interchange patch manager
Post on 11-Feb-2017
Customer tools for the road ahead
SHIFT YOUR LANDESK INVESTMENT INTO OVERDRIVE
Learn more at Momentum.LANDESK.com
Carson Platero
Consultant
LANDESK Professional Services
LANDESK Patch Manager 2016
Agenda
o What’s new in LANDESK Patch Manager 2016
o Getting started
o How we scan and remediate
o Understanding the Patch and Compliance Tool
o Configure devices
o Managing Security Content
o Scanning devices
o Patching devices
LDMS Improvements to Patch Manager - Summary
o Improved Charts
o Improved Patch Definition Group options
o Ability to provide Tags for Definitions
o Integration with Rollout Projects tool
o Improved Icons
Dashboards and charts
Double-click to create a related query
Chart colors – can choose from different themes
Display the dashboard in a separate window
Copy to clipboard as an image
Download updates improvements
Apply group settings by Definition Type and Severity
Actions available:
o Assign Scan Status
o Assign Autofix Status
o Add to Custom Groups
o Assign Tags
o Add to rollout projects
Definition Tagging
Add one or more tags to patch definitions
Add specific tags based on Download Updates Definition group filter criteria
Integration with Rollout Projects Tool
LANDESK Patch and Compliance
“Why”
Main tasks for configuring Patch and Compliance
o Configure the LANDESK Agent Security and Compliance Settings
o Download vulnerability definitions from a LANDESK Content Server
o Create a scan job to detect vulnerabilities in your environment
o Use the scan results to determine what you are going to patch in your environment
o Download patches for detected vulnerabilities
o Repair detected vulnerabilities by installing patches to affected devices
o View reports to see patch status and repair history
Managing Content
What is the definition of a definition?
Understand LANDESK Content types
o Linux: Security Threats and Vulnerabilities
o Mac: Security Threats, Antivirus (Kaspersky, LANDESK, McAfee and Symantec)
o Windows:
o Antivirus updates for LANDESK Antivirus and for 3rd party Antivirus vendors.
(Avast, AVG, Avira, Bitdefender, Bullguard, eScan, ESET, eTrust, Gdata, Kaspersky, McAfee, Microsoft Forefront, Windows Defender, Panda, Shavlik, Sophos, Symantec, Trend Micro, and Vipre)
o Driver Updates: Dell Poweredge Servers, HP Client, Lenovo Think Client, Lenovo Thinkserver, Microsoft
o Applications to block (Malware, Hacking Tools, Etc)
o LANDESK File Reputation
o Microsoft Windows Security Threats
o Microsoft Windows Spyware
o SCAP (Secure Content Automation Tool)
o Software Updates (Intel, LANDESK, Lenovo, Thinkvantage)
o Vulnerabilities
(7-zip, Acro Software, Adobe, AOL, Apple, Box, Cisco, Citrix, Filezilla, Foxit, GlavSoft, Google, HP, IAC, IBM, ICQ, IDM, Intel, LibreOffice, McAfee, Microsoft, Mozilla, Notepad++, Nuance, Nullsoft, OpenOffice, Opera, Oracle, Pidgin, Qualcomm, RealNetworks, RealVNC, Skype, Sun, TechSmith, The Gimp Team, TortoiseSVN, TightVNC, Trend Micro, UltraVNC, VideoLAN, VMWare, Winzip, Wireshark, Xmind, Yahoo)
Content scanning and remediation behavior
Selecting and downloading content types
Vulnerability Content
LANDESK Content comes in different categories. A regular schedule should be configured to download Security and Patch content at regular intervals.
Different content types can have separate download tasks.
Managing downloaded content
Many customers patch monthly. Definition Group Settings can be used to sort definitions into groups and rollout projects.
New distribution group settings options in LDMS 2016
LDMS 2016 offers great flexibility in organizing downloaded content automatically
New tabbed interface in the Download Updates tool
o Filter
o Scan
o Autofix
o Groups and Tags
o Rollout Projects
Patch Group Examples
0 New Patches 1 Pilot Baseline
Year
“I’ve downloaded content… Now what?”
Which Patches Should I Deploy?
o 11,000+ Windows Vulnerabilities
o Severity
o Microsoft NA – carefully review before deploying
o Use Filters
o Suffixes: _Manual, _Upgrade, _Fixit, _Detect_Only, _All_Updates
Patch Definition Review
Replaced By Repairable Detected Multiple Versions Upgrade Product
Disable Replaced Rules
Check once in a while Scan – Replaced or Partial Replaced
Agent Configuration
Agent Settings
Configuring Agent Settings
The Agent Configuration settings are in the Agent Configuration Tool. These settings control scanning and repair behavior on the client.
These settings include such things as whether or not the user will see the Vulnerability Scanner interface, options to defer repairs, reboot behaviors, scanning and repair schedules, etc.
Patch Maintenance
Meaningful Name State AND Time Windows Only Scan and Download
Now Repair\Reboot
in Window Reboot Settings
Must Agree
Pre-Repair / Post-Repair
Succeeded=true Or Zero (0)
Message=“Hello World”
If running script depends on file being there or access to share
Scanning and Repair
Getting the work done
Scanning Devices
Scanning of your devices can be started in several ways:
1. Right-click computer and select “Patch and Compliance scan now…”
2. Regular schedule driven by the local scheduler on the client
3. Running Vulscan.exe (Vulnerability scanner) from the command line
4. As part of a repair by right-clicking on a group and clicking “Repair” (in this case the scan and the repair will both be run in succession)
Typically vulnerability scans should be run daily.
Reviewing scan results
After scanning your environment, those vulnerabilities that have been found will show up in the Detected section of the tree.
You can then take action on them by multi-selecting and then choosing right-click repair, or drag them into a group, etc.
Repairing vulnerabilities
Repairing vulnerabilities can be initiated in several ways including the following:
o Right-click definitions and choose “Repair” (Up to 100 at a time)
o Right-click a group and choose “Repair” (Can be greater than 100)
o Autofix (or Autofix by Scope)
o As part of a rollout project
Repair by Group
o Dynamic
o Can contain more than 100 definitions
o Will repair definitions at that level or below
o Useful for repairing baseline plus recent tested patches
Troubleshooting
What to do if reboot and retry fail
Clean Repair History
o Right-Click Device -> Security and Patch Information
o Clean/Repair History
o Look up Wusa.exe and MSIExec errors
o Patch Download – make sure core has downloaded patch
Reboot and Try Again (Why!)
o Detection is often based upon file scanning
o Without a reboot, the old file is still in place
o If a definition is still detected after a reboot, try running it manually on the workstation. Possibly a more useful error message will display.
Custom Definitions
Plagiarism is Good
Custom Definitions Made Easy
Take what’s there and make it new again!
Right Click Definition
Clone -> Change -> Save
Custom Variables
Change Install Behavior of Patches
Close Browsers and Apps Used by Install Actions
Query Filter
Only Used in Custom Defs Target Double Check Does Hit Database
Stop Processes
Distribution and Patch Setting must be set to Kill Processes
Install Actions
Use Reuse Change
Hands on Lab
Thank you
Your feedback is welcome. Please fill out the survey for this session in the interchange 16 app.