interchange patch manager

Post on 11-Feb-2017


Customer tools for the road ahead

SHIFT YOUR LANDESK INVESTMENT INTO OVERDRIVE

Learn more at Momentum.LANDESK.com

Carson Platero, Consultant, LANDESK Professional Services

LANDESK Patch Manager 2016

Agenda

o What’s new in LANDESK Patch Manager 2016
o Getting started
o How we scan and remediate
o Understanding the Patch and Compliance Tool
o Configure devices
o Managing Security Content
o Scanning devices
o Patching devices

LDMS Improvements to Patch Manager - Summary

o Improved Charts
o Improved Patch Definition Group options
o Ability to provide Tags for Definitions
o Integration with Rollout Projects tool
o Improved Icons

Dashboards and charts

Double-click to create a related query

Chart colors – can choose from different themes

Display the dashboard in a separate window

Copy to clipboard as an image

Download updates improvements

Apply group settings by Definition Type and Severity

Actions available:

o Assign Scan Status
o Assign Autofix Status
o Add to Custom Groups
o Assign Tags
o Add to rollout projects

Definition Tagging

Add one or more tags to patch definitions

Add specific tags based on Download Updates Definition group filter criteria

Integration with Rollout Projects Tool

LANDESK Patch and Compliance: “Why”

Main tasks for configuring Patch and Compliance

o Configure the LANDESK Agent Security and Compliance Settings
o Download vulnerability definitions from a LANDESK Content Server
o Create a scan job to detect vulnerabilities in your environment
o Use the scan results to determine what you are going to patch in your environment
o Download patches for detected vulnerabilities
o Repair detected vulnerabilities by installing patches to affected devices
o View reports to see patch status and repair history

Managing Content

What is the definition of a definition?

Understand LANDESK Content types

o Linux: Security Threats and Vulnerabilities

o Mac: Security Threats, Antivirus (Kaspersky, LANDESK, McAfee and Symantec)

o Windows:

o Antivirus updates for LANDESK Antivirus and for 3rd party Antivirus vendors.

(Avast, AVG, Avira, Bitdefender, Bullguard, eScan, ESET, eTrust, Gdata, Kaspersky, McAfee, Microsoft Forefront, Windows Defender, Panda, Shavlik, Sophos, Symantec, Trend Micro, and Vipre)

o Driver Updates: Dell Poweredge Servers, HP Client, Lenovo Think Client, Lenovo Thinkserver, Microsoft

o Applications to block (Malware, Hacking Tools, Etc)

o LANDESK File Reputation

o Microsoft Windows Security Threats

o Microsoft Windows Spyware

o SCAP (Security Content Automation Protocol)

o Software Updates (Intel, LANDESK, Lenovo, Thinkvantage)

o Vulnerabilities

(7-zip, Acro Software, Adobe, AOL, Apple, Box, Cisco, Citrix, Filezilla, Foxit, GlavSoft, Google, HP, IAC, IBM, ICQ, IDM, Intel, LibreOffice, McAfee, Microsoft, Mozilla, Notepad++, Nuance, Nullsoft, OpenOffice, Opera, Oracle, Pidgin, Qualcomm, RealNetworks, RealVNC, Skype, Sun, TechSmith, The Gimp Team, TortoiseSVN, TightVNC, Trend Micro, UltraVNC, VideoLAN, VMWare, Winzip, Wireshark, Xmind, Yahoo)

Content scanning and remediation behavior

Selecting and downloading content types

Vulnerability Content

LANDESK Content comes in different categories. A regular schedule should be configured to download Security and Patch content at regular intervals.

Different content types can have separate download tasks.

Managing downloaded content

Many customers patch monthly. Definition Group Settings can be used to sort definitions into groups and rollout projects.

New distribution group settings options in LDMS 2016

LDMS 2016 offers great flexibility in organizing downloaded content automatically

New tabbed interface in the Download Updates tool

o Filter
o Scan
o Autofix
o Groups and Tags
o Rollout Projects

Patch Group Examples

0 New Patches 1 Pilot Baseline

Year

“I’ve downloaded content… Now what?”

Which Patches Should I Deploy?

o 11,000+ Windows Vulnerabilities
o Severity
o Microsoft NA – carefully review before deploying
o Use Filters
o Suffixes: _Manual, _Upgrade, _Fixit, _Detect_Only, _All_Updates

Patch Definition Review

o Replaced By
o Repairable
o Detected
o Multiple Versions
o Upgrade Product

Disable Replaced Rules

o Check once in a while
o Scan – Replaced or Partial Replaced

Agent Configuration

Agent Settings

Configuring Agent Settings

The Agent Configuration settings are in the Agent Configuration Tool. These settings control behavior when scanning and repairing vulnerabilities on the client.

These settings include such things as whether or not the user will see the Vulnerability Scanner interface, options to defer repairs, reboot behaviors, scanning and repair schedules, etc.

Patch Maintenance

Meaningful Name State AND Time Windows Only Scan and Download

Now Repair\Reboot

in Window Reboot Settings

Must Agree

Pre-Repair / Post-Repair

o Succeeded=true Or Zero (0)
o Message=“Hello World”
o If running script depends on file being there or access to share

Scanning and Repair

Getting the work done

Scanning Devices

Scanning of your devices can be started in several ways:

1. Right-click computer and select “Patch and Compliance scan now…”
2. Regular schedule driven by the local scheduler on the client
3. Running Vulscan.exe (Vulnerability scanner) from the command line
4. As part of a repair by right-clicking on a group and clicking “Repair” (in this case the scan and the repair will both be run in succession)

Typically vulnerability scans should be run daily.

Reviewing scan results

After scanning your environment, those vulnerabilities that have been found will show up in the Detected section of the tree.

You can then take action on them by multi-selecting and then choosing right-click repair, or drag them into a group, etc.

Repairing vulnerabilities

Repairing vulnerabilities can be initiated in several ways including the following:

o Right-click definitions and choose “Repair” (Up to 100 at a time)
o Right-click a group and choose “Repair” (Can be greater than 100)
o Autofix (or Autofix by Scope)
o As part of a rollout project

Repair by Group

o Dynamic
o Can contain more than 100 definitions
o Will repair definitions at that level or below
o Useful for repairing baseline plus recent tested patches

Troubleshooting

What to do if reboot and retry fail

Clean Repair History

o Right-click Device -> Security and Patch Information -> Clean/Repair History
o Lookup Wusa.exe and MSIExec errors
o Patch Download – make sure core has downloaded patch

Reboot and Try Again (Why!)

o Detection is often based upon file scanning
o Without a reboot old file is still in place

If a definition is still detected after a reboot, try running the patch manually on the workstation. A more useful error message may be displayed.
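The reboot reasoning above can be checked on the workstation before rescanning. This PowerShell is an added example, not part of the original slides and not LANDESK code; the function names are illustrative, the registry paths are the standard Windows pending-reboot locations, and the exit-code table covers only a few common msiexec.exe and wusa.exe values.

```powershell
# Added example, not LANDESK code. Function and variable names are illustrative.
# Standard Windows locations that record work deferred until the next reboot.
$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$RebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)

# A few exit codes commonly returned by msiexec.exe and wusa.exe.
$InstallerExitCodes = @{
    0          = 'Success'
    1603       = 'MSI: fatal error during installation'
    1618       = 'MSI: another installation is already in progress'
    1641       = 'Success: installer started a reboot'
    3010       = 'Success: reboot required to finish'
    0x00240006 = 'WUSA: update already installed'
    0x80240017 = 'WUSA: update not applicable to this system'
}

function Get-PendingFileReplacement {
    # Returns the file moves/deletes Windows has queued for the next boot.
    param([string]$NameLike = '*')
    $raw = (Get-ItemProperty -Path $SessionMgr -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    # REG_MULTI_SZ of source/destination pairs; an empty destination means delete.
    for ($i = 0; $i + 1 -lt @($raw).Count; $i += 2) {
        $src = $raw[$i]     -replace '^!?\\\?\?\\', ''
        $dst = $raw[$i + 1] -replace '^!?\\\?\?\\', ''
        if ($src -like $NameLike -or $dst -like $NameLike) {
            [pscustomobject]@{ Source = $src; Destination = $dst }
        }
    }
}

function Test-RebootBeforeRescan {
    # True when a rescan would still see pre-patch files or servicing state.
    $flagged = $RebootKeys | Where-Object { Test-Path $_ }
    [bool]($flagged -or (Get-PendingFileReplacement))
}

function Resolve-InstallerExitCode {
    param([int]$Code)
    if ($InstallerExitCodes.ContainsKey($Code)) { $InstallerExitCodes[$Code] }
    else { 'Unlisted code {0} (0x{0:X8}); check the installer log' -f $Code }
}

# Constructed usage: the file name pattern below is a sample value.
# Test-RebootBeforeRescan
# Get-PendingFileReplacement -NameLike '*mshtml.dll'
# Resolve-InstallerExitCode -Code 3010
```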

Custom Definitions

Plagiarism is Good

Custom Definitions Made Easy

o Take what’s there and make it new again!
o Right-click Definition -> Clone -> Change -> Save

Custom Variables

Change Install Behavior of Patches

Close Browsers and Apps Used by Install Actions

Query Filter

o Only Used in Custom Defs
o Target Double Check
o Does Hit Database

Stop Processes

Distribution and Patch Setting must be set to Kill Processes

Install Actions

o Use
o Reuse
o Change

Hands on Lab

Thank you

Your feedback is welcome. Please fill out the survey for this session in the interchange 16 app.