Managing security content and patches

This section provides information on downloading, viewing, and organizing security content; downloading and working with patches; and creating and using custom definitions.

NOTE: Scanning and remediating devices
For information on performing security and compliance scans on managed devices for all types of security risks (such as OS and application vulnerabilities, software updates, spyware, system configuration exposures, etc.), remediating affected devices, as well as generating security alerts, logging, and reports, see Scanning and remediating devices.

Read this section to learn about:

Managing security content

Working with patches

Using custom definitions

Downloading security content

Your network and devices are continuously vulnerable to security risks and exposures from many harmful sources: worms, viruses, spyware, as well as ordinary maintenance issues like software updates and bug fixes. Patches are released regularly to repair inevitable operating system and application vulnerabilities. The Patch and Compliance tool makes the process of gathering the latest definitions and patches for each security type quick and easy by letting you download content from a LANDesk-hosted database. The LANDesk Security Suite service consolidates known definitions from trusted industry and vendor sources and sends reliable information directly to you.

NOTE: Patch and Compliance also supports custom vulnerability definitions
In addition to known vulnerabilities, you can also create your own custom vulnerability definitions and associated detection rules. For more information, see Creating custom definitions and detection rules.

By establishing and maintaining up-to-date security content, you can better understand the nature and extent of the security risks for each platform and application you support, determine which vulnerabilities and other types of risks are relevant to your environment, and customize security scanning and remediation tasks. The first step in this security management strategy is to download a current listing of the latest known security content.

Using Download Updates

Use the Download Updates dialog box (Tools > Security > Patch and Compliance > Download Updates) to configure and perform security content updates at once, or create a scheduled update task to occur at a set time or as a recurring task (see Scheduling automatic security content updates).

NOTE: Only one LANDesk user on a specific core server (including additional consoles) can update security content at a time. If a user attempts to update content while the process is already running, a message prompt appears indicating there is a conflict.

To download security content (and patches)
  1. Click Tools > Security > Patch and Compliance.
  2. Click the Download updates toolbar button.
  3. Select the update source site from the list of available content servers.
  4. Select the definition types whose security content you want to update. You can select one or more types in the list depending on your LANDesk Security Suite content subscription. The more types you select, the longer the update will take.
  5. Select the languages whose content you want to update for the types you've specified.

    Some vulnerability and other definition types, and any associated patches, are language neutral or independent, meaning they are compatible with any language version of the OS or application addressed by that definition. In other words, you don't need a unique language-specific patch to remediate those vulnerabilities because the patch covers all supported languages. For example, Linux and UNIX platforms use only language neutral definitions and patches. However, Microsoft Windows and Apple Macintosh platform vulnerability definitions and patches are nearly always language specific.

    When downloading content for any platform (with the appropriate subscription), all of the selected platform's language neutral vulnerability definitions are automatically updated by default. If you've selected a Windows or Mac content type, you must also select the specific languages whose definitions you want to update. If you've selected the Sun Solaris or a Linux platform, you do not have to select a specific language because their content is language neutral and will be updated automatically.

  6. If you want new content (content that does not already reside in any groups) to automatically be placed in the Unassigned group instead of the default location, which is the Scan group, select the Put new definitions in the Unassigned group check box.
  7. If you want to automatically download associated patch executable files, click the Download patches check box, and then click one of the download options. (NOTE: Patches are downloaded to the location specified on the Patch Location page of the Download updates dialog box.)

  8. If you have a proxy server on your network that is used for external Internet transmissions (which is required to update security content and download patches), click Proxy Settings and specify the server's address, port number, and authentication credentials if a login is required to access the proxy server.
  9. Click Apply at any time to save your settings.
  10. Click Update Now to run the security content update. The Updating Definitions dialog box (see below) displays the current operation and status. (To create a scheduled task, click Schedule Update.)
  11. When the update has completed, click Close. Note that if you click Cancel before the update is finished, only the security content that has been processed to that point is downloaded to the core database. You would need to run the update again in order to obtain all of the remaining security content.

NOTE: Do not close the console while a security content update is running or the process will be terminated. However, this rule does not apply to a Download Security Content scheduled task, which will finish processing even if the console is closed while it is running.

To configure the patch download location
  1. On the Download updates dialog box, click the Patch Location tab.
  2. Enter a UNC path where you want the patch files copied. The default location is the core server's \LDLogon\Patch directory.
  3. If the UNC path entered above is to a location other than the core server, enter a valid username and password to authenticate to that location.
  4. Enter a Web URL where devices can access the downloaded patches for deployment. This Web URL should match the UNC path above.
  5. You can click Test Settings to check to see if a connection can be made to the Web address specified above.
  6. If you want to restore the UNC path and Web URL to their default locations, click Restore to Default. Again, the default storage location is the core server's \LDLogon\Patch directory.

Scheduling automatic security content updates

You can also configure security content updates as a scheduled task to occur at a set time or as a recurring task. To do this, simply click the Schedule download toolbar button. The Scheduled update information dialog box shows task-specific settings for the task. Click OK to create a Download Security Content task in the Scheduled Tasks window, where you can specify the scheduling options.

NOTE: Task-specific settings and global settings
Note that only the definition types, languages, and definition and patch download settings are saved and associated with a specific task when you create it. Those three settings are considered task specific. However, all of the settings on the other pages of the Download updates dialog box are global, meaning they apply to all subsequent security content download tasks. Global settings include: patch download location, proxy server, spyware autofix, security alerts, and antivirus. Any time you change a global setting, it is effective for all security content download tasks from that point on.

Viewing security content

After security content has been updated with the LANDesk Security service, you can view the definitions and detection rules (for vulnerabilities and custom definitions) only in their respective groups in the Patch and Compliance tool window.

Use the Type drop-down list to view content for a specific definition type or for all definition types. You can also use the Filter control to further customize the content you want to display.

Once security content has been downloaded, you can move items into different status groups, or copy them into your own custom groups. For information on how to use the different groups, see Understanding and using the Patch and Compliance tool.

You can also view property details for each of the updated definitions and detection rules by right-clicking an item and selecting Properties. This information can help you determine which definitions are relevant to your network's supported platforms and applications, how detection rules check for the presence of definitions, what patches are available, and how you want to configure and perform remediation for affected devices.

NOTE: Custom definitions can be modified
If you select a downloaded industry definition, its properties dialog box is primarily for information viewing purposes only. However, if you select a custom definition, or are creating a new custom definition, the pages and fields in the properties dialog box are editable, allowing you to define the definition and its detection rules.

Searching for vulnerabilities by CVE names

LANDesk supports the CVE (Common Vulnerabilities and Exposures) naming standard. With Patch and Compliance you can search for vulnerabilities by their CVE names, and view CVE information for downloaded vulnerability definitions.

For more information about the CVE naming convention, LANDesk compatibility with the CVE standard, and how to use CVE identification to find individual security vulnerability definitions, see Using CVE names.

Using filters to customize item lists

The Filter drop-down list lets you create and apply custom display filters to control the items that display in the right-hand frame of the tool window. Filters can help you streamline a large amount of security content. You can filter content by operating system and severity.

The Filter control can be used in conjunction with the Type control to display exactly the security content you're interested in viewing.

To create a new display filter
  1. In Patch and Compliance, click the Filter drop-down list, and then click Manage filters.
  2. Click New.
  3. Enter a name for the new filter.
  4. If you want to filter content by operating system, click the check box, and then select the operating systems you want to display.
  5. If you want to filter by the severity of the definition, click the check box, and then select the severities you want to display. Click OK.

To apply a filter to a content group's display
  1. Click the content group in the left-hand pane of the window.
  2. Click the Filter drop-down list, and then select a filter from the list.

Purging unused definitions

You can purge unused definitions from the Patch and Compliance tool window and the core database if you determine that they aren't relevant to your environment or if a successful remediation makes the information obsolete.

When you purge definitions, associated detection rule information is also removed from the Detection Rules groups in the tree view. However, the actual associated patch files aren't removed by this process. Patch files must be removed manually from the local repository, which is typically on the core server.

To purge unused definitions
  1. Click Tools > Security > Patch and Compliance.
  2. Click the Purge unused definitions toolbar button.
  3. Select the platforms whose definitions you want to remove. You can select one or more platforms in the list. If a definition is associated with more than one platform, you must select all of its associated platforms in order for the definition to be removed.
  4. Select the languages whose definitions you want to remove (associated with the platforms selected above). If you select a Windows or Macintosh platform above, you should specify the languages whose definitions you want to remove. If you select a UNIX or Linux platform above, you must specify the Language neutral option in order to remove their language independent definitions.
  5. Click Remove.

Viewing security information for a scanned device

You can also view information specific to scanned devices directly from the network view by right-clicking one or more selected devices, and then clicking Security and Patch Information.

This dialog box lets you view detection, installation, and repair history, and perform patch management tasks.

Working with patches

The following section describes various tasks that can be performed specifically with patch executable files.

Downloading patches

In order to deploy security patches to affected devices, the patch executable file MUST first be downloaded to a local patch repository on your network. The default location for patch file downloads is this directory on the core server:

/LDLogon/Patches

You can change this location on the Patch Location page of the Download updates dialog box.

You can download one patch at a time, or a set of patches together.

NOTE: Patch download location and proxy server settings
Patch downloads always use the download location settings currently found on the Patch Location page of the Download updates dialog box. Also note that if your network uses a proxy server for Internet access, you must first configure the proxy server's settings on the Proxy Settings page before you can download patch files.

Patch and Compliance first attempts to download a patch file from the URL (shown on the Patch Properties dialog box). If a connection can't be made, or if the patch is unavailable for some reason, then the patch is downloaded from the LANDesk Security content service, which is a LANDesk-hosted database containing patches from trusted industry sources.

Download methods

Use one of the following methods to download patches:

You can download patches from the Download Updates dialog box concurrently with their associated security definitions. This procedure is described above; see Using Download Updates.

You can also download patches directly from a detection rule or a security definition.

To download patches from a detection rule
  1. From any Detection Rules group, right-click a detection rule, and then click Download Patch. (You can also download patches for custom definitions from the detection rule dialog box when creating or editing a custom definition.)
  2. Or, to download a set of patches, select any number of rules in any Detection Rules group, right-click the selection, and then click Download Patch.
  3. The download operation and status displays in the Downloading Patches dialog. You can click Cancel at any time to stop the entire download process.
  4. When the download is finished, click the Close button.

NOTE: With a detection rule, you can also download patches from its properties dialog box (Properties > Patch Information > Download).

To download associated patches from a security definition
  1. Right-click the security definition(s), and then click Download associated patches.
  2. Select whether to download all associated patches or only current patches.
  3. Click Download.

For more information on patch file download status, see Understanding and using the Patch and Compliance tool.

Uninstalling patches (patch rollback)

You can uninstall (i.e., roll back) patches that have been deployed to managed devices. For example, you may want to uninstall a patch that has caused an unexpected conflict with an existing configuration. By uninstalling the patch, you can restore the device to its original state.

To uninstall or roll back a patch
  1. From any detection rule listing, right-click one or more rules, and then click Uninstall Patch.
  2. Enter a name for the uninstall task.
  3. Specify whether the uninstall is a scheduled task or a policy-based scan, or both.
  4. If you selected scheduled task, specify the devices from which you want to uninstall the patch.
  5. If the patch can't be uninstalled without accessing its original executable file (i.e., to use command-line parameters), and you want to deploy the executable using Targeted Multicast, select the Use multicast check box. To configure Multicast options, click the Multicast Options button. For more information, see About the Multicast options dialog box.
  6. If you selected policy, and you want to create a new query based on this uninstall task that can be used later, click the Add a query check box.
  7. Select a scan and repair setting from the available list (or create custom settings for this scan) to determine how the scanner operates on end user devices.
  8. Click OK. For a scheduled task, you can now add target devices and configure the scheduling options in the Scheduled tasks tool. For a policy, the new policy appears in the Application Policy Management window with the task name specified above. From there you can add static targets (users or devices) and dynamic targets (query results), and configure the policy's type and frequency.

If a patch installation failed, you must first clear the install status information before attempting to install the patch again. You can clear the install (repair) status for the selected device by clicking Clear on the Security and Patch Information dialog box. You can also clear the patch install status by vulnerability.

Removing patches from the core database

To remove patch files permanently, you must delete them from the patch repository, which is typically on the core server.

Using custom definitions

Creating custom definitions and detection rules

In addition to the known vulnerabilities that you update via the Patch and Compliance tool, you can also create your own custom (or user-defined) definitions, complete with custom detection rules, associated patch files, and special additional commands to ensure successful remediation.

Vulnerability definitions consist of a unique ID, title, publish date, language, and other identifying information, as well as the detection rules that tell the security scanner what to look for on target devices. Detection rules define the specific platform, application, file, or registry conditions that the security scanner checks for in order to detect a vulnerability (or practically ANY system condition or status) on scanned devices.

Custom vulnerability definitions are a powerful, flexible feature that lets you implement an additional, proprietary level of patch security on your LANDesk system. In addition to enhancing patch security, custom vulnerabilities can be used to assess system configurations, check for specific file and registry settings, and deploy application updates, among other innovative uses that take advantage of the scanning capabilities of the vulnerability scanner.

NOTE: Creating custom blocked application definitions
You can also create your own custom definitions for the blocked application type. From the Type drop-down list, select Blocked Applications, enter an executable filename and a descriptive title for the definition, and then click OK.

Custom definitions don't necessarily have to perform remediation actions (deploying and installing patch files). If the custom definition is defined with a Detect Only detection rule or rules, the security scanner checks target devices and simply reports back the devices where the rule's prescribed condition (i.e., the vulnerability) is found. For example, you can write a custom Detect Only rule for the security scanner to check managed devices for the following:

You can create as many custom vulnerability definitions as you need to establish and maintain the optimal level of patch security for your environment.

Creating custom definitions

To create custom definitions
  1. Click Tools > Security > Patch and Compliance.
  2. From the Type drop-down list, select All Types or Custom Definitions. (The Create custom definition toolbar button is available only with one of these two types selected; or with the Blocked Applications type selected, if you want to create a custom blocked application definition.)
  3. Click the Create custom definition toolbar button. An editable version of the properties dialog box opens, allowing you to configure vulnerability settings.
  4. Enter a unique ID for the vulnerability. (The system-generated ID code can be edited.)
  5. The type is a Custom Definition and can't be modified.
  6. The publish date is today's date and can't be modified.
  7. Enter a descriptive title for the vulnerability. This title displays in vulnerability lists.
  8. Specify the severity level. Available options include: Unknown, Service Pack, Critical, High, Medium, Low, and Not Applicable.
  9. Specify the status for the vulnerability. Available options include: Don't Scan, Scan, and Unassigned. When you specify a status, the vulnerability is placed in the corresponding group in the tree view (see Tree view).
  10. The language setting for user-defined vulnerabilities is automatically set to INTL (International or Language neutral, which means the vulnerability can be applied to any language version of operating systems and/or applications).
  11. The Detection Rules list displays all the rules used by this vulnerability. If you are creating a new custom vulnerability, you should configure at least one detection rule that is used by the security scanner to scan devices for the vulnerability. To add detection rules, click Add. (See the procedure below for step-by-step instructions.)
  12. If you want to provide additional information about this vulnerability, click Description and type your comments in the text box and/or enter a valid Web address where more information is posted.

As with known vendor vulnerabilities, custom vulnerabilities should include one or more detection rules that tell the security scanner what conditions to look for when scanning managed devices. Follow the steps below to create a detection rule for a custom vulnerability.

Creating custom detection rules

To create custom detection rules
  1. Right-click a custom definition, and then click Properties. (Or double-click the vulnerability definition.)
  2. Click the Add button located under the Detection Rules list. An editable version of the Rules Properties dialog box opens at the dialog box's General Information page, allowing you to configure a detection rule.
  3. At the General Information page, enter a unique name for the rule. The rule's status cannot be modified here. To change the status of a detection rule, right-click the rule in any list view, and then click Enable or Disable, depending on the current state. The rule's definition information cannot be modified here either. However, you can enter any information you want in the Comments box.
  4. Use the various pages of the Rules Properties dialog box to define the detection rule, as described in the rest of this procedure.
  5. Open the Detection Logic pages.
  6. At the Affected Platforms page, select the platforms you want the security scanner to run on to check for this detection rule's definition. The list of available platforms is determined by the vulnerabilities you've updated via the Patch and Compliance tool. Click Load default platform list to add the available platforms to the list. You must select at least one platform.
  7. At the Affected Products page, associate the rule with one or more specific software applications. First, click Edit to open the Selected Affected Products dialog box where you can add and remove products in the Affected Products list (this list can be shortened if you like, by clicking the check box at the bottom of the dialog box). The list of available products is determined by the content you've updated. You do not need to have a product associated with a detection rule. Associated products act as a filter during the security scan process. If the specified associated product isn't found on the device, the scan quits. However, if the product is found, or if no products are specified, the scan continues to the files check.
  8. At the Files page, configure specific file conditions that you want the rule to scan for. Click Add to make the fields on this page editable. The first step in configuring a file condition is to specify the verification method. The fields on this page depend on the verification method you select. To save a file condition, click Update. You can add as many file conditions as you like. For a detailed description of this option, see About the Detection logic: Files used for detection page.
  9. At the Registry Settings page, configure specific registry conditions that you want the rule to scan for. Click Add to make the fields editable. To save a registry condition, click Update. You can add as many registry conditions as you like. For a detailed description of this option, see About the Detection logic: Registry settings used for detection page.
  10. At the Custom Script page, you can create a custom VB script to assist with detection for this detection rule. The security scanner's runtime properties that can be accessed with a custom script to report its results are: Detected, Reason, Expected, and Found.

    NOTE: You can click the Use editor button to open your default script editing tool, associated with this file type. When you close the tool you're prompted to save your changes in the Custom Script page. If you want to use a different tool you have to change the file type association.

  11. At the Patch Information page, specify whether the vulnerability associated with this detection rule can be repaired or can only be detected on your managed devices. If you select the repair option, the Patch Download Information and Repair Information fields become editable.
  12. If you can repair by deploying a patch, enter the URL to that patch file and specify whether it can be downloaded automatically. (You can attempt to download the associated patch file at this time by clicking Download, or you can download it at another time.)
  13. Also, if you can repair by deploying a patch, enter a unique filename for the patch file and specify whether the patch requires a reboot in order to complete remediation and whether the patch requires user input during remediation. (For a detection rule that includes remediation, we strongly recommend you create a hash for the patch file by clicking Generate MD5 Hash. The actual patch file must be downloaded before you can create a hash. For more information on the hash, see About the Detection rule: General information page.)
  14. For a rule that allows remediation of the associated vulnerability, you can configure additional commands that are run during the remediation process on affected devices. To configure additional remediation commands, click the Patch Install Commands page, and then click Add to select a command type and to make the command's argument fields editable. Additional patch install commands are NOT required. If you don't configure special commands, the patch file executes as it normally would by itself. For a detailed description of this option, see About the Patch install commands page.
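
The following is an added example of a Detect Only custom script for the Custom Script page (step 10); it is not from the LANDesk documentation or product. It assumes the four scanner runtime properties listed above are exposed to the script as assignable variables named Detected, Reason, Expected, and Found, and the registry path, value name, and required value are hypothetical placeholders for your own configuration check.

```vbscript
' Added example (not LANDesk's own code): a Detect Only custom detection script.
' Assumption: the scanner reads the script variables Detected, Reason, Expected
' and Found after the script runs, as described on the Custom Script page.
' The registry value and required version below are hypothetical placeholders.

Const REG_VALUE_PATH = "HKLM\SOFTWARE\ExampleCorp\Agent\ConfigVersion"   ' hypothetical
Const REQUIRED_VERSION = 5                                                ' hypothetical

Dim shell, currentValue

Set shell = CreateObject("WScript.Shell")

' RegRead raises an error when the value does not exist, so trap it and
' report the device as affected with a clear reason rather than failing silently.
On Error Resume Next
currentValue = shell.RegRead(REG_VALUE_PATH)
If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    Detected = True
    Reason = "Registry value " & REG_VALUE_PATH & " is missing"
    Expected = CStr(REQUIRED_VERSION)
    Found = "<not present>"
Else
    On Error GoTo 0
    Expected = CStr(REQUIRED_VERSION)
    Found = CStr(currentValue)

    If Not IsNumeric(currentValue) Then
        ' A non-numeric value is a misconfiguration: flag it instead of comparing it.
        Detected = True
        Reason = "ConfigVersion is not a numeric value"
    ElseIf CLng(currentValue) < REQUIRED_VERSION Then
        ' Below the required level: the condition this rule looks for is present.
        Detected = True
        Reason = "ConfigVersion is below the required level"
    Else
        ' At or above the required level: nothing to report for this device.
        Detected = False
        Reason = "ConfigVersion meets the required level"
    End If
End If

Set shell = Nothing
```

Because the rule is Detect Only, the scanner records the device as affected (with Reason, Expected, and Found shown in its results) and performs no remediation.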

Now that you've created a custom vulnerability definition, you can do the same things with it as you would with a known vulnerability from an industry source. You can set the vulnerability's status to Scan or place it in the Scan group to be included in the next security scan, place it in the Don't Scan or Unassigned group, view affected computers, enable Auto Fix, create a repair job, or clear scan/repair status. To choose an option, right-click a custom vulnerability definition to access its shortcut menu.

Two operations that are unique to user-defined definitions are importing and exporting, and deleting.

Importing and exporting custom definitions

The Patch and Compliance tool provides a way for you to import and export custom definitions and their detection rules. You can't import and export known industry vulnerability definitions.

Custom definitions are exported and imported as an XML-formatted file.

Import and export is useful if you want to share custom definitions with other core servers. Exporting makes it possible for you to save a backup copy for a definition that you want to remove temporarily from the core database.

You can also use the export/import feature to export a definition, manually edit the exported file as a template and save multiple variations of the definition, and then import the new definitions. If the definition is complex, this procedure can be faster and easier than creating multiple definitions in the console.

To export custom definitions
  1. From a Custom Definitions list, select one or more custom definitions.
  2. Click the Export toolbar button. (Or, right-click the selected definitions, and then click Export.)
  3. Enter the path to the folder where you want to export the definitions as an individual XML file.
  4. If you've exported the definitions before to the specified location and you want to replace them, click Overwrite existing definitions.
  5. Click Export, and check the Export Status window to see whether the definitions are successfully exported.
    NOTE: An exported definition continues to exist in the core database, and therefore still appears in the Custom Definitions group that corresponds to its status: Unassigned, Scan, or Don't Scan.
  6. Click Close.

To import custom definitions
  1. In Patch and Compliance, click the Import Custom Definitions toolbar button.
  2. Locate and select one or more definitions (in the XML file you want to import), and then click Open. If the definition already exists in the core database, you're prompted whether you want to overwrite it. Check the status window to see whether the definition is successfully imported.
  3. Click Close. Imported definitions (new and updated) are placed in the Custom Definitions Unassigned group.

Deleting custom definitions

If you no longer need a custom definition, you can delete it. Deleting a custom definition removes its information and its associated detection rules from the core database, and from the Patch and Compliance tool window. (Exporting does not remove the definition information.)

As with purging known vulnerability information, deleting custom definitions does not remove any downloaded associated patch files. Patch files must be removed manually from the patch repository.

To delete custom definitions, select one or more custom definitions, and then click the Delete selected custom definitions button in the toolbar.

NOTE: Restoring exported custom definitions
If you delete a custom definition that had previously been exported as an XML file, you can restore that definition by importing it back into the database via the Patch and Compliance tool.