Fixing third-party software vulnerabilities

This section describes the features of Kaspersky Security Center that relate to fixing vulnerabilities in the software installed on managed devices.

Scenario: Finding and fixing third-party software vulnerabilities

This section provides a scenario for finding and fixing vulnerabilities on the managed devices running Windows. You can find and fix software vulnerabilities in the operating system and in third-party software, including Microsoft software.

Prerequisites

• Kaspersky Security Center is deployed in your organization.
• There are managed devices running Windows in your organization.
• Internet connection is required for Administration Server to perform the following tasks:
  • To make a list of recommended fixes for vulnerabilities in Microsoft software. The list is created and regularly updated by Kaspersky specialists.
  • To fix vulnerabilities in third-part software other than Microsoft software.

Stages

Finding and fixing software vulnerabilities proceeds in stages:

1. Scanning for vulnerabilities in the software installed on the managed devices

   To find vulnerabilities in the software installed on the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

   The Find vulnerabilities and required updates task is created automatically by Kaspersky Security Center Quick Start Wizard. If you did not run the Wizard, start it now or create the task manually.

   How-to instructions:

   • Administration Console: Scanning applications for vulnerabilities, Scheduling the Find vulnerabilities and required updates task
   • Kaspersky Security Center 13.1 Web Console: Creating the Find vulnerabilities and required updates task, Find vulnerabilities and required updates task settings
2. Analyzing the list of detected software vulnerabilities

   View the Software vulnerabilities list and decide which vulnerabilities are to be fixed. To view detailed information about each vulnerability, click the vulnerability name in the list. For each vulnerability in the list, you can also view the statistics on the vulnerability on managed devices.

   How-to instructions:

   • Administration Console: Viewing information about software vulnerabilities, Viewing statistics of vulnerabilities on managed devices
   • Kaspersky Security Center 13.1 Web Console: Viewing information about software vulnerabilities, Viewing statistics of vulnerabilities on managed devices
3. Configuring vulnerabilities fix

   When the software vulnerabilities are detected, you can fix the software vulnerabilities on the managed devices by using the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task.

   The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task allows you to install multiple updates and fix multiple vulnerabilities according to certain rules. Note that this task can be created only if you have the license for the Vulnerability and Patch Management feature. To fix software vulnerabilities the Install required updates and fix vulnerabilities task uses recommended software updates.

   The Fix vulnerabilities task does not require the license option for the Vulnerability and Patch Management feature. To use this task, you must manually specify user fixes for vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for third-party software.

   You can start Vulnerabilities Fix Wizard that creates one of these tasks automatically, or you can create one of these tasks manually.

   How-to instructions:

   • Administration Console: Selecting user fixes for vulnerabilities in third-party software, Fixing vulnerabilities in applications
   • Kaspersky Security Center 13.1 Web Console: Selecting user fixes for vulnerabilities in third-party software, Fixing vulnerabilities in third-party software, Creating the Install required updates and fix vulnerabilities task
4. Scheduling the tasks

   To be sure that the vulnerabilities list is always up-to-date, schedule the Find vulnerabilities and required updates task to run it automatically from time to time. The recommended average frequency is once a week.

   If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Fix vulnerabilities task, note that you have to select fixes for Microsoft software or specify user fixes for third-party software every time before starting the task.

   When scheduling the tasks, make sure that a task to fix vulnerability starts after the Find vulnerabilities and required updates task is complete.

5. Ignoring software vulnerabilities (optional)

   If you want, you can ignore software vulnerabilities to be fixed on all managed devices or only on the selected managed devices.

   How-to instructions:

   • Administration Console: Ignoring software vulnerabilities
   • Kaspersky Security Center 13.1 Web Console: Ignoring software vulnerabilities
6. Running a vulnerability fix task

   Start the Install required updates and fix vulnerabilities task or the Fix vulnerability task. When the task is complete, make sure that it has the Completed successfully status in the task list.

7. Create the report on results of fixing software vulnerabilities (optional)

   To view detailed statistics on the vulnerabilities fix, generate the Report on vulnerabilities. The report displays information about software vulnerabilities that are not fixed. Thus you can have an idea about finding and fixing vulnerabilities in third-party software, including Microsoft software, in your organization.

