Fixing third-party software vulnerabilities
This section describes the features of Kaspersky Security Center that relate to fixing vulnerabilities in the software installed on managed devices.
Page top
[Topic 52462]
Scenario: Finding and fixing third-party software vulnerabilities
This section provides a scenario for finding and fixing vulnerabilities on the managed devices running Windows. You can find and fix software vulnerabilities in the operating system and in third-party software, including Microsoft software.
Prerequisites
- Kaspersky Security Center is deployed in your organization.
- There are managed devices running Windows in your organization.
- Internet connection is required for Administration Server to perform the following tasks:
- To make a list of recommended fixes for vulnerabilities in Microsoft software. The list is created and regularly updated by Kaspersky specialists.
- To fix vulnerabilities in third-part software other than Microsoft software.
Stages
Finding and fixing software vulnerabilities proceeds in stages:
- Scanning for vulnerabilities in the software installed on the managed devices
To find vulnerabilities in the software installed on the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.
The Find vulnerabilities and required updates task is created automatically by Kaspersky Security Center Quick Start Wizard. If you did not run the Wizard, start it now or create the task manually.
How-to instructions:
- Analyzing the list of detected software vulnerabilities
View the Software vulnerabilities list and decide which vulnerabilities are to be fixed. To view detailed information about each vulnerability, click the vulnerability name in the list. For each vulnerability in the list, you can also view the statistics on the vulnerability on managed devices.
How-to instructions:
- Configuring vulnerabilities fix
When the software vulnerabilities are detected, you can fix the software vulnerabilities on the managed devices by using the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task.
The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task allows you to install multiple updates and fix multiple vulnerabilities according to certain rules. Note that this task can be created only if you have the license for the Vulnerability and Patch Management feature. To fix software vulnerabilities the Install required updates and fix vulnerabilities task uses recommended software updates.
The Fix vulnerabilities task does not require the license option for the Vulnerability and Patch Management feature. To use this task, you must manually specify user fixes for vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for third-party software.
You can start Vulnerabilities Fix Wizard that creates one of these tasks automatically, or you can create one of these tasks manually.
How-to instructions:
- Scheduling the tasks
To be sure that the vulnerabilities list is always up-to-date, schedule the Find vulnerabilities and required updates task to run it automatically from time to time. The recommended average frequency is once a week.
If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Fix vulnerabilities task, note that you have to select fixes for Microsoft software or specify user fixes for third-party software every time before starting the task.
When scheduling the tasks, make sure that a task to fix vulnerability starts after the Find vulnerabilities and required updates task is complete.
- Ignoring software vulnerabilities (optional)
If you want, you can ignore software vulnerabilities to be fixed on all managed devices or only on the selected managed devices.
How-to instructions:
- Running a vulnerability fix task
Start the Install required updates and fix vulnerabilities task or the Fix vulnerability task. When the task is complete, make sure that it has the Completed successfully status in the task list.
- Create the report on results of fixing software vulnerabilities (optional)
To view detailed statistics on the vulnerabilities fix, generate the Report on vulnerabilities. The report displays information about software vulnerabilities that are not fixed. Thus you can have an idea about finding and fixing vulnerabilities in third-party software, including Microsoft software, in your organization.
How-to instructions:
- Checking configuration of finding and fixing vulnerabilities in third-party software
Be sure that you have done the following:
- Obtained and reviewed the list of software vulnerabilities on managed devices
- Ignored software vulnerabilities if you wanted
- Configured the task to fix vulnerabilities
- Scheduled the tasks to find and to fix software vulnerabilities so that they start sequentially
- Checked that the task to fix software vulnerabilities was run
Results
If you have created and configured the Install required updates and fix vulnerabilities task, the vulnerabilities are fixed on the managed devices automatically. When the task is run, it correlates the list of available software updates to the rules specified in the task settings. All software updates that meet the criteria in the rules will be downloaded to the Administration Server repository and will be installed to fix software vulnerabilities.
