Installing third-party software updates

Kaspersky Security Center allows you to manage updates of software installed on client devices and fix vulnerabilities in Microsoft applications and other software makers' products through installing required updates.

Kaspersky Security Center searches for updates through the update search task and downloads them to the updates repository. After completing the search of updates, the application provides the administrator with information about available updates and vulnerabilities in applications that can be fixed using those updates.

Information about available updates for Microsoft Windows is provided by Windows Update service. Administration Server can be used as Windows Server Update Services (WSUS) server. To use Administration Server as WSUS server, you should configure synchronization of updates with Windows Update. After you have configured data synchronization with Windows Update, Administration Server provides updates to Windows Update services on devices in centralized mode and with the set frequency.

You can also manage software updates through a Network Agent policy. To do this, you should create a Network Agent policy and configure software updating in the corresponding windows of the New Policy Wizard.

The administrator can view a list of available updates in the Software updates subfolder included in the Application management folder. This folder contains a list of updates for Microsoft applications and other software makers' products retrieved by Administration Server that can be distributed to devices. After viewing information about available updates, the administrator can install them to devices.

Kaspersky Security Center updates some applications by removing the previous version of the application and installing the new one.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, as well as do not perform other types of analysis of the updates other than the specified in the paragraph above.

Before installing the updates to all of the devices, you can perform a test installation to make sure installed updates will cause no failures to the operation of applications on the devices.

You can find the details of third-party software that can be updated through Kaspersky Security Center by visiting the Technical Support website, on the Kaspersky Security Center page, in the Server Management section.

Scenario: Updating third-party software

This section provides a scenario for updating third-party software installed on the client devices. The third-party software includes applications from Microsoft and other software vendors. Updates for Microsoft applications are provided by the Windows Update service.

Prerequisites

Administration Server must have a connection to the internet to install updates of third-part software other than Microsoft software.

By default, internet connection is not required for Administration Server to install Microsoft software updates on the managed devices. For example, the managed devices can download the Microsoft software updates directly from Microsoft Update servers or from Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network. Administration Server must be connected to the internet when you use Administration Server as WSUS server.

Stages

Updating third-party software proceeds in stages:

1. Searching for required updates

   To find the third-party software updates required for the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

   The Find vulnerabilities and required updates task is created automatically by the Administration Server Quick Start Wizard. If you did not run the Wizard, create the task or run the Quick Start Wizard now.

   How-to instructions:

   • Administration Console: Scanning applications for vulnerabilities, Scheduling the Find vulnerabilities and required updates task
   • Kaspersky Security Center 13.1 Web Console: Creating the Find vulnerabilities and required updates task, Find vulnerabilities and required updates task settings
2. Analyzing the list of found updates

   View the SOFTWARE UPDATES list and decide which updates you want to install. To view detailed information about each update, click the update name in the list. For each update in the list, you can also view the statistics on the update installation on client devices.

   How-to instructions:

   • Administration Console: Viewing information about available updates
   • Kaspersky Security Center 13.1 Web Console: Viewing information about available third-party software updates
3. Configuring installation of updates

   When Kaspersky Security Center received the list of the third-party software updates, you can install them on client devices by using the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. Create one of these tasks. You can create these tasks on the TASKS tab or by using the SOFTWARE UPDATES list.

   The Install required updates and fix vulnerabilities task is used to install updates for Microsoft applications, including the updates provided by the Windows Update service, and updates of other vendors' products. Note that this task can be created only if you have the license for the Vulnerability and Patch Management feature.

   The Install Windows Update updates task does not require a license, but it can be used to install Windows Update updates only.

   To install some software updates you must accept the End User License Agreement (EULA) for the installation software. If you decline the EULA, the software update will not be installed.

   You can start an update installation task by schedule. When specifying the task schedule, make sure that the update installation task starts after the Find vulnerabilities and required updates task is complete.