   How-to instructions:

   • Administration Console: Creating and viewing a report
   • Kaspersky Security Center 13.1 Web Console: Generating and viewing a report
8. Checking configuration of finding and fixing vulnerabilities in third-party software

   Be sure that you have done the following:

   • Obtained and reviewed the list of software vulnerabilities on managed devices
   • Ignored software vulnerabilities if you wanted
   • Configured the task to fix vulnerabilities
   • Scheduled the tasks to find and to fix software vulnerabilities so that they start sequentially
   • Checked that the task to fix software vulnerabilities was run

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the vulnerabilities are fixed on the managed devices automatically. When the task is run, it correlates the list of available software updates to the rules specified in the task settings. All software updates that meet the criteria in the rules will be downloaded to the Administration Server repository and will be installed to fix software vulnerabilities.

If you have created the Fix vulnerabilities task, only software vulnerabilities in Microsoft software are fixed.

About finding and fixing software vulnerabilities

Kaspersky Security Center detects and fixes software

Finding software vulnerabilities

To find software vulnerabilities, Kaspersky Security Center uses characteristics from the database of known vulnerabilities. This database is created by Kaspersky specialists. It contains information about vulnerabilities, such as vulnerability description, vulnerability detect date, vulnerability severity level. You can find the details of software vulnerabilities on Kaspersky website.

Kaspersky Security Center uses the Find vulnerabilities and required updates task to find software vulnerabilities.

Fixing software vulnerabilities

To fix software vulnerabilities Kaspersky Security Center uses software updates issued by the software vendors. The software updates metadata is downloaded to the Administration Server repository as a result of the following tasks run:

• Download updates to the Administration Server repository. This task is intended to download updates metadata for Kaspersky and third-party software. This task is created automatically by the Kaspersky Security Center Quick Start Wizard. You can create the Download updates to the Administration Server repository task manually.
• Perform Windows Update synchronization. This task is intended to download updates metadata for Microsoft software.

Software updates to fix vulnerabilities can be represented as full distribution packages or patches. Software updates that fix software vulnerabilities are named fixes. Recommended fixes are those that are recommended for installation by Kaspersky specialists. User fixes are those that are manually specified for installation by users. To install a user fix, you have to create an installation package containing this fix.

If you have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to fix software vulnerabilities you can use Install required updates and fix vulnerabilities task. This task automatically fixes multiple vulnerabilities installing recommended fixes. For this task, you can manually configure certain rules to fix multiple vulnerabilities.

If you do not have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to fix software vulnerabilities, you can use the Fix vulnerabilities task. By means of this task, you can fix vulnerabilities by installing recommended fixes for Microsoft software and user fixes for other third-party software.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, as well as do not perform other types of analysis of the updates other than the specified in the paragraph above.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the software if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

Fixing third-party software vulnerabilities

Expand all | Collapse all

After you obtain the software vulnerabilities list, you can fix software vulnerabilities on managed devices that are running Windows. You can fix software vulnerabilities in the operating system and in third-party software, including Microsoft software, by creating and running the Fix vulnerabilities task or the Install required updates and fix vulnerabilities task.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

As an option, you can create a task to fix software vulnerabilities in the following ways:

• By opening the vulnerability list and specifying which vulnerabilities to fix.

  As a result, a new task to fix software vulnerabilities is created. As an option, you can add the selected vulnerabilities to an existing task.

• By running the Vulnerability Fix Wizard.

  The Vulnerability Fix Wizard is only available under the Vulnerability and Patch Management license.

  The Wizard simplifies creation and configuration of a vulnerability fix task and allows you to eliminate the creation of redundant tasks that contain the same updates to install.

Fixing software vulnerabilities by using the vulnerability list

To fix software vulnerabilities:

1. Open one of the lists of vulnerabilities:
   • To open the general vulnerability list, go to OPERATIONS → PATCH MANAGEMENT → Software vulnerabilities.
   • To open the vulnerability list for a managed device, go to DEVICES → MANAGED DEVICES → <device name> → Advanced → Software vulnerabilities.
   • To open the vulnerability list for a specific application, go to OPERATIONS → THIRD-PARTY APPLICATIONS → APPLICATIONS REGISTRY → <application name> → Vulnerabilities.

   A page with a list of vulnerabilities in the third-party software is displayed.

2. Select one or more vulnerabilities in the list, and then click the Fix vulnerability button.

   If a recommended software update to fix one of the selected vulnerabilities is absent, an informative message is displayed.

   To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the software, if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

3. Select one of the following options:
   • New task

     The Add Task Wizard starts. If you have the Vulnerability and Patch Management license, the Install required updates and fix vulnerabilities task is preselected. If you do not have the license, the Fix vulnerabilities task is preselected. Follow the steps of the Wizard to complete the task creation.