If you have created the Fix vulnerabilities task, only software vulnerabilities in Microsoft software are fixed.
Page top
[Topic 184124]
About finding and fixing software vulnerabilities
Kaspersky Security Center detects and fixes software
on managed devices running Microsoft Windows families operating systems. Vulnerabilities are detected in the operating system and in third-party software, including Microsoft software.
Finding software vulnerabilities
To find software vulnerabilities, Kaspersky Security Center uses characteristics from the database of known vulnerabilities. This database is created by Kaspersky specialists. It contains information about vulnerabilities, such as vulnerability description, vulnerability detect date, vulnerability severity level. You can find the details of software vulnerabilities on Kaspersky website.
Kaspersky Security Center uses the Find vulnerabilities and required updates task to find software vulnerabilities.
Fixing software vulnerabilities
To fix software vulnerabilities Kaspersky Security Center uses software updates issued by the software vendors. The software updates metadata is downloaded to the Administration Server repository as a result of the following tasks run:
- Download updates to the Administration Server repository. This task is intended to download updates metadata for Kaspersky and third-party software. This task is created automatically by the Kaspersky Security Center Quick Start Wizard. You can create the Download updates to the Administration Server repository task manually.
- Perform Windows Update synchronization. This task is intended to download updates metadata for Microsoft software.
Software updates to fix vulnerabilities can be represented as full distribution packages or patches. Software updates that fix software vulnerabilities are named fixes. Recommended fixes are those that are recommended for installation by Kaspersky specialists. User fixes are those that are manually specified for installation by users. To install a user fix, you have to create an installation package containing this fix.
If you have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to fix software vulnerabilities you can use Install required updates and fix vulnerabilities task. This task automatically fixes multiple vulnerabilities installing recommended fixes. For this task, you can manually configure certain rules to fix multiple vulnerabilities.
If you do not have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to fix software vulnerabilities, you can use the Fix vulnerabilities task. By means of this task, you can fix vulnerabilities by installing recommended fixes for Microsoft software and user fixes for other third-party software.
For security reasons, any third-party software updates that you install by using the Vulnerability and Patch Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.
Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, as well as do not perform other types of analysis of the updates other than the specified in the paragraph above.
A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.
To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the software if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.
Page top
[Topic 183975]
Viewing information about software vulnerabilities
To view a list of vulnerabilities detected on client devices,
In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
The page displays a list of vulnerabilities in applications detected on managed devices.
To obtain information about a selected vulnerability,
Select Properties from the context menu of the vulnerability.
The properties window of the vulnerability opens, displaying the following information:
- Application in which the vulnerability has been detected.
- List of devices on which the vulnerability has been detected.
- Information on whether the vulnerability has been fixed.
To view the report on all detected vulnerabilities,
In the Software vulnerabilities folder, click the View report on vulnerabilities link.
A report on vulnerabilities in applications installed on devices will be generated. You can view this report in the node with the name of the relevant Administration Server, by opening the Reports tab.
Page top
[Topic 61501]
Viewing statistics of vulnerabilities on managed devices
You can view statistics for each software vulnerability on managed devices. Statistics is represented as a diagram. The diagram displays the number of devices with the following statuses:
- Ignored on: <number of devices>. The status is assigned if, in the vulnerability properties, you have manually set the option to ignore the vulnerability.
- Fixed on: <number of devices>. The status is assigned if the task to fix the vulnerability has successfully completed.
- Fix scheduled on: <number of devices>. The status is assigned if you have created the task to fix the vulnerability but the task is not performed yet.
- Patch applied on: <number of devices>. The status is assigned if you have manually selected a software update to fix the vulnerability but this software updated has not fixed the vulnerability.
- Fix required on: <number of devices>. The status is assigned if the vulnerability was fixed only on the part of managed devices, and it is required to be fixed on the rest part of managed devices.
To view the statistics of a vulnerability on managed devices:
- In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
The page displays a list of vulnerabilities in applications detected on managed devices.
