard
HTTP port.
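A check for the Server name syntax described in the note above, as an added example that is not part of the LANDesk documentation or product: it parses `<servername>:<port number>` values and reports entries that omit the port (and so default to 80) or name a port other than 443. The function names and sample values are constructed for illustration; how you collect the field values from your own settings is outside the example.

```python
"""Audit values of the alternate core "Server name" field (added example)."""
from dataclasses import dataclass

SSL_PORT = 443           # from the note: the secure port for SSL transmission
HTTP_DEFAULT_PORT = 80   # from the note: used when no port is specified


@dataclass(frozen=True)
class ServerEntry:
    host: str
    port: int
    explicit_port: bool  # False when the port was filled in by the default


def parse_server_name(value: str) -> ServerEntry:
    """Parse '<servername>' or '<servername>:<port number>'."""
    text = value.strip()
    if not text:
        raise ValueError("empty value")
    if "/" in text or any(ch.isspace() for ch in text):
        raise ValueError("expected <servername>:<port number>, not a URL or path")
    if ":" not in text:
        # No port given: per the note, the field falls back to port 80.
        return ServerEntry(text, HTTP_DEFAULT_PORT, False)
    host, _, port_text = text.rpartition(":")
    if not host or ":" in host:
        raise ValueError("expected exactly one ':' between name and port")
    if not (port_text.isascii() and port_text.isdigit()):
        raise ValueError(f"port {port_text!r} is not a number")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    return ServerEntry(host, port, True)


def audit_server_names(values):
    """Return (value, finding) pairs for entries that are malformed or not on 443."""
    findings = []
    for value in values:
        try:
            entry = parse_server_name(value)
        except ValueError as exc:
            findings.append((value, f"invalid: {exc}"))
            continue
        if not entry.explicit_port:
            findings.append((value, "no port given, defaults to 80 (standard HTTP port)"))
        elif entry.port != SSL_PORT:
            findings.append((value, f"port {entry.port} is not the SSL port 443"))
    return findings


# Constructed sample values, not taken from any real deployment.
SAMPLE_VALUES = [
    "core-alt.example.test:443",
    "core-alt.example.test",
    "core-alt.example.test:80",
    "https://core-alt.example.test",
    "core-alt.example.test:44e",
]

if __name__ == "__main__":
    for value, finding in audit_server_names(SAMPLE_VALUES):
        print(f"{value!r}: {finding}")
```

Only the first sample value passes; the other four are reported, including the bare server name that would silently use port 80.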
About the Pilot configuration page
Use this page to create and configure a pilot group for testing
security definitions before performing a wider deployment across
your entire network.
Periodically scan and repair definitions in the
following group: Enables the pilot security scan features. Once
you've checked this option, you need to select a custom group from
the drop-down list.
Change settings: Opens the Schedule scan
dialog box where you can define the parameters for the security
scan. Click the Help button for details.
About the Schedule periodic pilot scan and repair dialog box
This dialog box is shared by several LANDesk management tasks.
For details about the options on this dialog box, see About the Schedule dialog
box.
About the Spyware scanning page
Use this page to replace (or override) spyware settings from a
device's agent configuration.
Real-time spyware detection monitors devices for newly launched
processes that attempt to modify the local registry. If spyware is
detected, the security scanner on the device prompts the end user
to remove the spyware.
This page contains the following options:
Override settings from client configuration:
Replaces existing spyware settings on devices initially configured
via an agent configuration. Use the options below to specify the
new spyware settings you want to deploy to target devices.
Settings:
Enable real-time spyware blocking: Turns on
real-time spyware monitoring and blocking on devices with this
agent configuration.
NOTE: In order for real-time spyware scanning and detection
to work, you must manually enable the autofix feature for any
downloaded spyware definitions you want included in a security
scan. Downloaded spyware definitions don't have autofix turned on
by default.
Notify user when spyware has been blocked:
Displays a message that informs the end user a spyware program has
been detected and remediated.
If an application is
not recognized as spyware, require user's approval before it can be
installed: Even if the detected process is not recognized as
spyware according to the device's current list of spyware
definitions, the end user will be prompted before the software is
installed on their machine.
About the Configure custom variable override settings dialog box
Use this dialog box to manage your custom variable override
settings. Once configured, you can apply custom variable override
settings to a change settings task and deploy it to target devices
to change (or remove) their default custom variable override
settings.
Custom variable overrides let you configure exceptions to
custom variable values. In other words, with custom variable
override settings you can ignore or bypass a specific custom
variable condition so that a scanned device is not determined to be
vulnerable.
This dialog box contains the following options:
New: Opens the Custom variable override
settings dialog box where you can configure the options.
Edit: Opens the settings dialog box where you
can modify the selected custom variable override settings.
Copy: Opens a copy of the selected settings as
a template, which you can then modify and rename.
Delete: Removes the selected settings from the
database.
NOTE: The selected settings may currently be associated
with one or more tasks or managed devices. If you choose to delete
the settings, devices with those settings still have them and
continue to use them until a new change settings task is deployed;
scheduled tasks with those settings still run on target devices, as
do local scheduler tasks with those settings, until a new
configuration is deployed.
Close: Closes the dialog box, without applying
any settings to the task.
About the Custom variable override settings dialog box
Use this dialog box to create exceptions to custom variable
settings. Some system configuration security threat definitions
have variable settings that you can change before including them in
a security scan. Typically, antivirus definitions also have custom
variable settings.
With custom variables you can fine-tune security threat scanning
by modifying the values of one or more settings so that the scanner
checks for conditions you define, and therefore determines a device
to be vulnerable only if that condition is met (i.e., the value you
specify is detected). Custom variables are a global setting, so
when you scan for a security definition that includes a custom
variable, the device will always be determined to be vulnerable if
that custom variable condition is met.
NOTE: Edit Custom Variables right required
In order to edit custom variable settings, and configure custom
variable override settings, a LANDesk user must have the Edit
Custom Variables role-based administration right. Rights are
configured with the Users tool.
Custom variable override settings information can be viewed in
the device's Inventory view.
About the Definition group settings dialog box
Use this dialog box to create, edit, and select settings that
control how and where security definitions are downloaded based on
their type and/or severity.
This dialog box contains the following options:
Definition type and severity filters: Lists
definition group settings.
Type: Shows the definition type for the
selected group settings.
Severity: Shows the definition severity for
the selected group settings.
Status: Shows the status (Do not scan, Scan,
and Unassigned) for definitions that match the group settings when
they're downloaded. Status corresponds to the group nodes in the
tree view. Unassigned is the default status.
Group(s): Shows the group or groups where the
security definitions matching the type and severity criteria
specified above are placed. You can add and delete as many custom
groups as you like.
Autofix: If you've specified that downloaded
security definitions are set to Scan status (placed in the Scan
group), select this option if you want the vulnerabilities to have
autofix enabled.
About the Definition filter properties dialog box
Use this dialog box to define definition group settings. These
settings control how and where security definitions are downloaded
based on their type and/or severity.
This dialog box contains the following options:
Filter: Defines which security content
(definitions) will be placed in the group or groups selected below.
Definition type: Select the definition type
you want to download with your desired status and location.
Severity: Select the severity for the
specified definition type. If the type matches but the severity
does not, the definition will not be filtered by this
setting.
Action: Defines what you want to do with the
downloaded definitions and where you want them placed.
Set status: Select the status for the
downloaded definitions. Options include: Do not scan, Scan, and
Unassigned.
Set autofix: Select autofix if the status is
Scan and you want the security risk to be fixed automatically upon
detection.
Put definition in custom groups: Select one or
more groups with the Add and Delete buttons. You can select any of
the custom groups you've created, the Alert group, the Compliant
group, and several of the available security industry groups.
About the Alert settings dialog box
Use this dialog box to configure security-related alerting for
scanned devices, including both vulnerability and antivirus
alerting.
The Alert settings dialog box contains the following pages:
Definitions page
Use this page to configure security alerting. If you've added
security definitions to the Alert group, Patch and Compliance will
alert you whenever any of those definitions is detected on any
scanned device.
Minimum alert interval: Specifies the shortest
time interval (in minutes or hours) in which alerts for detected
vulnerabilities are sent. You can use this setting if you don't
want to be alerted too frequently. Set the value to zero if you
want instant, real-time alerting to occur.
Add to Alert group: Indicates which
vulnerabilities, by severity level, are automatically placed in the
Alert group during a content download process. Any definition
placed in the Alert group is also automatically placed in the Scan
group by default (in order to include those definitions in a
security scan task).
Antivirus page
Use this page to configure antivirus alerting.
Minimum alert level: Specifies the shortest
time interval (in minutes or hours) in which alerts for detected
viruses are sent. You can use this setting if you don't want to be
alerted too frequently. Set the value to zero if you want instant,
real-time alerting to occur.
Alert on: Indicates which antivirus events
generate alerts.
About the Rollup core settings dialog box
Use this dialog box to enable and configure automatic forwarding
of the latest security scan results to a rollup core server on your
network. Security scan data forwarding allows you to view real-time
vulnerability status for all of your managed devices in a large,
distributed enterprise network without having to manually retrieve
that data directly from the primary core server.
Every time the security scanner runs it writes a scan results
file to a folder called VulscanResults on the core server and
notifies the LANDesk Security web service, which adds the file to
the core database. If the rollup core settings are enabled and a
valid rollup core is identified, the rollup core reads the scan
results file into its own database, providing faster access to
critical vulnerability information.
The Rollup core settings dialog box contains the following
options:
Send scan results to rollup core immediately:
Enables immediate forwarding of security scan results to the
specified core server, using the method described above.
Use default rollup URL: Check this box if you
want the default URL to be used when the scan results file is sent
from the core server to the rollup core. Enter the name of the core
server, and then check this box to automatically insert the script
and Web address in the Rollup URL field.
Rollup core name: Identifies the rollup core
you want to receive the latest security scan results from the core
database.
Rollup URL: Specifies the Web address of the
rollup core receiving the security scan results and the destination
folder for the scan results file on the rollup core. The rollup URL
can either be automatically inserted by checking the Use default
rollup URL check box, or you can manually edit the field by clearing
the check box and entering the URL you want.
Patch and Compliance toolbar help
About the Purge patch and compliance definitions dialog box
Use this dialog box to completely remove definitions (and their
associated detection rules) from the core database.
NOTE: Requires the LANDesk Administrator right
A user must have the LANDesk Administrator right in order to
perform this task.
You may want to remove definitions if they have become obsolete,
are not working properly, or if the related security risk has been
totally resolved.
This dialog box contains the following options:
Platforms: Specifies the platforms whose
definitions you want to remove from the database. If a definition
is associated with more than one platform, you must select all of
its associated platforms in order for the definition and its
detection rule information to be removed.
Languages: Specifies the language versions of
the selected platforms whose definitions you want to remove from
the database. If you've selected a Windows or Macintosh platform,
you should specify the languages whose definition information you
want to remove. If you've selected a UNIX or Linux platform, you
must specify the Language neutral option in order to remove those
platforms' language-independent definition information.
Types: Specifies the content types whose
definitions you want to remove.
Purge: Completely removes definition and
detection rule information for the types you've selected that
belong to the platforms and languages you've specified.
This information can only be restored by downloading the content
again.
Close: Closes the dialog box without saving
changes and without removing definition information.
About the Security scan information view
Use this dialog box to view detailed patch deployment activity
and status for scanned devices on your network.
You can view scan results for:
Computers not recently reporting
Computers with no results
Computers needing patches by selected severity type
About the Threshold settings dialog box
Use this dialog box to define time periods for security scan
(patch deployment) results that appear in the Security scan
information dialog box.
Threshold for not recently scanned: Indicates
the maximum number of days to check for devices that haven't been
scanned for patch deployment.
About the Security and Patch Information dialog box
Use this dialog box to view detailed security information for
selected devices. You can view a device's scan results, detected
security definitions, missing and installed patches (or software
updates), and repair history.
Use the Clear button to remove all scan information from
the database for the selected devices.
You can also right-click a vulnerability (or other security
content type) in this view and directly create a repair task, or
enable/disable the autofix option for applicable security content
types.
Displayed information is based on the selected security content type
The group names and information fields that display on this page
are dynamic, depending on the security content type you select from
the Type drop-down list. For example, if you select
vulnerabilities, the following information fields display:
Missing Patches (Vulnerabilities Detected):
Lists all of the vulnerabilities detected on the device by the last
scan.
Installed Patches: Lists all of the patches
installed on the device.
Repair History: Shows information about the
remediation tasks attempted on the device. This information is
helpful when troubleshooting devices. To clear this data, click
Purge Repair History, specify the devices and time range
settings, and then click Purge.
Vulnerability Information:
Title: Displays the title of the selected
vulnerability.
Detected: Indicates whether the selected
vulnerability was detected.
First detected: Displays the date and time the
vulnerability was initially detected on the device. This
information can be useful if you've performed multiple scans.
Reason: Describes the reason why the selected
vulnerability was detected. This information can be useful in
helping you decide whether the security risk is serious enough to
prompt immediate remediation.
Expected: Displays the version number of the
file or registry key the vulnerability scanner is looking for. If
the version number of the file or registry key found on the scanned
device matches this number, the vulnerability does not exist.
Found: Displays the version number of the file
or registry key found on the scanned device. If this number is
different than the Expected number above, the vulnerability
exists.
Patch Information:
Patch Required: Displays the file name of the
patch executable required to remediate the selected
vulnerability.
Patch Installed: Indicates whether the patch
file has been installed.
Last action date: Displays the date and time
the patch was installed on the device.
Action: Indicates whether the last action was
an install or an uninstall.
Details: Indicates whether the
deployment/installation was successful. If an installation failed,
you must clear this status information before attempting to install
the patch again.
Clear: Clears the current patch installation
date and status information for the selected device. Clearing this
information is necessary in order to attempt to deploy and install
the patch again.