   • Fix vulnerability (add rule to specified task)

     Select a task to which you want to add the selected vulnerabilities. If you have the Vulnerability and Patch Management license, select the Install required updates and fix vulnerabilities task. A new rule to fix the selected vulnerabilities will be automatically added to the selected task. If you do not have the license, select the Fix vulnerabilities task. The selected vulnerabilities will be added to the task properties.

     The task properties window opens. Click the Save button to save the changes.

If you have chosen to create a task, the task is created and displayed in the task list at DEVICES → TASKS. If you have chosen to add the vulnerabilities to an existing task, the vulnerabilities are saved in the task properties.

To fix the third-party software vulnerabilities, start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. If you have created the Fix vulnerabilities task, you must manually specify the software updates to fix the software vulnerabilities listed in the task settings.

Fixing software vulnerabilities by using the Vulnerability Fix Wizard

The Vulnerability Fix Wizard is only available under the Vulnerability and Patch Management license.

To fix software vulnerabilities by using the Vulnerability Fix Wizard:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

   A page with a list of vulnerabilities in the third-party software installed on managed devices is displayed.

2. Select the check box next to the vulnerability that you want to fix.
3. Click the Run Vulnerability Fix Wizard button.

   The Vulnerability Fix Wizard starts. The Select the vulnerability fix task page displays the list of all existing tasks of the following types:

   • Install required updates and fix vulnerabilities
   • Install Windows Update updates
   • Fix vulnerabilities

   You cannot modify the last two types of tasks to install new updates. To install new updates, you can only use the Install required updates and fix vulnerabilities task.

4. If you want the Wizard to display only those tasks that fix the vulnerability that you selected, then enable the Show only tasks that fix this vulnerability option.
5. Choose what you want to do:
   • To start a task, select the check box next to the task name, and then click the Start button.
   • To add a new rule to an existing task:
     1. Select the check box next to the task name, and then click the Add rule button.
     2. On the page that opens, configure the new rule:
        • Rule for fixing vulnerabilities of this severity level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Rule for fixing vulnerabilities by means of updates of the same type as the update defined as recommended for the selected vulnerability (available only for Microsoft software vulnerabilities)
        • Rule for fixing vulnerabilities in applications from the selected vendor (available only for third-party software vulnerabilities)
        • Rule for fixing a vulnerability in all versions of the selected application (available only for third-party software vulnerabilities)
        • Rule for fixing the selected vulnerability
        • Approve updates that fix this vulnerability

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

     3. Click the Add button.
   • To create a task:
     1. Click the New task button.
     2. On the page that opens, configure the new rule:
        • Rule for fixing vulnerabilities of this severity level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Rule for fixing vulnerabilities by means of updates of the same type as the update defined as recommended for the selected vulnerability (available only for Microsoft software vulnerabilities)
        • Rule for fixing vulnerabilities in applications from the selected vendor (available only for third-party software vulnerabilities)
        • Rule for fixing a vulnerability in all versions of the selected application (available only for third-party software vulnerabilities)
        • Rule for fixing the selected vulnerability
        • Approve updates that fix this vulnerability

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

     3. Click the Add button.

If you have chosen to start a task, you can close the Wizard. The task will complete in background mode. No further actions are required.

If you have chosen to add a rule to an existing task, the task properties window opens. The new rule is already added to the task properties. You can view or modify the rule or other task settings. Click the Save button to save the changes.

If you have chosen to create a task, you continue to create the task in the Add Task Wizard. The new rule that you added in the Vulnerability Fix Wizard is displayed in the Add Task Wizard. When you complete the Wizard, the Install required updates and fix vulnerabilities task is added to the task list.

Creating the Fix vulnerabilities task

Expand all | Collapse all

The Fix vulnerabilities task allows you fix software vulnerabilities on managed devices that are running Windows. You can fix software vulnerabilities in third-party software, including Microsoft software.

If you do not have the Vulnerability and Patch Management license, you cannot create new tasks of the Fix vulnerabilities type. To fix new vulnerabilities, you can add them to an existing Fix vulnerabilities task. We recommend that you use the Install required updates and fix vulnerabilities task instead of the Fix vulnerabilities task. The Install required updates and fix vulnerabilities task enables you to install multiple updates and fix multiple vulnerabilities automatically, according to the rules that you define.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

To create the Fix vulnerabilities task:

1. In the main menu, go to DEVICES → TASKS.
2. Click Add.

   The Add Task Wizard starts. Proceed through the Wizard by using the Next button.