- Select a vulnerability for which you want to view the statistics.
In the block for working with a selected object, a diagram of the vulnerability statuses is displayed. Clicking a status opens a list of devices on which the vulnerability has the selected status.
Page top
[Topic 191658]
Scanning applications for vulnerabilities
Expand all | Collapse all
If you have configured the application through the Quick Start Wizard, the Vulnerability scan task is created automatically. You can view the task in the Managed devices folder, on the Tasks tab.
To create a task for vulnerability scanning in applications installed on client devices:
- In the console tree, select Advanced → Application management, and then select the Software vulnerabilities subfolder.
- In the workspace, select Additional actions → Configure vulnerability scan.
If a task for vulnerability scanning already exists, the Tasks tab of the Managed devices folder is displayed, with the existing task selected. Otherwise, the Find Vulnerabilities and Required Updates Task Creation Wizard starts. Follow the steps of the Wizard.
- In the Select the task type window, select Find vulnerabilities and required updates.
- On the Settings page of the Wizard, specify the task settings as follows:
- Search for vulnerabilities and updates listed by Microsoft
When searching for vulnerabilities and updates, Kaspersky Security Center uses the information about applicable Microsoft updates from the source of Microsoft updates, which are available at the present moment.
For example, you may want to disable this option if you have different tasks with different settings for Microsoft updates and updates of third-party applications.
By default, this option is enabled.
- Connect to the update server to update data
Windows Update Agent on a managed device connects to the source of Microsoft updates. The following servers can act as a source of Microsoft updates:
- Kaspersky Security Center Administration Server (see the settings of Network Agent policy)
- Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network
- Microsoft Updates servers
If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft updates to refresh the information about applicable Microsoft Windows updates.
If this option is disabled, Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier and that is stored in the device's cache.
Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable this option if you set regular connection to this source of updates in another task or in the properties of Network Agent policy, in the section Software updates and vulnerabilities. If you do not want to disable this option, then, to reduce the Server overload, you can configure the task schedule to randomize delay for task starts within 360 minutes.
By default, this option is enabled.
Combination of the following options of the settings of Network Agent policy defines the mode of getting updates:
- Windows Update Agent on a managed device connects to the Update Server to get updates only if the Connect to the update server to update data option is enabled and the Active option, in the Windows Update search mode settings group, is selected.
- Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier and that is stored in the device's cache, if the Connect to the update server to update data option is enabled and the Passive option, in the Windows Update search mode settings group, is selected, or if the Connect to the update server to update data option is disabled and the Active option, in the Windows Update search mode settings group, is selected.
- Irrespective of the Connect to the update server to update data option's status (enabled or disabled), if Disabled option, in the Windows Update search mode settings group is selected, Kaspersky Security Center does not request any information about updates.
- Search for third-party vulnerabilities and updates listed by Kaspersky
If this option is enabled, Kaspersky Security Center searches for vulnerabilities and required updates for third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in Windows Registry and in the folders specified under Specify paths for advanced search of applications in file system. The full list of supported third-party applications is managed by Kaspersky.
If this option is disabled, Kaspersky Security Center does not search for vulnerabilities and required updates for third-party applications. For example, you may want to disable this option if you have different tasks with different settings for Microsoft Windows updates and updates of third-party applications.
By default, this option is enabled.
- Specify paths for advanced search of applications in file system
The folders in which Kaspersky Security Center searches for third-party applications that require vulnerability fix and update installation. You can use system variables.
Specify the folders to which applications are installed. By default, the list contains system folders to which most of the applications are installed.
- Enable advanced diagnostics
If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, you can download or delete them there.
If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.
When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.
By default, this option is disabled.
- Maximum size, in MB, of advanced diagnostics files
The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.
- On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
- Scheduled start:
Select the schedule according to which the task runs, and configure the selected schedule.
- Every N hours
The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.
- Every N days
The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.
By default, the task runs every day, starting from the current system date and time.
- Every N weeks
The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.
