LANDesk ® Management Suite 9.0 Creating Custom Definitions v 1.0


Contents
Introduction
Scope
Scanning the Managed Device
Create a Custom Definition to Use a Batch File
Create a Custom Definition to Change a Registry Setting
Create a Custom Definition to Use a VBScript or Custom Script
Conclusion
This document contains confidential and proprietary information of LANDesk Software, Inc. and its affiliates (collectively “LANDesk”) and is provided in connection with the identified LANDesk ® product(s). No part of this document may be
disclosed or copied without the prior written consent of LANDesk. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in LANDesk’s terms and conditions
for the license of such products, LANDesk assumes no liability whatsoever. LANDesk products are not intended for use in medical, life saving, or life sustaining applications. LANDesk does not warrant that this material is error-free, and
LANDesk reserves the right to update, correct, or modify this material, including any specifications and product descriptions, at any time, without notice.
Copyright © 2007, LANDesk Software Ltd. All rights reserved.
LANDesk and Targeted Multicast are trademarks or registered trademarks of LANDesk Software, Ltd. and its affiliated companies in the United States and other countries. Other brands and names may be claimed as the property of others. LSI-0614 04/07 JBB/NH
Introduction
LANDesk Management Suite 9.0 introduces several changes to Security and Patch Manager. It has been
split into a Security component and a Patch and Compliance component. What was Security and Patch
Manager is now called Security and Compliance, and Patch and Compliance sits within it. This document
refers to the Security and Compliance window, but the procedure also applies to version 8.8 and earlier,
where the tool is named Security and Patch Manager.
In LANDesk Patch and Compliance, the ability to create a “user defined” vulnerability is an extremely
flexible and powerful tool for implementing and maintaining the Management Suite environment. Custom
vulnerabilities (and their detection rules) can scan managed devices for any operating system, application,
single-file or registry condition that you choose to define as a “vulnerability.” For devices found
vulnerable, the definition can then remediate by configuring the appropriate response, such as deploying
a patch file, replacing files on the managed devices, or updating installed applications.
Scope
This document covers the best known methods for creating a custom definition in LANDesk
Management Suite 9.0.
Possible Implementations
Implementations of custom vulnerabilities are almost limitless. They can be used to update any
application on managed devices, or to apply a single-file executable or MSI to a managed device based on
detection rules defined by the LANDesk administrator.
Assumptions
This white paper assumes that the reader has the LANDesk Management Suite Core Server and Clients
installed. Managed Devices should be configured with the latest versions of the LANDesk Management
Suite Vulnerability Scanner. It also assumes a strong understanding of how LANDesk Patch Management
functions.
Creating a Custom Definition
This guide walks through creating a custom vulnerability that determines whether Symantec Antivirus is
installed and at the desired version on all managed devices.
1. From the Management Suite Console, click Tools | Security and Compliance | Patch and
Compliance.
2. In the Security and Compliance tool, click the Create Custom Definition toolbar icon (fourth
button from the right on the toolbar). An editable “Vulnerability Properties” dialog opens.
a. Vulnerability ID: Type a unique ID in the ID field. The default generated Vulnerability
ID code can be edited to a more descriptive title.
b. Publish Date: Default is the date that the vulnerability is created and is not an editable
field.
c. Title: Type a descriptive title for the vulnerability. This is the title that will be displayed
in the vulnerabilities list.
d. Severity: Specify a “Severity” for the vulnerability. For this vulnerability, a severity of
“High” will be used since all machines should have antivirus software installed. Any
option can be selected.
e. Status: Specify the “Status” of the vulnerability. Available options include: Scan, Don’t
Scan, and Unassigned. We will use Scan for this example.
Note: When a status is specified, the vulnerability is placed in the corresponding group in
the Security and Patch Manager tree view. If the vulnerability is to be part of the next
vulnerability scan, select Scan; otherwise it can be moved to the Scan group after it is created.
f. Language: The Language setting is automatically set to INTL (International or
Language Neutral), which means the vulnerability can be applied to any language version
of the available operating systems and/or applications.
g. Detection Rules: Displays all the rules used by this vulnerability definition. Create
one or more detection rules that the Vulnerability Scanner will use to determine whether a
device is vulnerable.
Note: For this custom vulnerability, the condition (i.e., the “Vulnerability”) to scan for is the
presence and version of an application; in this case the Symantec Antivirus scanner on
managed devices. The easiest way to do this is to create a detection rule that checks whether a
representative file of the Symantec client is missing or at a lower version than required.
Creating a Custom Detection Rule
This section creates a custom detection rule that scans for Symantec Antivirus being installed and
performs the remediation by updating or installing the desired version.
A detection rule has two sections. The first is the detection logic, which determines whether the managed
node is vulnerable. The second is the repair, which remediates the vulnerability. The repair section also
carries logic to determine whether the fix has already been applied. The first steps cover the logic that
determines whether a managed device is vulnerable.
Detection
1. From the Vulnerability Properties Window, click the ADD button under the Detection Rules.
This will bring up the “Properties for Rule 1” window.
a. Affected Platforms: The operating systems selected here limit which operating systems
will scan for this definition. Select every operating system that needs to be scanned. If a
client machine is not running one of the selected operating systems, it will not be found
vulnerable for this definition. More than one operating system can be selected. This option
is helpful when different install files are needed for different operating system versions.
b. Affected Products: This field is optional, and can be used to define a specific application
to begin detection on. To select a product, click the Edit button and choose the product.
For detection to occur, the products in the Affected Products list must be installed on the
client. In our example this can be left blank; Symantec products are currently not in this
list.
c. Files: Populate this section to detect a vulnerability based on a file or MSI. These file
entries are used by the Vulnerability Scanner to determine whether the install is at the
desired level, or installed at all.
d. Registry Settings: Populate this section to determine a vulnerability based on a registry
setting. All fields need to be completed for this option to work. You will need to get this
information from the client to ensure that the information is accurate. Registry settings
will not be used in this example.
e. Custom Script: This section can be used to utilize VBScript to perform advanced
vulnerability detection functions.
Under Files, click the Add button and add a file to scan for using these settings:
i. Verify Using: Set to “File Version” (default).
ii. Path: If the path is known it can be added to speed up the scanning. The default
location for the Symantec executable is “C:\Program Files\Symantec
Antivirus\VPC32.exe”.
If the path is not known, or is not in a standard location on all operating systems,
the executable name “VPC32.exe” can be supplied without the path. When
supplying only the executable name, the box “Search for file recursively” must be
checked.
iii. Min Version: The version used is “10.0.0.359”. Anything lower than this
version will be considered vulnerable.
iv. Requirement: Set to “File Must Exist”. This states that the file must be on the
managed device and must be at the Min Version or higher. Managed devices that do
not have Symantec Antivirus installed are therefore also detected as vulnerable.
2. After adding the information to scan for, select the Update button to save the rule.
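The file rule configured above (Verify Using: File Version, Min Version 10.0.0.359, Requirement: File Must Exist, optionally searching recursively) can be modelled in a few functions. The following is an added example written for this page, not LANDesk's scanner code. It compares versions numerically rather than as strings, walks a directory tree for VPC32.exe the way the recursive option would, and reports a device as vulnerable when the file is missing or below the minimum. The version strings and directory layout in demo() are constructed sample data; reading a real PE version resource is assumed to happen elsewhere.

```python
import os
import tempfile

# Values taken from the detection rule in the document.
MIN_VERSION = "10.0.0.359"
FILE_NAME = "VPC32.exe"


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric.
    Missing trailing fields count as 0, so '10.0' equals '10.0.0.0'.
    A plain string comparison would rank '9.0.0.1000' above
    '10.0.0.359' and let an old build pass."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(found_version, min_version=MIN_VERSION):
    """Apply 'File Must Exist' plus Min Version: the device is vulnerable
    when the file is absent (found_version is None) or older than the
    minimum.  Equal or newer is compliant."""
    if found_version is None:
        return True
    return parse_version(found_version) < parse_version(min_version)


def find_file_recursively(root, name=FILE_NAME):
    """Stand-in for the 'Search for file recursively' option: walk the
    tree and return every path whose file name matches, ignoring case
    because Windows file names are case-insensitive."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                hits.append(os.path.join(dirpath, f))
    return hits


def scan_device(root, version_lookup, min_version=MIN_VERSION):
    """Locate the file under root and evaluate the rule.  version_lookup
    maps a path to the version string it reports; this is an assumption
    for the example, a real scanner reads the PE version resource."""
    hits = find_file_recursively(root)
    if not hits:
        return {"path": None, "version": None, "vulnerable": True}
    path = hits[0]
    version = version_lookup.get(path)
    return {"path": path, "version": version,
            "vulnerable": is_vulnerable(version, min_version)}


def demo():
    """Constructed sample device: VPC32.exe installed outside the default
    'C:\\Program Files\\Symantec Antivirus' folder, at an older build."""
    with tempfile.TemporaryDirectory() as root:
        nonstandard = os.path.join(root, "Apps", "SAV")
        os.makedirs(nonstandard)
        exe = os.path.join(nonstandard, "vpc32.exe")   # note the case
        open(exe, "wb").close()
        versions = {exe: "9.0.0.1000"}   # constructed version string
        return scan_device(root, versions)


if __name__ == "__main__":
    print(demo())
    # Lexical comparison would have passed this old build; numeric does not.
    print("9.0.0.1000" > "10.0.0.359", "(lexical)",
          is_vulnerable("9.0.0.1000"), "(numeric)")
```

The recursive search is what makes the rule robust to non-standard install locations, but it is also the slow path, which is why the document recommends supplying the full path when it is known.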
Remediation
This section covers the remediation of the vulnerability. Our example will install the desired version of
antivirus software if the target device is considered vulnerable.
In order to remediate this vulnerability, the install files should be compressed and placed in the patch
directory. (The default location is %ProgramFiles%\LANDesk\ManagementSuite\LDlogon\patch.)
1. Patch information: The patch information item in the tree view settings will tell the definition if
it is repairable or just a detection rule.
a. From the first drop down menu select “Repairing this issue requires downloading a
patch.”
b. Patch URL: For this example, this can be left blank as the files should already be
downloaded and placed in the patch directory. A URL for the patch download can be
supplied to download patch files for other definitions.
c. Auto-Downloadable: This setting tells the content download tool if it should download
the file. For this example, this should be left at “No”. The file should already be manually
copied to the patch directory.
d. Unique Filename: Type the name of the compressed file in the patch directory that
contains the client installation.
e. Generate MD5 Hash button: This ensures the file in the patch directory is the original
file and has not been changed. If the file in the patch location is changed, the hash will
need to be regenerated. Once you have entered the Unique Filename, click Generate
MD5 Hash.
f. Repair Information: This is informational only. It will show up in the property fields for
this custom definition. Set the Requires Reboot to NO, and the Silent Install to Yes.
2. Detecting the Patch: This section determines whether the patch has been installed. The same
information is set here as detecting if the machine is vulnerable.
a. Files: If using a file in your detection logic, enter the same information as you did in the
Detection Logic section under File.
b. Registry Settings: If using a Registry Settings to detect, please enter the same
information as entered prior in Registry Settings under the Detection Logic section.
Once the Patch information is set, the commands to install the program need to be set in the Patch
Installation and Removal section.
3. Patch Install Commands: There are several commands necessary to install the patch once it is
downloaded. We will add the following:
a. Click Add in the Commands window; the “Choose a Command Type” window
appears. Select “Unzip a file” and click OK. Click Add again and choose “Execute a
program” from the command types.
You should now have both command options available in the commands window.
b. Unzip a file: Because the file is compressed, it needs to be uncompressed before it can be
executed.
i. Highlight Unzip a file in the Commands window.
ii. Change the dest value from its default %TempDir% to %Temp%. This extracts the zip
file to the C:\Windows\temp directory.
iii. Leave the source default of %SDMCACHE%%PATCHFILENAME%. The patch file is
delivered to the sdmcache directory on the client device, and the command reads it from there.
c. Execute a Program: In this example, in order to take advantage of command-line
options, setup is launched through the MSI instead of an .exe file.
i. Path: Set this to msiexec.exe.
ii. Args: Switches that msiexec.exe will use to install the MSI file. After
%temp%, add the directory structure that the zip file extracts to; in this example
the zip file extracts into the SAV directory. /qn is the msiexec.exe switch for a
silent install, and /i gives the install path of the MSI file:
/i “%temp%\sav\Symantec antivirus.msi” /qn
iii. Timeout: can be left at default
iv. Wait: left at default
You have now configured your custom definition. Click OK in any open windows and remain at
the Patch and Compliance window.
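The three repair steps just configured (check the patch against its recorded MD5, unzip it to the temp directory, run msiexec with /i and /qn) as an added Python model; this is example code written for this page, not LANDesk's own client logic. The Unique Filename sav.zip is a constructed name, the archive contents are placeholder bytes, and the msiexec command is assembled but not executed. Two points the example makes that the console dialog does not: the hash recorded when Generate MD5 Hash was clicked has to be re-checked on the copy that is actually extracted, and each archive member should be confirmed to land inside the extraction directory. MD5 is adequate for catching a corrupted or accidentally swapped patch file but is not collision-resistant, so treat it as an integrity check on the administrator's own copy rather than protection against a deliberately crafted substitute.

```python
import hashlib
import hmac
import os
import tempfile
import zipfile

# Constructed Unique Filename; the document leaves the real name to the admin.
PATCH_FILE_NAME = "sav.zip"
# Location of the MSI inside the extracted archive, per the document's args.
MSI_RELATIVE_PATH = os.path.join("sav", "Symantec antivirus.msi")


def generate_md5(path):
    """Equivalent of the console's 'Generate MD5 Hash' button."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch(path, expected_md5):
    """Refuse to proceed unless the delivered copy matches the hash stored
    in the definition.  compare_digest avoids a timing side channel."""
    return hmac.compare_digest(generate_md5(path), expected_md5.lower())


def member_escapes(dest, member):
    """True if extracting this archive member would write outside dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member))
    return os.path.commonpath([dest_real, target]) != dest_real


def unzip_to(archive, dest):
    """'Unzip a file' step.  zipfile already drops absolute and '..' path
    components on extraction; the explicit check makes the policy visible
    and fails closed instead of silently relocating a member."""
    with zipfile.ZipFile(archive) as z:
        for member in z.namelist():
            if member_escapes(dest, member):
                raise ValueError("archive entry escapes destination: " + member)
        z.extractall(dest)
    return dest


def msiexec_command(temp_dir):
    """'Execute a program' step: msiexec.exe with the document's switches.
    temp_dir stands in for %temp%, which the client expands at run time."""
    return ["msiexec.exe", "/i", os.path.join(temp_dir, MSI_RELATIVE_PATH), "/qn"]


def remediate(archive, expected_md5, temp_dir):
    """Run the steps in order; returns the command that would be executed,
    or None when the hash check fails and nothing is extracted."""
    if not verify_patch(archive, expected_md5):
        return None
    unzip_to(archive, temp_dir)
    return msiexec_command(temp_dir)


def build_sample_patch(patch_dir):
    """Construct an archive like the one placed in the patch directory:
    sav\\Symantec antivirus.msi with placeholder bytes standing in for the MSI."""
    archive = os.path.join(patch_dir, PATCH_FILE_NAME)
    with zipfile.ZipFile(archive, "w") as z:
        z.writestr("sav/Symantec antivirus.msi", b"placeholder msi bytes")
    return archive


def demo():
    """Good copy is verified and extracted; a copy altered after the hash
    was recorded is rejected before extraction."""
    with tempfile.TemporaryDirectory() as patch_dir, \
            tempfile.TemporaryDirectory() as temp_dir:
        archive = build_sample_patch(patch_dir)
        recorded = generate_md5(archive)         # what the definition stores
        command = remediate(archive, recorded, temp_dir)
        extracted = os.path.exists(os.path.join(temp_dir, MSI_RELATIVE_PATH))
        with open(archive, "ab") as f:           # tamper after recording
            f.write(b"x")
        tampered = remediate(archive, recorded, temp_dir)
        return {"command": command, "extracted": extracted,
                "tampered_result": tampered}


if __name__ == "__main__":
    print(demo())
```

If the patch file in LDlogon\patch is ever replaced, regenerate the hash in the definition as the document says; a stale hash makes every repair fail closed in exactly the way the tampered case above does.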
Scanning the Managed Device
Once the vulnerability and detection rule are created, the managed devices should be scanned to find out
which devices are vulnerable. A Security and Compliance scan will need to be run on the managed
device, and the Scan and Repair setting must be configured to scan for Custom Definitions. Please refer to
other articles on setting up a scan and repair setting if you have questions on this process; it is not
discussed further in this document. Once the vulnerability is detected, the “patch” will need to be applied
by one of the following methods:
1. Set the patch to Auto-Fix.
2. Use an application policy.
3. Schedule a repair task to deploy the patch.
Create a Custom Definition to use a Batch File
The same process can be used to install software or complete a task using a Batch Script. Specific batch
scripting examples will not be given. You will need to create the batch file to perform the desired
function. Test thoroughly on devices to ensure that the batch file will run as expected independent of
LANDesk. LANDesk will run the script as LocalSystem.
1. Create a definition as explained in the previous section
2. In the “Properties for Rule 1” window, enter the file name of your batch script as the
Unique Filename and then click Generate MD5 Hash.
3. In Patch Installation and Removal, click Add.
4. Select “Copy a file” from the list and enter the destination and source paths.
a. Destination can be C:\Program Files\LANDesk\LDClient\sdmcache
b. Source path needs to be a location that can be accessed by all. The Patch Directory can
function as this Source Path. Make sure you copy your .bat file to that location.
5. Click Add again on the Patch Install Commands and choose “Execute a Program.” Keep all
defaults.
6. Click OK to save the configuration and then OK again.
This will give you a custom definition that will use a batch script. You will need to once again scan
against this vulnerability by placing this in your scan folder, and then set up a repair task as described.
Create a Custom Definition to Change a Registry Setting
You can also use a custom definition to edit, add or delete a registry setting. In our example we will
detect the registry setting that controls the LANDesk Remote Control security type
(HKLM\SOFTWARE\Intel\LANDesk\WUSER32 | Security Type).
1. Create a new Custom definition by following the example above.
2. Under the Properties for Rule 1 window go to the Detection Logic Tree and select Registry
Settings
3. Click ADD to add a new registry key.
4. Update the information with the preferred values. In our example the following:
a. Key: HKLM\SOFTWARE\Intel\LANDesk\WUSER32
b. Value name: Security Type
c. Value Data: 9
d. Requirement: Registry value must exist.
5. After entering the registry settings, click Update button to commit the changes
6. Choose Patch Information
7. Change the dropdown to “This issue can be repaired without downloading a patch.”
8. Choose Registry Settings under Detecting the Patch, Click Add
9. Enter the registry settings as they will be after the change, so you can detect when the change has
occurred on the device. In our example the following:
a. Key: HKLM\SOFTWARE\Intel\LANDesk\WUSER32
b. Value name: Security Type
c. Value Data: 0
10. Click Update
11. Choose Patch Install Commands, Click Add.
12. Choose command type “Write a value to the registry,” Click Ok
13. Add the following Command Arguments:
a. Key: HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\WUSER32
b. Type: REG_DWORD
14. Click OK, OK.
This will give you a custom definition that will change a registry setting. You will need to once again
scan against this vulnerability by placing this in your scan folder, and then set up a repair task as
described.
Creating a Custom Definition that uses a custom VBScript
The usage of VBScript in the detection and remediation section of a custom vulnerability adds a lot of
versatility to the vulnerability detection and remediation features of LANDesk. This enables the user to
perform complex tasks. We will not discuss how to create a custom VBScript, but will show how to set it
up in your Custom definition.
1. Create a new Custom Definition as explained in this article.
2. In the “Properties for Rule 1” window, choose Custom Script.
3. Enter a description for your script.
4. Use the editor, or enter your script command arguments in the Script Content pane.
5. Choose Patch Install Commands, under Patch Installation & Removal.
6. Click Add and select Run script.
7. Enter your VBScript in the text box and click OK.
This will give you a custom definition that will use a VBScript. You will need to once again scan against
this vulnerability by placing this in your scan folder, and then set up a repair task as described.
Conclusion
There are several ways to create and use custom definitions with Patch and Compliance in LANDesk Management
Suite. Custom definitions can be very helpful. This guide gives an overview of the basic functions and settings to
create custom definitions. While LANDesk support does not assist in creating custom definitions, this
information should allow you to understand the basics of doing so.
For more information on creating custom definitions, or to see examples, you can visit a third-party website:
http://www.droppedpackets.org/security/custom-defintions/