3. For the Kaspersky Security Center application, select the Fix vulnerabilities task type.
4. Specify the name for the task that you are creating.

   A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.
6. Click the Add button.

   The list of vulnerabilities opens.

7. Select the vulnerabilities that you want to fix, and then click OK.

   Microsoft software vulnerabilities usually have recommended fixes. No additional actions are required for them. For vulnerabilities in software from other vendors, you first need to specify a user fix for each vulnerability that you want to fix. After that, you will be able to add those vulnerabilities into the Fix vulnerabilities task.

8. Specify the operating system restart settings:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

   • Repeat prompt every (min)

     If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

     By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

     If this option is disabled, the prompt is displayed only once.

   • Restart after (min)

     After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

     By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Force closure of applications in blocked sessions

     Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

     If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

     If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

     By default, this option is disabled.

9. Specify the account settings:
   • Default account

     The task will be run under the same account as the application that performs this task.

     By default, this option is selected.

   • Specify account

     Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

   • Account

     Account under which the task is run.

   • Password

     Password of the account under which the task will be run.

10. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
11. Click the Finish button.

    The task is created and displayed in the list of tasks.

12. Click the name of the created task to open the task properties window.
13. In the task properties window, specify the general task settings according to your needs.
14. Click the Save button.

The task is created and configured.

Creating the Install required updates and fix vulnerabilities task

Expand all | Collapse all

The Install required updates and fix vulnerabilities task is only available under the Vulnerability and Patch Management license.

The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task allows you to install multiple updates and fix multiple vulnerabilities according to certain rules.

To install updates or fix vulnerabilities by using the Install required updates and fix vulnerabilities task, you can do one of the following:

• Run the Update Installation Wizard or the Vulnerability Fix Wizard.
• Create an Install required updates and fix vulnerabilities task.
• Add a rule for update installation to an existing Install required updates and fix vulnerabilities task.

To create the Install required updates and fix vulnerabilities task:

1. In the main menu, go to DEVICES → TASKS.
2. Click Add.

   The Add Task Wizard starts. Follow the steps of the Wizard.

3. For the Kaspersky Security Center application, select the Install required updates and fix vulnerabilities task type.
4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
5. Select devices to which the task will be assigned.
6. Specify the rules for update installation, and then specify the following settings:
   • Start installation at device restart or shutdown

     If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise, updates are installed according to a schedule.

     Use this option if installing the updates might affect the device performance.

     By default, this option is disabled.

   • Install required general system components

     If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates

     If this option is disabled, you may have to install the prerequisites manually.

     By default, this option is disabled.

   • Allow installation of new application versions during updates

     If this option is enabled, updates are allowed when they result in installation of a new version of a software application.

     If this option is disabled, the software is not upgraded. You can then install new versions of the software manually or through another task. For example, you may use this option if your company infrastructure is not supported by a new software version or if you want to check an upgrade in a test infrastructure.

     By default, this option is enabled.

     Upgrading an application may cause malfunction of dependent applications installed on client devices.

   • Download updates to the device without installing them

     If this option is enabled, the application downloads updates to the device but does not install them automatically. You can then Install downloaded updates manually.

     Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the folder specified in the Folder for downloading updates field.

     If this option is disabled, the updates are installed to the device automatically.

     By default, this option is disabled.

   • Folder for downloading updates

     This folder is used to download updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft).

   • Enable advanced diagnostics

     If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, you can download or delete them there.

     If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

     When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

     By default, this option is disabled.

   • Maximum size, in MB, of advanced diagnostics files

     The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

7. Specify the operating system restart settings:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

   • Repeat prompt every (min)

     If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

     By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

     If this option is disabled, the prompt is displayed only once.

   • Restart after (min)

     After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

     By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Wait time before forced closure of applications in blocked sessions (min)

     Applications are forced to close when the user's device goes locked (automatically after a specified interval of inactivity, or manually).

     If this option is enabled, applications are forced to close on the locked device upon expiration of the time interval specified in the entry field.

     If this option is disabled, applications do not close on the locked device.

     By default, this option is disabled.

8. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
9. Click the Finish button.

   The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.
11. In the task properties window, specify the general task settings according to your needs.
12. Click the Save button.

    The task is created and configured.

If the task results contain a warning of the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

Adding rules for update installation

Expand all | Collapse all

This feature is only available under the Vulnerability and Patch Management license.