By default, the task runs every Monday at the current system time.
- Every N minutes
The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.
- Daily (daylight saving time is not supported)
The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.
By default, the task starts every day at the current system time.
- Weekly
The task runs every week on the specified day and at the specified time.
- By days of week
The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.
- Monthly
The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.
- Manually
The task does not run automatically. You can only start it manually.
By default, this option is enabled.
- Every month on specified days of selected weeks
The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.
- When new updates are downloaded to the repository
The task runs after updates are downloaded to the repository. For example, you may want to use this schedule for the find vulnerabilities and required updates task.
- On virus outbreak
The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:
- Anti-virus for workstations and file servers
- Anti-virus for perimeter defense
- Anti-virus for mail systems
By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.
- On completing another task
The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.
- Run missed tasks
This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.
By default, this option is enabled.
- Use automatically randomized delay for task starts
If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.
- Use randomized delay for task starts within an interval of (min)
If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.
- On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
- On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.
After the Wizard completes its operation, the Find vulnerabilities and required updates task appears in the list of tasks in the Managed devices folder, on the Tasks tab.
In addition to the settings that you specify during task creation, you can change other properties of a created task.
When the Find vulnerabilities and required updates task is complete, Administration Server displays a list of vulnerabilities found in applications installed on the device; it also displays all software updates required to fix the vulnerabilities detected.
If the task results contain the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.
Administration Server does not display the list of required software updates when you sequentially run two tasks—the Perform Windows Update synchronization task that has the Download express installation files option disabled, and then the Find vulnerabilities and required updates task. In order to view the list of required software updates, you must run the Find vulnerabilities and required updates task again.
Network Agent receives information about any available Windows updates and other Microsoft product updates from Windows Update or the Administration Server, if the Administration Server acts as the WSUS server. Information is transmitted when applications are started (if this is provided for by the policy) and at each routine run of the Find vulnerabilities and required updates task on client devices.
You can find the details of third-party software that can be updated through Kaspersky Security Center by visiting the Technical Support website, on the Kaspersky Security Center page, in the Server Management section.
Page top
[Topic 61502]
Fixing vulnerabilities in applications
Expand all | Collapse all
If you have selected Find and install required updates on the Update management settings page of the Quick Start Wizard, the Install required updates and fix vulnerabilities task is created automatically. The task is displayed in the workspace of the Managed devices folder, on the Tasks tab.
Otherwise, you can do any of the following:
- Create a task for fixing vulnerabilities by installing available updates.
- Add a rule for fixing a vulnerability to an existing vulnerability fix task.
A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.
Fixing vulnerabilities by creating a vulnerability fix task
You can do any of the following:
- Create a task for fixing multiple vulnerabilities that meet certain rules.
- Select a vulnerability and create a task for fixing it and similar vulnerabilities.
To fix vulnerabilities that meet certain rules:
- In the console tree, select the Managed devices folder.
- In the workspace, select the Tasks tab.
- Click the Create a task button to run the Add Task Wizard. Follow the steps of the Wizard.
- On the Select the task type page of the Wizard, select Install required updates and fix vulnerabilities.
- On the Settings page of the Wizard, specify the task settings as follows:
- Specify rules for installing updates
These rules are applied to installation of updates on client devices. If rules are not specified, the task has nothing to perform. For information about operations with rules, refer to Rules for update installation.
- Start installation at device restart or shutdown
If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise, updates are installed according to a schedule.
Use this option if installing the updates might affect the device performance.
By default, this option is disabled.
- Install required general system components
If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates
If this option is disabled, you may have to install the prerequisites manually.
By default, this option is disabled.
- Allow installation of new application versions during updates
If this option is enabled, updates are allowed when they result in installation of a new version of a software application.
If this option is disabled, the software is not upgraded. You can then install new versions of the software manually or through another task. For example, you may use this option if your company infrastructure is not supported by a new software version or if you want to check an upgrade in a test infrastructure.
By default, this option is enabled.