   How-to instructions:

   • Administration Console: Fixing vulnerabilities in applications, Viewing information about available updates
   • Kaspersky Security Center 13.1 Web Console: Creating the Install required updates and fix vulnerabilities task, Creating the Install Windows Update updates task, Viewing information about available third-party software updates
4. Scheduling the tasks

   To be sure that the update list is always up-to-date, schedule the Find vulnerabilities and required updates task to run the task automatically from time to time. The default frequency is once a week.

   If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Install Windows Update updates task, note that for this task you must define the list of updates every time before starting this task.

   When scheduling the tasks, make sure that an update installation task starts after the Find vulnerabilities and required updates task is complete.

5. Approving and declining software updates (optional)

   If you have created the Install required updates and fix vulnerabilities task, you can specify rules for update installation in the task properties. If you have created the Install Windows Update updates task, skip this step.

   For each rule, you can define the updates to install depending on the update status: Undefined, Approved or Declined. For example, you may want to create a specific task for servers and set a rule for this task to allow installation of only Windows Update updates and only those ones that have Approved status. After that you manually set the Approved status for those updates that you want to install. In this case the Windows Update updates that have the Undefined or Declined status will not be installed on the servers that you specified in the task.

   The usage of the Approved status to manage update installation is efficient for a small amount of updates. To install multiple updates, use the rules that you can configure in the Install required updates and fix vulnerabilities task. We recommend that you set the Approved status for only those specific updates that do not meet the criteria specified in the rules. When you manually approve a large amount of updates, performance of Administration Server decreases and may lead to Administration Server overload.

   By default, the downloaded software updates have the Undefined status. You can change the status to Approved or Declined in the SOFTWARE UPDATES list (OPERATIONS → PATCH MANAGEMENT → SOFTWARE UPDATES).

   How-to instructions:

   • Administration Console: Approving and declining software updates
   • Kaspersky Security Center 13.1 Web Console: Approving and declining third-party software updates
6. Configuring Administration Server to work as Windows Server Update Services (WSUS) server (optional)

   By default, Windows Update updates are downloaded to the managed devices from Microsoft servers. You can change this setting to use the Administration Server as WSUS server. In this case, the Administration Server synchronizes the update data with Windows Update at the specified frequency and provides updates in centralized mode to Windows Update on networked devices.

   To use the Administration Server as WSUS server, create the Perform Windows Update synchronization task and select the Use Administration Server as WSUS server check box in the Network Agent policy.

   How-to instructions:

   • Administration Console: Synchronizing updates from Windows Update with Administration Server, Configuring Windows updates in a Network Agent policy
   • Kaspersky Security Center 13.1 Web Console: Creating the Perform Windows Update synchronization task
7. Running an update installation task

   Start the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. When you start these tasks, updates are downloaded and installed on managed devices. After the task is complete, make sure that it has the Completed successfully status in the task list.

8. Create the report on results of update installation of third-party software (optional)

   To view detailed statistics on the update installation, create the Report on results of installation of third-party software updates.

   How-to instructions:

   • Administration Console: Creating and viewing a report
   • Kaspersky Security Center 13.1 Web Console: Generating and viewing a report

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the updates are installed on the managed devices automatically. When new updates are downloaded to the Administration Server repository, Kaspersky Security Center checks whether they meet the criteria specified in the update rules. All new updates that meet the criteria will be installed automatically at the next task run.

If you have created the Install Windows Update updates task, only those updates specified in the Install Windows Update updates task properties are installed. In future, if you want to install new updates downloaded to the Administration Server repository, you must add the required updates to the list of updates in the existing task or create a new Install Windows Update updates task.

Viewing information about available updates for third-party applications

To view a list of available updates for third-party applications installed on client devices,

In the Advanced → Application management folder in the console tree, select the Software updates subfolder.

In the workspace of the folder, you can view a list of available updates for applications installed on devices.

To view the properties of an update,

In the workspace of the Software updates folder, in the context menu of the update, select Properties.