When installing software updates or fixing software vulnerabilities by using the Install required updates and fix vulnerabilities task, you must specify rules for the update installation. These rules determine the updates to install and the vulnerabilities to fix.

The exact settings depend on whether you add a rule for all updates, for Windows Update updates, or for updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft). When adding a rule for Windows Update updates or updates of third-party applications, you can select specific applications and application versions for which you want to install updates. When adding a rule for all updates, you can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing updates.

You can add a rule for update installation in the following ways:

• By adding a rule while creating a new Install required updates and fix vulnerabilities task.
• By adding a rule on the Application Settings tab in the properties window of an existing Install required updates and fix vulnerabilities task.
• Through the Update Installation Wizard or the Vulnerability Fix Wizard.

To add a new rule for all updates:

1. Click the Add button.

   The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

2. On the Rule type page, select Rule for all updates.
3. On the General criteria page, use the drop-down lists to specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Updates page, select the updates to be installed:
   • Install all suitable updates

     Install all software updates that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

   • Install only updates from the list

     Install only software updates that you select manually from the list. This list contains all available software updates.

     For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.

     • Automatically install all previous application updates that are required to install the selected updates

       Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

       If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

       For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

       By default, this option is enabled.

5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:
   • Fix all vulnerabilities that match other criteria

     Fix all vulnerabilities that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

   • Fix only vulnerabilities from the list

     Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.

     For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.

6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the Add Task Wizard or in the task properties.

To add a new rule for Windows Update updates:

1. Click the Add button.

   The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

2. On the Rule type page, select Rule for Windows Update.
3. On the General criteria page, specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

   • Fix vulnerabilities with an MSRC severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
5. On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.
6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the Add Task Wizard or in the task properties.

To add a new rule for updates of third-party applications:

1. Click the Add button.

   The Rule Creation Wizard starts. Proceed through the Wizard by using the Next button.

2. On the Rule type page, select Rule for third-party updates.
3. On the General criteria page, specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
5. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is added and displayed in the rule list in the Add Task Wizard or in the task properties.

Selecting user fixes for vulnerabilities in third-party software

To use the Fix vulnerabilities task, you must manually specify the software updates to fix the vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for other third-party software. User fixes are software updates to fix vulnerabilities that the administrator manually specifies for installation.

To select user fixes for vulnerabilities in third-party software:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

   The page displays the list of software vulnerabilities detected on client devices.

2. In the list of software vulnerabilities, click the link with the name of the software vulnerability for which you want to specify a user fix.

   The properties window of the vulnerability opens.

3. In the left pane, select the User fixes and other fixes section.

   The list of user fixes for the selected software vulnerability is displayed.

4. Click Add.

   The list of available installation packages is displayed. The list of displayed installation packages corresponds to the OPERATIONS → REPOSITORIES → INSTALLATION PACKAGES list. If you have not created an installation package containing a user fix for selected vulnerability, you can create the package now by starting the New Package Wizard.

5. Select an installation package (or packages) containing a user fix (or user fixes) for the vulnerability in third-party software.
6. Click Save.

The installation packages containing user fixes for the software vulnerability are specified. When the Fix vulnerabilities task is started, the installation package will be installed, and the software vulnerability will be fixed.

Viewing information about software vulnerabilities detected on all managed devices

After you have scanned software on managed devices for vulnerabilities, you can view the list of software vulnerabilities detected on all managed devices.

To view the list of software vulnerabilities detected on all managed devices,

On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

The page displays the list of software vulnerabilities detected on client devices.

You can also generate and view Report on vulnerabilities.

You can specify a filter to view the list of software vulnerabilities. Click the Filter icon () in the upper right corner of the software vulnerabilities list to manage the filter. You can also select one of preset filters from the Preset filters drop-down list above the software vulnerabilities list.

You can obtain detailed information about any vulnerability from the list.

To obtain information about a software vulnerability:

In the list of software vulnerabilities, click the link with the name of the vulnerability.

The properties window of the software vulnerability opens.

Viewing information about software vulnerabilities detected on the selected managed device

You can view information about software vulnerabilities detected on the selected managed device running Windows.

To view a list of software vulnerabilities detected on the selected managed device:

1. In the main menu, go to DEVICES → MANAGED DEVICES.

   The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the device for which you want to view detected software vulnerabilities.

   The properties window of the selected device is displayed.

3. In the properties window of the selected device, select the Advanced tab.
4. In the left pane, select the Software vulnerabilities section.