Upgrading an application may cause malfunction of dependent applications installed on client devices.
- Download updates to the device without installing them
If this option is enabled, the application downloads updates to the device but does not install them automatically. You can then Install downloaded updates manually.
Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the folder specified in the Folder for downloading updates field.
If this option is disabled, the updates are installed to the device automatically.
By default, this option is disabled.
- Folder for downloading updates
This folder is used to download updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft).
- Enable advanced diagnostics
If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, you can download or delete them there.
If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.
When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.
By default, this option is disabled.
- Maximum size, in MB, of advanced diagnostics files
The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.
- On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
- Do not restart the device
Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.
- Restart the device
Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).
- Prompt user for action
The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.
By default, this option is selected.
- Repeat prompt every (min)
If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.
If this option is disabled, the prompt is displayed only once.
- Restart after (min)
After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.
- Force closure of applications in blocked sessions
Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.
If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.
By default, this option is disabled.
- On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
- Scheduled start:
Select the schedule according to which the task runs, and configure the selected schedule.
- Every N hours
The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.
- Every N days
The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.
By default, the task runs every day, starting from the current system date and time.
- Every N weeks
The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.
By default, the task runs every Monday at the current system time.
- Every N minutes
The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.
- Daily (daylight saving time is not supported)
The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.
By default, the task starts every day at the current system time.
- Weekly
The task runs every week on the specified day and at the specified time.
- By days of week
The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.
- Monthly
The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.
- Manually
The task does not run automatically. You can only start it manually.
By default, this option is enabled.
- Every month on specified days of selected weeks
The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.
- On virus outbreak
The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:
- Anti-virus for workstations and file servers
- Anti-virus for perimeter defense
- Anti-virus for mail systems
By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.
- On completing another task
The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.
- Run missed tasks
This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.
By default, this option is enabled.
- Use automatically randomized delay for task starts
If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.
- Use randomized delay for task starts within an interval of (min)
If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.
- On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
- On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.
After the Wizard completes its operation, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.
In addition to the settings that you specify during task creation, you can change other properties of a created task.
If the task results contain the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.
To fix a specific vulnerability and similar ones:
- In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
- Select the vulnerability that you want to fix.
- Click the Run Vulnerability Fix Wizard button.
The Vulnerability Fix Wizard starts.
The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management license.
Follow the steps of the Wizard.
- In the Search for existing vulnerability fix tasks window, specify the following parameters:
- Show only tasks that fix this vulnerability
If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected vulnerability.
If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts you to create a rule or task for fixing the vulnerability.
By default, this option is enabled.
- Approve updates that fix this vulnerability
Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules of update installation only allow the installation of approved updates.
By default, this option is disabled.
- If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.
Otherwise, click the New vulnerability fix task button.
- Select the type of the vulnerability fix rule to be added to the new task, and then click the Finish button.
- Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.
The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.
- On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
- Do not restart the device
Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.
- Restart the device
Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).
- Prompt user for action
The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.
By default, this option is selected.
- Repeat prompt every (min)
If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.
By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.
If this option is disabled, the prompt is displayed only once.
- Restart after (min)
After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.
By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.
- Force closure of applications in blocked sessions
Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.
If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.
If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.
By default, this option is disabled.
- On the Select devices to which the task will be assigned page of the Wizard, select one of the following options:
- Select networked devices detected by Administration Server
The task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.
For example, you may want to use this option in a task of installing Network Agent on unassigned devices.
- Specify device addresses manually or import addresses from a list
You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.
- Assign task to a device selection
The task is assigned to devices included in a device selection. You can specify one of the existing selections.
For example, you may want to use this option to run a task on devices with a specific operating system version.
- Assign task to an administration group
The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.
For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.
- On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
- Scheduled start:
Select the schedule according to which the task runs, and configure the selected schedule.
- Every N hours
The task runs regularly, with the specified interval in hours, starting from the specified date and time.
By default, the task runs every six hours, starting from the current system date and time.