The following information is available for viewing in the properties window of the update:

• On the General section you can view the Update approval status:
  • Undefined—the update is available in the list of updates, but is not approved for installation.
  • Approved—the update is available in the list of updates and approved for installation.
  • Declined—the update is declined for installation.
• On the Attributes section you can view the values of the Installed automatically field:
  • The Automatically value is displayed if the Install required updates and fix vulnerabilities task can install updates for the application. The task automatically installs new updates from the web address provided by the vendor of third-party software.
  • The Manually value is displayed if Kaspersky Security Center cannot install updates for the application automatically. You can install updates manually.

  The Installed automatically field is not displayed for Windows application updates.

• List of client devices for which the update is intended.
• List of system components (prerequisites) that have to be installed before the update (if any).
• Software vulnerabilities that the update will fix.

Approving and declining software updates

The settings of an update installation task may require approval of updates that are to be installed. You can approve updates that must be installed and decline updates that must not be installed.

For example, you may want to first check the installation of updates in a test environment and make sure that they do not interfere with the operation of devices, and only then allow the installation of these updates on client devices.

The usage of the Approved status to manage third-party update installation is efficient for a small amount of updates. To install multiple third-party updates, use the rules that you can configure in the Install required updates and fix vulnerabilities task. We recommend that you set the Approved status for only those specific updates that do not meet the criteria specified in the rules. When you manually approve a large amount of updates, performance of Administration Server decreases and may lead to Administration Server overload.

To approve or decline one or several updates:

1. In the console tree, select the Advanced → Application management → Software updates node.
2. In the workspace of the Software updates folder, click the Refresh button in the upper right corner. A list of updates appears.
3. Select the updates that you want to approve or decline.

   The information box for the selected objects appears on the right side of the workspace.

4. In the Update approval status drop-down list, select Approved to approve the selected updates or Declined to decline the selected updates.

   The default value is Undefined.

The updates for which you set the Approved status are placed in a queue for installation.

The updates for which you set the Declined status are uninstalled (if possible) from all devices on which they were previously installed. Also, they will not be installed on other devices in future.

Some updates for Kaspersky applications cannot be uninstalled. If you set the Declined status for them, Kaspersky Security Center will not uninstall these updates from the devices on which they were previously installed. However, these updates will never be installed on other devices in future. If an update for Kaspersky applications cannot be uninstalled, this property is displayed in the update properties window: in the Sections pane select General, and in the workspace the property will appear under Installation requirements. If you set the Declined status for third-party software updates, these updates will not be installed on devices for which they were planned but have not yet been installed. Updates will still remain on devices on which they were already installed. If you have to delete them, you can manually delete them locally.

Synchronizing updates from Windows Update with Administration Server

If you have selected Use Administration Server as a WSUS server in the Update management settings window of the Quick Start Wizard, the Windows Update synchronization task is created automatically. You can run the task in the Tasks folder. The functionality of a Microsoft software update is only available after the Perform Windows Update synchronization task is successfully completed.

The Perform Windows Update synchronization task only downloads metadata from Microsoft servers. If the network does not use a WSUS server, each client device downloads Microsoft updates from external servers independently.

To create a task for synchronizing Windows Updates with Administration Server:

1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
2. Click the Additional actions button and select Configure Windows Update synchronization in the drop-down list.

   The Wizard creates the Perform Windows Update synchronization task displayed in the Tasks folder.

   The Windows Update Center Data Retrieval Task Creation Wizard starts. Follow the instructions of the Wizard.

You can also create the Windows Update synchronization task in the Tasks folder by clicking Create a task.

Microsoft regularly deletes outdated updates from the company's servers so the number of current updates is always between 200,000 and 300,000. In Kaspersky Security Center 10 Service Pack 2 Maintenance Release 1 and earlier versions, all updates were retained: no outdated updates were deleted. As a result, the database continuously grew in size. To reduce disk space usage and database size, deletion of outdated updates that are no longer present on Microsoft update servers has been implemented in Kaspersky Security Center 10 Service Pack 3.