   If you want to view only software vulnerabilities that can be fixed, select the Show only vulnerabilities that can be fixed option.

The list of software vulnerabilities detected on the selected managed device is displayed.

To view the properties of the selected software vulnerability,

Click the link with the name of the software vulnerability in the list of software vulnerabilities.

The properties window of the selected software vulnerability is displayed.

Viewing statistics of vulnerabilities on managed devices

You can view statistics for each software vulnerability on managed devices. Statistics is represented as a diagram. The diagram displays the number of devices with the following statuses:

• Ignored on: <number of devices>. The status is assigned if, in the vulnerability properties, you have manually set the option to ignore the vulnerability.
• Fixed on: <number of devices>. The status is assigned if the task to fix the vulnerability has successfully completed.
• Fix scheduled on: <number of devices>. The status is assigned if you have created the task to fix the vulnerability but the task is not performed yet.
• Patch applied on: <number of devices>. The status is assigned if you have manually selected a software update to fix the vulnerability but this software updated has not fixed the vulnerability.
• Fix required on: <number of devices>. The status is assigned if the vulnerability was fixed only on the part of managed devices, and it is required to be fixed on the rest part of managed devices.

To view the statistics of a vulnerability on managed devices:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

   The page displays a list of vulnerabilities in applications detected on managed devices.

2. Select the check box next to the required vulnerability.
3. Click the Statistics of vulnerability on devices button.

A diagram of the vulnerability statuses is displayed. Clicking a status opens a list of devices on which the vulnerability has the selected status.

Exporting the list of software vulnerabilities to a file

You can export the displayed list of vulnerabilities to the CSV or TXT files. You can use these files, for example, to send them to your information security manager or to store them for purposes of statistics.

To export the list of software vulnerabilities detected on all managed devices to a text file:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

   The page displays a list of vulnerabilities in applications detected on managed devices.

2. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for export.

The file containing the list of software vulnerabilities is downloaded to the device that you use at the moment.

To export the list of software vulnerabilities detected on selected managed device to a text file:

1. Open the list of software vulnerabilities detected on selected managed device.
2. Select the software vulnerabilities you want to export.

   Skip this step if you want to export a complete list of software vulnerabilities detected on the managed device.

   If you want to export complete list of software vulnerabilities detected on the managed device, only vulnerabilities displaying on the current page will be exported.

3. Click the Export rows to TXT file or Export rows to CSV file button, depending on the format you prefer for export.

The file containing the list of software vulnerabilities detected on the selected managed device is downloaded to the device you are using at the moment.

Ignoring software vulnerabilities

You can ignore software vulnerabilities to be fixed. The reasons to ignore software vulnerabilities might be, for example, the following:

• You do not consider the software vulnerability critical to your organization.
• You understand that the software vulnerability fix can damage data related to the software that required the vulnerability fix.
• You are sure that the software vulnerability is not dangerous for your organization's network because you use other measures to protect your managed devices.

You can ignore a software vulnerability on all managed devices or only on selected managed devices.

To ignore a software vulnerability on all managed devices:

1. On the OPERATIONS tab, in the PATCH MANAGEMENT drop-down list, select Software vulnerabilities.

   The page displays the list of software vulnerabilities detected on managed devices.

2. In the list of software vulnerabilities, click the link with the name of the software vulnerability you want to ignore.

   The software vulnerability properties window opens.

3. On the General tab, enable the Ignore vulnerability option.
4. Click the Save button.

   The software vulnerability properties window closes.

The software vulnerability is ignored on all managed devices.

To ignore a software vulnerability on the selected managed device:

1. On the DEVICES tab, select the MANAGED DEVICES tab.

   The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the device on which you want to ignore a software vulnerability.

   The device properties window is opened.

3. In the device properties window, select the Advanced tab.
4. In the left pane, select the Software vulnerabilities section.

   The list of software vulnerabilities detected on the device is displayed.

5. In the list of software vulnerabilities, select the vulnerability you want to ignore on the selected device.

   The software vulnerability properties window opens.

6. In the software vulnerability properties window, on the General tab, enable the Ignore vulnerability option.
7. Click the Save button.

   The software vulnerability properties window closes.

8. Close the device properties window.

The software vulnerability is ignored on the selected device.

The ignored software vulnerability will not be fixed after completion of the Fix vulnerabilities task or Install required updates and fix vulnerabilities task. You can exclude ignored software vulnerabilities from the list of vulnerabilities by means of the filter.