- Every N days
The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.
By default, the task runs every day, starting from the current system date and time.
- Every N weeks
The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.
By default, the task runs every Monday at the current system time.
- Every N minutes
The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.
By default, the task runs every 30 minutes, starting from the current system time.
- Daily (daylight saving time is not supported)
The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.
We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.
By default, the task starts every day at the current system time.
- Weekly
The task runs every week on the specified day and at the specified time.
- By days of week
The task runs regularly, on the specified days of week, at the specified time.
By default, the task runs every Friday at 6:00:00 PM.
- Monthly
The task runs regularly, on the specified day of the month, at the specified time.
In months that lack the specified day, the task runs on the last day.
By default, the task runs on the first day of each month, at the current system time.
- Manually
The task does not run automatically. You can only start it manually.
By default, this option is enabled.
- Every month on specified days of selected weeks
The task runs regularly, on the specified days of each month, at the specified time.
By default, no days of month are selected; the default start time is 6:00:00 PM.
- On virus outbreak
The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:
- Anti-virus for workstations and file servers
- Anti-virus for perimeter defense
- Anti-virus for mail systems
By default, all application types are selected.
You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.
- On completing another task
The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.
- Run missed tasks
This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.
If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.
By default, this option is enabled.
- Use automatically randomized delay for task starts
If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.
- Use randomized delay for task starts within an interval of (min)
If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.
- On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
- On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.
If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.
When the Wizard completes, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.
In addition to the settings that you specify during task creation, you can change other properties of a created task.
Fixing a vulnerability by adding a rule to an existing vulnerability fix task
To fix a vulnerability by adding a rule to an existing vulnerability fix task:
- In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
- Select the vulnerability that you want to fix.
- Click the Run Vulnerability Fix Wizard button.
The Vulnerability Fix Wizard starts.
The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management license.
Follow the steps of the Wizard.
- In the Search for existing vulnerability fix tasks window, specify the following parameters:
- Show only tasks that fix this vulnerability
If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected vulnerability.
If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts you to create a rule or task for fixing the vulnerability.
By default, this option is enabled.
- Approve updates that fix this vulnerability
Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules of update installation only allow the installation of approved updates.
By default, this option is disabled.
- If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.
Otherwise, click the Add vulnerability fix rule to existing task button.
- Select the task to which you want to add a rule, and then click the Add rule button.
Also, you can view properties of the existing tasks, start them manually, or create a new task.
- Select the type of rule to be added to the selected task, and then click the Finish button.
- Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.
A new rule for fixing the vulnerability is added to the existing Install required updates and fix vulnerabilities task.
Page top
[Topic 61947]
Ignoring software vulnerabilities
You can ignore software vulnerabilities to be fixed. The reasons to ignore software vulnerabilities might be, for example, the following:
- You do not consider the software vulnerability critical to your organization.
- You understand that the software vulnerability fix can damage data related to the software that required the vulnerability fix.
- You are sure that the software vulnerability is not dangerous for your organization's network because you use other measures to protect your managed devices.
You can ignore a software vulnerability on all managed devices or only on selected managed devices.
To ignore a software vulnerability on all managed devices:
- In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
The workspace of the folder displays a list of vulnerabilities in applications detected on devices by the Network Agent installed on them.
- Select the vulnerability you want to ignore.
- Select Properties from the context menu of the vulnerability.
The properties window of the vulnerability opens.
- On the General section, select the Ignore vulnerability option.
- Click OK.
The software vulnerability properties window is closed.
The software vulnerability is ignored on all managed devices.
To ignore a software vulnerability on the selected managed device:
- Open the properties window of the selected managed device and select the Software vulnerabilities section.
- Select a software vulnerability.
- Ignore selected vulnerability.
The software vulnerability is ignored on the selected device.
The ignored software vulnerability will not be fixed after completion of the Fix vulnerabilities task or Install required updates and fix vulnerabilities task. You can exclude ignored software vulnerabilities from the list of vulnerabilities by means of the filter.