When running the Perform Windows Update synchronization task, the application receives a list of current updates from a Microsoft update server. Next, Kaspersky Security Center compiles a list of updates that have become outdated. At the next start of the Find vulnerabilities and required updates task, Kaspersky Security Center flags all outdated updates and sets the deletion time for them. At the next start of the Perform Windows Update synchronization task, all updates flagged for deletion 30 days ago are deleted. Kaspersky Security Center also checks for outdated updates that were flagged for deletion more than 180 days ago, and then deletes those older updates.

When the Perform Windows Update synchronization task completes and outdated updates are deleted, the database may still have the hash codes pertaining to the files of deleted updates, as well as corresponding files in the %AllUsersProfile%\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles files (if they were downloaded earlier). You can run the Administration Server maintenance task to delete these outdated records from the database and corresponding files.

Step 1. Defining whether to reduce traffic

When Kaspersky Security Center synchronizes updates with Microsoft Windows Update Servers, information about all files is saved in the Administration Server database. All files required for an update are also downloaded to the drive during interaction with the Windows Update Agent. In particular, Kaspersky Security Center saves information about express update files to the database and downloads them when necessary. Downloading express update files leads to decreased free space on the drive.

To avoid a decrease in disk space volume and to reduce traffic, you can disable the Download express installation files option.

If this option is selected, express update files are downloaded when running the task. By default, this option is not selected.

Step 2. Applications

In this section you can select applications for which updates will be downloaded.

If the All applications check box is selected, updates will be downloaded for all existing applications, and for all applications that may be released in the future.

By default, the All applications check box is selected.

Step 3. Update categories

In this section, you can select categories of updates that will be downloaded to the Administration Server.

If the All categories check box is selected, updates will be downloaded for all existing updates categories, and for all categories that may appear in the future.

By default, the All categories check box is selected.

Step 4. Updates languages

Expand all | Collapse all

In this window you can select localization languages of updates that will be downloaded to Administration Server. Select one of the following options for downloading localization languages of updates:

• Download all languages, including new ones

  If this option is selected, all the available localization languages of updates will be downloaded to Administration Server. By default, this option is selected.

• Download selected languages

  If this option is selected, you can select from the list localization languages of updates that should be downloaded to Administration Server.

Step 5. Selecting the account to start the task

Expand all | Collapse all

In the Selecting an account to run the task window, you can specify which account to use when running the task. Select one of the following options:

• Default account

  The task will be run under the same account as the application that performs this task.

  By default, this option is selected.

• Specify account

  Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

  • Account

    Account under which the task is run.

  • Password

    Password of the account under which the task will be run.

Step 6. Configuring a task start schedule

Expand all | Collapse all

On the Configure task schedule Wizard page, you can create a schedule for task start. If necessary, specify the following settings:

• Scheduled start:

  Select the schedule according to which the task runs, and configure the selected schedule.

  • Every N hours

    The task runs regularly, with the specified interval in hours, starting from the specified date and time.

    By default, the task runs every six hours, starting from the current system date and time.

  • Every N days

    The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

    By default, the task runs every day, starting from the current system date and time.

  • Every N weeks

    The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

    By default, the task runs every Monday at the current system time.

  • Every N minutes

    The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

    By default, the task runs every 30 minutes, starting from the current system time.

  • Daily (daylight saving time is not supported)

    The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

    We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

    By default, the task starts every day at the current system time.

  • Weekly

    The task runs every week on the specified day and at the specified time.

  • By days of week

    The task runs regularly, on the specified days of week, at the specified time.

    By default, the task runs every Friday at 6:00:00 PM.

  • Monthly

    The task runs regularly, on the specified day of the month, at the specified time.

    In months that lack the specified day, the task runs on the last day.

    By default, the task runs on the first day of each month, at the current system time.

  • Manually

    The task does not run automatically. You can only start it manually.

    By default, this option is enabled.

  • Once

    The task runs once, on the specified date and time.

  • Every month on specified days of selected weeks

    The task runs regularly, on the specified days of each month, at the specified time.

    By default, no days of month are selected; the default start time is 6:00:00 PM.

  • On virus outbreak

    The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

    • Anti-virus for workstations and file servers
    • Anti-virus for perimeter defense
    • Anti-virus for mail systems

    By default, all application types are selected.