Page top
[Topic 191582]
Selecting user fixes for vulnerabilities in third-party software
To use the Fix vulnerabilities task, you must manually specify the software updates to fix the vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for other third-party software. User fixes are software updates to fix vulnerabilities that the administrator manually specifies for installation.
To select user fixes for vulnerabilities in third-party software:
- In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
The workspace of the folder displays a list of vulnerabilities in applications detected on devices by the Network Agent installed on them.
- Select the vulnerability for which you want to specify a user fix.
- Select Properties from the context menu of the vulnerability.
The properties window of the vulnerability opens.
- In the User fixes and other fixes section, click the Add button.
The list of available installation packages is displayed. The list of displayed installation packages corresponds to the Remote installation → Installation packages list. If you have not created an installation package containing a user fix for selected vulnerability, you can create the package now by starting the New Package Wizard.
- Select an installation package (or packages) containing a user fix (or user fixes) for the vulnerability in third-party software.
- Click OK.
The installation packages containing user fixes for the software vulnerability are specified. When the Fix vulnerabilities task is started, the installation package will be installed, and the software vulnerability will be fixed.
Page top
[Topic 191616]
Rules for update installation
Expand all | Collapse all
When fixing vulnerabilities in applications, you must specify rules for update installation. These rules determine updates to install and vulnerabilities to fix.
The exact settings depend on whether you create a rule for updates of Microsoft applications, of third-party applications (applications made by software vendors other than Kaspersky and Microsoft), or of all applications. When creating a rule for Microsoft applications or third-party applications, you can select specific applications and application versions for which you want to install updates. When creating a rule for all applications, you can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing updates.
To create a new rule for updates of all applications:
- On the Settings page of the Add Task Wizard, click the Add button.
The Rule Creation Wizard starts. Follow the steps of the Wizard.
- On the Rule type page, select Rule for all updates.
- On the General criteria page, use the drop-down lists to specify the following settings:
- Set of updates to install
Select the updates that must be installed on client devices:
- Install approved updates only. This installs only approved updates.
- Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
- Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
- Fix vulnerabilities with a severity level equal to or higher than
Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.
- On the Updates page, select the updates to be installed:
- Install all suitable updates
Install all software updates that meet the criteria specified on the General criteria page of the Wizard. Selected by default.
- Install only updates from the list
Install only software updates that you select manually from the list. This list contains all available software updates.
For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.
- Automatically install all previous application updates that are required to install the selected updates
Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.
If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.
For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.
By default, this option is enabled.
- On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:
- Fix all vulnerabilities that match other criteria
Fix all vulnerabilities that meet the criteria specified on the General criteria page of the Wizard. Selected by default.
- Fix only vulnerabilities from the list
Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.
For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.
- On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.
After the Rule Creation Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.
To create a new rule for updates of Microsoft applications:
- On the Settings page of the Add Task Wizard, click the Add button.
The Rule Creation Wizard starts. Follow the steps of the Wizard.
- On the Rule type page, select Rule for Windows Update.
- On the General criteria page, specify the following settings:
- Set of updates to install
Select the updates that must be installed on client devices:
- Install approved updates only. This installs only approved updates.
- Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
- Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
- Fix vulnerabilities with a severity level equal to or higher than
Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.
- Fix vulnerabilities with an MSRC severity level equal to or higher than
Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.
- On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
- On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.
- On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.
After the Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.
To create a new rule for updates of third-party applications:
- On the Settings page of the Add Task Wizard, click the Add button.
The Rule Creation Wizard starts. Follow the steps of the Wizard.
- On the Rule type page, select Rule for third-party updates.
- On the General criteria page, specify the following settings:
- Set of updates to install
Select the updates that must be installed on client devices:
- Install approved updates only. This installs only approved updates.
- Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
- Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
- Fix vulnerabilities with a severity level equal to or higher than
Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.
If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.
If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.
By default, this option is disabled.
- On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
- On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.
After the Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.
Page top
[Topic 172909]