    You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

  • On completing another task

    The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

• Run missed tasks

  This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

  If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

  If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

  By default, this option is enabled.

• Use automatically randomized delay for task starts

  If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

  The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

  If this option is disabled, the task starts on client devices according to the schedule.

• Use randomized delay for task starts within an interval of (min)

  If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

  If this option is disabled, the task starts on client devices according to the schedule.

  By default, this option is disabled. The default time interval is one minute.

Step 7. Defining the task name

In the Define the task name window, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).The default value is Perform Windows Update synchronization.

Step 8. Completing creation of the task

In the Finish task creation window, click the Finish button to finish the wizard.

If you want the task to start as soon as the wizard finishes, select the Run the task after the Wizard finishes check box.

The newly created Windows Update synchronization task will appear in the list of tasks in the Tasks folder of the console tree.

Installing updates on devices manually

Expand all | Collapse all

If you have selected Find and install required updates on the Update management settings page of the Quick Start Wizard, the install required updates and fix vulnerabilities task is created automatically. You can run or stop the task in the Managed devices folder on the Tasks tab.

If you have selected Search for required updates in the Quick Start Wizard, you can install software updates on client devices through the Install required updates and fix vulnerabilities task.

You can do any of the following:

• Create a task for installing updates.
• Add a rule for installing an update to an existing update installation task.
• In the settings of an existing update installation task, configure a test installation of updates.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

Installing updates by creating an installation task

You can do any of the following:

• Create a task for installing certain updates.
• Select an update and create a task for installing it and similar updates.

To install specific updates:

1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
2. In the workspace, select the updates that you want to install.
3. Do any of the following:
   • Right-click one of the selected updates in the list, and then select Install update → New task.
   • Click the Install update (create task) link in the information box for the selected updates.
4. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

   The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

5. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

     • Repeat prompt every (min)

       If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

       By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

       If this option is disabled, the prompt is displayed only once.

     • Restart after (min)

       After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

       By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Force closure of applications in blocked sessions

     Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

     If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

     If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

     By default, this option is disabled.

6. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
   • Scheduled start:

     Select the schedule according to which the task runs, and configure the selected schedule.

     • Every N hours

       The task runs regularly, with the specified interval in hours, starting from the specified date and time.

       By default, the task runs every six hours, starting from the current system date and time.

     • Every N days

       The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

       By default, the task runs every day, starting from the current system date and time.

     • Every N weeks

       The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

       By default, the task runs every Monday at the current system time.

     • Every N minutes

       The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

       By default, the task runs every 30 minutes, starting from the current system time.

     • Daily (daylight saving time is not supported)

       The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

       We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

       By default, the task starts every day at the current system time.

     • Weekly

       The task runs every week on the specified day and at the specified time.

     • By days of week

       The task runs regularly, on the specified days of week, at the specified time.

       By default, the task runs every Friday at 6:00:00 PM.

     • Monthly

       The task runs regularly, on the specified day of the month, at the specified time.

       In months that lack the specified day, the task runs on the last day.

       By default, the task runs on the first day of each month, at the current system time.

     • Manually

       The task does not run automatically. You can only start it manually.

       By default, this option is enabled.

     • Every month on specified days of selected weeks

       The task runs regularly, on the specified days of each month, at the specified time.

       By default, no days of month are selected; the default start time is 6:00:00 PM.

     • On virus outbreak

       The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

       • Anti-virus for workstations and file servers
       • Anti-virus for perimeter defense
       • Anti-virus for mail systems

       By default, all application types are selected.

       You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

     • On completing another task

       The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

   • Run missed tasks

     This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

     If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

     If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

     By default, this option is enabled.

   • Use automatically randomized delay for task starts

     If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

     The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

     If this option is disabled, the task starts on client devices according to the schedule.

   • Use randomized delay for task starts within an interval of (min)

     If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

     If this option is disabled, the task starts on client devices according to the schedule.

     By default, this option is disabled. The default time interval is one minute.

7. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
8. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

   If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

After the Wizard completes its operation, Install required updates and fix vulnerabilities appears in the Tasks folder.

You can enable automatic installation of system components (prerequisites) prior to installation of an update in the Install required updates and fix vulnerabilities task properties. When this option is enabled, all required system components are installed before the update. A list of the required components can be found in properties of the update.

In the properties of Install required updates and fix vulnerabilities task, you can allow installation of updates that upgrade application to a new version.

If the task settings provide rules for installation of third-party updates, the Administration Server downloads all relevant updates from their vendors' websites. Updates are saved to the Administration Server repository and then distributed and installed on devices where they are applicable.

If the task settings provide rules for installation of Microsoft updates and the Administration Server acts as a WSUS server, the Administration Server downloads all relevant updates to the repository and then distributes them to managed devices. If the network does not use a WSUS server, each client device downloads Microsoft updates from external servers independently.

To install a certain update and similar ones:

1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
2. In the workspace, select the update that you want to install.
3. Click the Run Update Installation Wizard button.

   The Update Installation Wizard starts.

   The Update Installation Wizard features are only available under the Vulnerability and Patch Management license.

   Follow the steps of the Wizard.

4. On the Search for existing update installation tasks page, specify the following settings:
   • Search for tasks that install this update

     If this option is enabled, the Update Installation Wizard searches for existing tasks that install the selected update.

     If this option is disabled or if the search retrieves no applicable tasks, the Update Installation Wizard prompts you to create a rule or task for installing the update.

     By default, this option is enabled.

   • Approve update installation

     The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

     By default, this option is disabled.

5. If you choose to search for existing update installation tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

   Otherwise, click the New update installation task button.

6. Select the type of the installation rule to be added to the new task, and then click the Finish button.
7. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

   The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

8. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

     • Repeat prompt every (min)

       If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

       By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

       If this option is disabled, the prompt is displayed only once.

     • Restart after (min)

       After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

       By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Force closure of applications in blocked sessions

     Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

     If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

     If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

     By default, this option is disabled.

9. On the Select devices to which the task will be assigned page of the Wizard, select one of the following options:
   • Select networked devices detected by Administration Server

     The task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.

     For example, you may want to use this option in a task of installing Network Agent on unassigned devices.

   • Specify device addresses manually or import addresses from a list

     You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

     You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

   • Assign task to a device selection

     The task is assigned to devices included in a device selection. You can specify one of the existing selections.

     For example, you may want to use this option to run a task on devices with a specific operating system version.

   • Assign task to an administration group

     The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

     For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

10. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every six hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually (selected by default)

        The task does not run automatically. You can only start it manually.

        By default, this option is enabled.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected; the default start time is 6:00:00 PM.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is enabled.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

11. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
12. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

When the Wizard finishes, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

Upgrading to a new version of the application may cause a malfunction of dependent applications on devices.

Installing an update by adding a rule to an existing installation task

To install an update by adding a rule to an existing installation task:

1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
2. In the workspace, select the update that you want to install.
3. Click the Run Update Installation Wizard button.

   The Update Installation Wizard starts.

   The Update Installation Wizard features are only available under the Vulnerability and Patch Management license.

   Follow the steps of the Wizard.

4. On the Search for existing update installation tasks page, specify the following settings:
   • Search for tasks that install this update

     If this option is enabled, the Update Installation Wizard searches for existing tasks that install the selected update.

     If this option is disabled or if the search retrieves no applicable tasks, the Update Installation Wizard prompts you to create a rule or task for installing the update.

     By default, this option is enabled.

   • Approve update installation

     The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

     By default, this option is disabled.

5. If you choose to search for existing update installation tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

   Otherwise, click the Add an update installation rule button.

6. Select the task to which you want to add a rule, and then click the Add rule button.

   Also, you can view properties of the existing tasks, start them manually, or create a new task.

7. Select the type of the rule to be added to the selected task, and then click the Finish button.
8. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

A new rule for installing the update is added to the existing Install required updates and fix vulnerabilities task.

Configuring a test installation of updates

To configure a test installation of updates:

1. In the console tree, select the Install required updates and fix vulnerabilities task in the Managed devices folder on the Tasks tab.
2. In the context menu of the task, select Properties.

   The properties window of the Install required updates and fix vulnerabilities task opens.

3. In the properties window of the task, in the Test installation section select one of the available options for test installation:
   • Do not scan. Select this option if you do not want to perform a test installation of updates.
   • Run scan on selected devices. Select this option if you want to test updates installation on selected devices. Click the Add button and select devices on which you need to perform test installation of updates.
   • Run scan on devices in the specified group. Select this option if you want to test updates installation on a group of devices. In the Specify a test group field, specify a group of devices on which you want to perform a test installation.
   • Run scan on specified percentage of devices. Select this option if you want to test updates installation on some portion of devices. In the Percentage of test devices out of all target devices field, specify the percentage of devices on which you want to perform a test installation of updates.
4. Upon selecting any option except Do not scan, in the Amount of time to make the decision if the installation is to be continued, in hours field specify the number of hours that must elapse from the test installation of updates until the start of installation of the updates on all devices.

Configuring Windows updates in a Network Agent policy

Expand all | Collapse all

To configure Windows Updates in a Network Agent policy:

1. In the console tree, select Managed devices.
2. In the workspace, select the Policies tab.
3. Select a Network Agent policy.
4. In the context menu of the policy, select Properties.

   The properties window for the Network Agent policy opens.

5. In the Sections pane, select Software updates and vulnerabilities.
6. Select the Use Administration Server as a WSUS server option to download Windows updates to the Administration Server and then distribute them to client devices through Network Agent.

   If this option is not selected, Windows updates are not downloaded to the Administration Server. In this case, client devices receive Windows updates directly from Microsoft servers.

7. Select the set of updates that the users can install on their devices manually by using Windows Update.

   On devices running Windows 10, if Windows Update has already found updates for the device, the new option that you select under Allow users to manage installation of Windows Update updates will be applied only after the updates found are installed.

   Select an item in the drop-down list:

   • Allow users to install all applicable Windows Update updates

     Users can install all of the Microsoft Windows Update updates that are applicable to their devices.

     Select this option if you do not want to interfere in the installation of updates.

     When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.

   • Allow users to install only approved Windows Update updates

     Users can install all of the Microsoft Windows Update updates that are applicable to their devices and that are approved by you.

     For example, you may want to first check the installation of updates in a test environment and make sure that they do not interfere with the operation of devices, and only then allow the installation of these approved updates on client devices.

     When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.

   • Do not allow users to install Windows Update updates

     Users cannot install Microsoft Windows Update updates on their devices manually. All of the applicable updates are installed as configured by you.

     Select this option if you want to manage the installation of updates centrally.

     For example, you may want to optimize the update schedule so that the network does not become overloaded. You can schedule after-hours updates, so that they do not interfere with user productivity.

8. Select the Windows Update search mode:
   • Active

     If this option is selected, Administration Server with support from Network Agent initiates a request from Windows Update Agent on the client device to the update source: Windows Update Servers or WSUS. Next, Network Agent passes information received from Windows Update Agent to Administration Server.

     The option takes effect only if Connect to the update server to update data option of the Find vulnerabilities and required updates task is selected.

     By default, this option is selected.

   • Passive

     If you select this option, Network Agent periodically passes Administration Server information about updates retrieved at the last synchronization of Windows Update Agent with the update source. If no synchronization of Windows Update Agent with an update source is performed, information about updates on Administration Server becomes out-of-date.

     Select this option if you want to get updates from the memory cache of the update source.

   • Disabled

     If this option is selected, Administration Server does not request any information about updates.

     Select this option if, for example, you want to test the updates on your local device first.

9. Select the Scan executable files for vulnerabilities when running them option if you want to scan executable files for vulnerabilities while the files are being run.
10. Make sure that editing is locked for all the settings that you have changed. Otherwise, the changes do not apply.
11. Click Apply.