Kaspersky Security Center 14 Windows
[Topic 52462]

Scenario: Finding and fixing third-party software vulnerabilities

This section provides a scenario for finding and fixing vulnerabilities on the managed devices running Windows. You can find and fix software vulnerabilities in the operating system and in third-party software, including Microsoft software.

Prerequisites

  • Kaspersky Security Center is deployed in your organization.
  • There are managed devices running Windows in your organization.
  • Internet connection is required for Administration Server to perform the following tasks:
    • To make a list of recommended fixes for vulnerabilities in Microsoft software. The list is created and regularly updated by Kaspersky specialists.
    • To fix vulnerabilities in third-party software other than Microsoft software.

Stages

Finding and fixing software vulnerabilities proceeds in stages:

  1. Scanning for vulnerabilities in the software installed on the managed devices

    To find vulnerabilities in the software installed on the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

    The Find vulnerabilities and required updates task is created automatically by Kaspersky Security Center Quick Start Wizard. If you did not run the Wizard, start it now or create the task manually.

  2. Analyzing the list of detected software vulnerabilities

    View the Software vulnerabilities list and decide which vulnerabilities are to be fixed. To view detailed information about each vulnerability, click the vulnerability name in the list. For each vulnerability in the list, you can also view the statistics on the vulnerability on managed devices.

  3. Configuring the vulnerability fix

    When software vulnerabilities have been detected, you can fix them on the managed devices by using the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task.

    The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task allows you to install multiple updates and fix multiple vulnerabilities according to rules that you configure. Note that this task can be created only if you have the license for the Vulnerability and Patch Management feature. To fix software vulnerabilities, the Install required updates and fix vulnerabilities task uses recommended software updates.

    The Fix vulnerabilities task does not require the license option for the Vulnerability and Patch Management feature. To use this task, you must manually specify user fixes for vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for third-party software.

    You can start the Vulnerabilities Fix Wizard, which creates one of these tasks automatically, or you can create one of these tasks manually.

  4. Scheduling the tasks

    To keep the vulnerabilities list up to date, schedule the Find vulnerabilities and required updates task to run automatically at regular intervals. The recommended frequency is about once a week.

    If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Fix vulnerabilities task, note that you have to select fixes for Microsoft software or specify user fixes for third-party software every time before starting the task.

    When scheduling the tasks, make sure that the vulnerability fix task starts only after the Find vulnerabilities and required updates task has completed; otherwise it may act on an outdated list of vulnerabilities.

  5. Ignoring software vulnerabilities (optional)

    You can choose to ignore selected software vulnerabilities, either on all managed devices or only on selected managed devices, so that they are not fixed.

  6. Running a vulnerability fix task

    Start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. When the task is complete, make sure that it has the Completed successfully status in the task list.

  7. Creating the report on results of fixing software vulnerabilities (optional)

    To view detailed statistics on the vulnerability fix, generate the Report on vulnerabilities. The report shows the software vulnerabilities that have not yet been fixed, which gives you an overview of the state of finding and fixing vulnerabilities in third-party software, including Microsoft software, in your organization.

  8. Checking configuration of finding and fixing vulnerabilities in third-party software

    Be sure that you have done the following:

    • Obtained and reviewed the list of software vulnerabilities on managed devices
    • Ignored software vulnerabilities if you wanted
    • Configured the task to fix vulnerabilities
    • Scheduled the tasks to find and to fix software vulnerabilities so that they start sequentially
    • Checked that the task to fix software vulnerabilities was run
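
The sequencing requirement in stage 4 is easy to get wrong once the Find vulnerabilities and required updates task uses a randomized start delay, because a device may not start the scan until the end of the delay window. The following Python script is an added example, not Kaspersky Security Center code: the weekly schedules, the 360-minute randomization window and the 30-minute scan duration are assumptions, and the script checks whether a weekly fix task can start before the latest possible completion of the Find task.

```python
"""Check that a vulnerability fix task cannot start before the
Find vulnerabilities and required updates task has finished on every
device, taking the randomized start delay into account.

Constructed example, not Kaspersky Security Center code: the task
names follow the help text, while the weekly schedules, the 360-minute
randomization window and the expected task duration are assumptions."""
from datetime import datetime, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order


def next_run(weekday: str, time_hhmm: str, after: datetime) -> datetime:
    """First start of a weekly schedule strictly after `after`."""
    hour, minute = (int(x) for x in time_hhmm.split(":"))
    run = after.replace(hour=hour, minute=minute, second=0, microsecond=0)
    run += timedelta(days=(WEEKDAYS.index(weekday) - run.weekday()) % 7)
    if run <= after:
        run += timedelta(days=7)
    return run


def latest_completion(start: datetime, random_delay_min: int, duration_min: int) -> datetime:
    """Worst case on a single device: it draws the end of the randomization
    window and the task then takes its full expected duration."""
    return start + timedelta(minutes=random_delay_min + duration_min)


def check_sequence(find_task: dict, fix_task: dict, now: datetime) -> dict:
    """Compare the next Find task completion with the next fix task start."""
    find_start = next_run(find_task["weekday"], find_task["time"], now)
    find_done = latest_completion(find_start, find_task["random_delay_min"],
                                  find_task["duration_min"])
    fix_start = next_run(fix_task["weekday"], fix_task["time"], now)
    gap_min = int((fix_start - find_done).total_seconds() // 60)
    if gap_min >= 0:
        advice = "OK: fix task starts after the latest possible Find completion"
    else:
        advice = (f"RISK: fix task may start {-gap_min} min before the Find task "
                  f"completes; move it to {find_done:%a %H:%M} or later, or use the "
                  "'On completing another task' trigger")
    return {"find_start": find_start, "find_latest_completion": find_done,
            "fix_start": fix_start, "gap_min": gap_min, "advice": advice}


# Constructed schedules (assumptions): Find weekly on Monday 02:00 with a
# 360-minute randomized delay and about 30 minutes of runtime; fix weekly on Monday.
FIND_TASK = {"weekday": "Mon", "time": "02:00", "random_delay_min": 360, "duration_min": 30}
FIX_TASK_EARLY = {"weekday": "Mon", "time": "06:00"}
FIX_TASK_LATE = {"weekday": "Mon", "time": "09:00"}
DEMO_NOW = datetime(2024, 1, 1, 0, 0)  # a Monday, used as the reference time

if __name__ == "__main__":
    for fix in (FIX_TASK_EARLY, FIX_TASK_LATE):
        print(check_sequence(FIND_TASK, fix, DEMO_NOW)["advice"])
```

Run it to see one schedule flagged as a risk and one passing. When the check fails, the safe alternative is the On completing another task schedule, which waits for the Find task instead of relying on a fixed clock time.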

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the vulnerabilities are fixed on the managed devices automatically. When the task runs, it compares the list of available software updates with the rules specified in the task settings. All software updates that meet the criteria in the rules are downloaded to the Administration Server repository and installed to fix software vulnerabilities.

If you have created the Fix vulnerabilities task, vulnerabilities in Microsoft software are fixed by the recommended fixes; vulnerabilities in other third-party software are fixed only where you have specified user fixes in the task settings.

See also:

About third-party applications

[Topic 184124]

About finding and fixing software vulnerabilities

Kaspersky Security Center detects and fixes software vulnerabilities on managed devices running operating systems of the Microsoft Windows family. Vulnerabilities are detected in the operating system and in third-party software, including Microsoft software.

Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.

Finding software vulnerabilities

To find software vulnerabilities, Kaspersky Security Center uses characteristics from the database of known vulnerabilities. This database is created by Kaspersky specialists. It contains information about each vulnerability, such as its description, detection date, and severity level. You can find the details of software vulnerabilities on the Kaspersky website.

Kaspersky Security Center uses the Find vulnerabilities and required updates task to find software vulnerabilities.

Fixing software vulnerabilities

To fix software vulnerabilities, Kaspersky Security Center uses software updates issued by the software vendors. The software update metadata is downloaded to the Administration Server repository when the following tasks run:

  • Download updates to the Administration Server repository. This task downloads update metadata for Kaspersky and third-party software. It is created automatically by the Kaspersky Security Center Quick Start Wizard; you can also create the Download updates to the Administration Server repository task manually.
  • Perform Windows Update synchronization. This task downloads update metadata for Microsoft software.

Software updates that fix vulnerabilities can be delivered as full distribution packages or as patches. Software updates that fix software vulnerabilities are called fixes. Recommended fixes are those that Kaspersky specialists recommend for installation. User fixes are those that users specify manually for installation. To install a user fix, you have to create an installation package containing this fix.

If you have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, you can use the Install required updates and fix vulnerabilities task to fix software vulnerabilities. This task automatically fixes multiple vulnerabilities by installing recommended fixes. For this task, you can configure rules that select which vulnerabilities are fixed.

If you do not have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to fix software vulnerabilities, you can use the Fix vulnerabilities task. By means of this task, you can fix vulnerabilities by installing recommended fixes for Microsoft software and user fixes for other third-party software.
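
To make the rule-based behaviour of the Install required updates and fix vulnerabilities task concrete, the following Python script is an added example, not Kaspersky Security Center code. The rule fields (vendor and minimum severity), the candidate update records and the action labels are assumptions; the three options it applies correspond to the task settings Allow installation of new application versions during updates, Download updates to the device without installing them and Install required general system components described under Fixing vulnerabilities in applications.

```python
"""Select updates with rules and apply the options of the Install required
updates and fix vulnerabilities task to decide what happens to each one.

Constructed example, not Kaspersky Security Center code. The rule
fields (vendor, minimum severity), the update records and the action
labels are assumptions made for illustration; the three options mirror
the task settings 'Allow installation of new application versions during
updates', 'Download updates to the device without installing them' and
'Install required general system components'."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Update:
    update_id: str
    vendor: str
    product: str
    severity: str
    installed_version: str
    target_version: str
    prerequisites: Tuple[str, ...] = ()  # general system components it needs


@dataclass(frozen=True)
class Rule:
    vendor: Optional[str] = None   # None matches any vendor
    min_severity: str = "Low"


def rule_matches(rule: Rule, upd: Update) -> bool:
    if rule.vendor is not None and rule.vendor != upd.vendor:
        return False
    return SEVERITY_RANK[upd.severity] >= SEVERITY_RANK[rule.min_severity]


def is_new_application_version(upd: Update) -> bool:
    """Assumption: a change of the major version number counts as a new
    application version rather than an in-place update."""
    return upd.installed_version.split(".")[0] != upd.target_version.split(".")[0]


def plan(updates: List[Update], rules: List[Rule], *, allow_new_versions: bool = True,
         download_only: bool = False, install_prerequisites: bool = False) -> Dict[str, str]:
    """Return an action per update id (and per prerequisite that gets pulled in)."""
    mode = "download only" if download_only else "install"
    actions: Dict[str, str] = {}
    for upd in updates:
        if not any(rule_matches(r, upd) for r in rules):
            actions[upd.update_id] = "not selected"  # no rule matched: task does nothing for it
        elif not allow_new_versions and is_new_application_version(upd):
            actions[upd.update_id] = "skipped: new application version"
        elif upd.prerequisites and not install_prerequisites:
            actions[upd.update_id] = "requires manual prerequisites: " + ", ".join(upd.prerequisites)
        else:
            for pre in upd.prerequisites:          # pulled in before the update itself
                actions.setdefault(pre, f"{mode} (prerequisite)")
            actions[upd.update_id] = mode
    return actions


# Constructed candidate updates and rules (assumptions, not a real update feed).
SAMPLE_UPDATES = [
    Update("U1", "Microsoft", "Windows", "Critical", "10.0.19044", "10.0.19045"),
    Update("U2", "ExampleVendor", "ExampleViewer", "High", "2.2.0", "3.0.0"),
    Update("U3", "ExampleVendor", "ArchiveTool", "Low", "5.1", "5.2"),
    Update("U4", "OtherVendor", "ChatApp", "High", "1.4", "1.5", ("Runtime-2024",)),
]
SAMPLE_RULES = [Rule(vendor="Microsoft"), Rule(min_severity="Medium")]

if __name__ == "__main__":
    for uid, action in plan(SAMPLE_UPDATES, SAMPLE_RULES).items():
        print(uid, "->", action)
```

The example shows why the defaults matter: with Allow installation of new application versions enabled, a major-version upgrade is installed without further review, and with Install required general system components disabled, an update that needs a prerequisite is left for manual handling.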

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file checks and include virus scanning, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, and do not perform any types of analysis of the updates other than those specified in the paragraph above.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it is currently open.

To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the software if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 183975]

Viewing information about software vulnerabilities

To view a list of vulnerabilities detected on client devices,

In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.

The page displays a list of vulnerabilities in applications detected on managed devices.

To obtain information about a selected vulnerability,

Select Properties from the context menu of the vulnerability.

The properties window of the vulnerability opens, displaying the following information:

  • Application in which the vulnerability has been detected.
  • List of devices on which the vulnerability has been detected.
  • Information on whether the vulnerability has been fixed.

To view the report on all detected vulnerabilities,

In the Software vulnerabilities folder, click the View report on vulnerabilities link.

A report on vulnerabilities in applications installed on devices will be generated. You can view this report in the node with the name of the relevant Administration Server, by opening the Reports tab.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 61501]

Viewing statistics of vulnerabilities on managed devices

You can view statistics for each software vulnerability on managed devices. Statistics are represented as a diagram. The diagram displays the number of devices with the following statuses:

  • Ignored on: <number of devices>. This status is assigned if, in the vulnerability properties, you have manually set the option to ignore the vulnerability.
  • Fixed on: <number of devices>. This status is assigned if the task to fix the vulnerability has successfully completed.
  • Fix scheduled on: <number of devices>. This status is assigned if you have created the task to fix the vulnerability, but the task is not performed yet.
  • Patch applied on: <number of devices>. This status is assigned if you have manually selected a software update to fix the vulnerability, but this software update has not fixed the vulnerability.
  • Fix required on: <number of devices>. This status is assigned if the vulnerability was fixed only on some managed devices, and the vulnerability is required to be fixed on more managed devices.

To view the statistics of a vulnerability on managed devices:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.

    The page displays a list of vulnerabilities in applications detected on managed devices.

  2. Select a vulnerability for which you want to view the statistics.

    In the block for working with a selected object, a diagram of the vulnerability statuses is displayed. Clicking a status opens a list of devices on which the vulnerability has the selected status.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 191658]

Scanning applications for vulnerabilities


If you have configured the application through the Quick Start Wizard, the Find vulnerabilities and required updates task (the vulnerability scan task) is created automatically. You can view the task in the Managed devices folder, on the Tasks tab.

To create a task for vulnerability scanning in applications installed on client devices:

  1. In the console tree, select Advanced → Application management, and then select the Software vulnerabilities subfolder.
  2. In the workspace, select Additional actions → Configure vulnerability scan.

    If a task for vulnerability scanning already exists, the Tasks tab of the Managed devices folder is displayed, with the existing task selected. Otherwise, the Find Vulnerabilities and Required Updates Task Creation Wizard starts. Follow the steps of the Wizard.

  3. In the Select the task type window, select Find vulnerabilities and required updates.
  4. On the Settings page of the Wizard, specify the task settings as follows:
    • Search for vulnerabilities and updates listed by Microsoft

      When searching for vulnerabilities and updates, Kaspersky Security Center uses the information about applicable Microsoft updates that is currently available from the source of Microsoft updates.

      For example, you may want to disable this option if you have different tasks with different settings for Microsoft updates and updates of third-party applications.

      By default, this option is enabled.

      • Connect to the update server to update data

        Windows Update Agent on a managed device connects to the source of Microsoft updates. The following servers can act as a source of Microsoft updates:

        • Kaspersky Security Center Administration Server (see the settings of Network Agent policy)
        • Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network
        • Microsoft Updates servers

        If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft updates to refresh the information about applicable Microsoft Windows updates.

        If this option is disabled, Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier.

        Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable this option if you have configured a regular connection to this source of updates in another task or in the properties of the Network Agent policy, in the Software updates and vulnerabilities section. If you do not want to disable this option, then, to reduce the load on the Administration Server, you can configure the task schedule to use a randomized delay for task starts within an interval of 360 minutes.

        By default, this option is enabled.

        Combination of the following options of the settings of Network Agent policy defines the mode of getting updates:

        • Windows Update Agent on a managed device connects to the Update Server to get updates only if the Connect to the update server to update data option is enabled in the properties of the Find vulnerabilities and required updates task and the Windows Update search mode option is set to Active in the settings of Network Agent policy.
        • If you do not need Network Agent to initiate a connection to the Microsoft Windows update source and download updates when performing the Find vulnerabilities and required updates task, you can set the Windows Update search mode option to Passive, while the Connect to the update server to update data option must remain enabled. This allows you to save resources and use previously received Windows update information to scan for vulnerabilities. You can use the passive mode if you have configured receiving Microsoft Windows updates in a different way. If receiving Microsoft Windows updates is not configured in another way, do not set the Windows Update search mode option to Passive, because in this case information about updates will never be received.
        • Irrespective of the Connect to the update server to update data option's status (enabled or disabled), if the Windows Update search mode option is set to Disabled, Kaspersky Security Center does not request any information about updates.
    • Search for third-party vulnerabilities and updates listed by Kaspersky

      If this option is enabled, Kaspersky Security Center searches for vulnerabilities and required updates for third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in the Windows Registry and in the folders specified under Specify paths for advanced search of applications in file system. The full list of supported third-party applications is managed by Kaspersky.

      If this option is disabled, Kaspersky Security Center does not search for vulnerabilities and required updates for third-party applications. For example, you may want to disable this option if you have different tasks with different settings for Microsoft Windows updates and updates of third-party applications.

      By default, this option is enabled.

    • Specify paths for advanced search of applications in file system

      The folders in which Kaspersky Security Center searches for third-party applications that require vulnerability fix and update installation. You can use system variables.

      Specify the folders to which applications are installed. By default, the list contains system folders to which most of the applications are installed.

    • Enable advanced diagnostics

      If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download or delete them.

      If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

      When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

      By default, this option is disabled.

    • Maximum size, in MB, of advanced diagnostics files

      The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

  5. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every 6 hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of the week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually

        The task does not run automatically. You can only start it manually.

        By default, this option is selected.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected. The default start time is 18:00.

      • When new updates are downloaded to the repository

        The task runs after updates are downloaded to the repository. For example, you may want to use this schedule for the Find vulnerabilities and required updates task.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the security application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task. This parameter only works if both tasks are assigned to the same devices.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices. For Manually, Once and Immediately schedule, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is disabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started at the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  6. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  7. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

After the Wizard completes its operation, the Find vulnerabilities and required updates task appears in the list of tasks in the Managed devices folder, on the Tasks tab.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

When the Find vulnerabilities and required updates task is complete, Administration Server displays a list of vulnerabilities found in applications installed on the device; it also displays all software updates required to fix the vulnerabilities detected.
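
The matching that produces this list, and the search described under Search for third-party vulnerabilities and updates listed by Kaspersky (the Windows Registry plus the folders from Specify paths for advanced search of applications in file system), can be illustrated with the following Python script. It is an added example, not Kaspersky's scanner or database format: the inventory, the vulnerability records, the product names and the version ranges are constructed, and the optional registry reader only shows where a real scan takes its inventory from.

```python
"""Match an installed-software inventory against a vulnerability database
and produce the list of vulnerabilities found on a device plus the
updates required to fix them.

Constructed example, not Kaspersky's scanner or database format. The
inventory entries, the vulnerability records and the product names are
invented; the optional registry reader shows where a real scan would get
its inventory from (the Uninstall keys), while the folder search is
reduced to the %VARIABLE% expansion of the configured paths."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Installed:
    name: str
    version: str
    source: str  # "registry" or the search folder the application was found in


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    product: str
    affected_from: str   # affected if affected_from <= version < fixed_in
    fixed_in: str
    severity: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric components only, so '1.2.3a' compares as (1, 2, 3)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_affected(version: str, rec: VulnRecord) -> bool:
    v = parse_version(version)
    return parse_version(rec.affected_from) <= v < parse_version(rec.fixed_in)


def expand_search_paths(paths: List[str], env: Dict[str, str]) -> List[str]:
    """Expand %VAR% system variables in 'Specify paths for advanced search'
    entries; `env` is passed explicitly so the result is deterministic."""
    expanded = []
    for path in paths:
        for key, value in env.items():
            path = path.replace(f"%{key}%", value)
        expanded.append(path)
    return expanded


def registry_inventory() -> List[Installed]:
    """Read DisplayName/DisplayVersion from the per-machine Uninstall keys.
    Returns [] off Windows so the example still runs elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows only
    found = []
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    name = winreg.QueryValueEx(sub, "DisplayName")[0]
                    version = winreg.QueryValueEx(sub, "DisplayVersion")[0]
            except OSError:
                continue  # entries without a name or version
            found.append(Installed(name, version, "registry"))
    return found


def scan(inventory: List[Installed], db: List[VulnRecord]) -> List[dict]:
    findings = []
    for app in inventory:
        for rec in db:
            if rec.product.lower() == app.name.lower() and is_affected(app.version, rec):
                findings.append({"vuln_id": rec.vuln_id, "product": app.name,
                                 "installed": app.version, "fixed_in": rec.fixed_in,
                                 "severity": rec.severity, "source": app.source})
    return findings


def required_updates(findings: List[dict]) -> Dict[str, str]:
    """One required update per product: the version that closes all of its findings."""
    required: Dict[str, str] = {}
    for f in findings:
        current = required.get(f["product"])
        if current is None or parse_version(f["fixed_in"]) > parse_version(current):
            required[f["product"]] = f["fixed_in"]
    return required


# Constructed inventory and vulnerability database (not real products or IDs).
SAMPLE_INVENTORY = [
    Installed("ExampleViewer", "2.2.0", "registry"),
    Installed("ArchiveTool", "5.2", "registry"),
    Installed("ArchiveTool", "5.1", r"C:\Tools"),
    Installed("OtherApp", "1.0", "registry"),
]
SAMPLE_DB = [
    VulnRecord("VULN-A", "ExampleViewer", "1.0.0", "2.3.1", "High"),
    VulnRecord("VULN-B", "ExampleViewer", "2.0.0", "2.4.0", "Medium"),
    VulnRecord("VULN-C", "ArchiveTool", "5.0", "5.2", "Critical"),
]

if __name__ == "__main__":
    results = scan(SAMPLE_INVENTORY + registry_inventory(), SAMPLE_DB)
    for f in results:
        print(f["vuln_id"], f["product"], f["installed"], "->", f["fixed_in"], f["source"])
    print("required updates:", required_updates(results))
```

The version-range check is the security-relevant part: an installed version at or above fixed_in is not reported, and several findings against one product collapse to the single update that closes all of them, which is what the task reports as the required update.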

If the task results contain Windows Update Agent error 0x80240033 ("License terms could not be downloaded."), you can resolve this issue through the Windows Registry.

Administration Server does not display the list of required software updates when you sequentially run two tasks—the Perform Windows Update synchronization task that has the Download express installation files option disabled, and then the Find vulnerabilities and required updates task. In order to view the list of required software updates, you must run the Find vulnerabilities and required updates task again.

Network Agent receives information about any available Windows updates and other Microsoft product updates from Windows Update or the Administration Server, if the Administration Server acts as the WSUS server. Information is transmitted when applications are started (if this is provided for by the policy) and at each routine run of the Find vulnerabilities and required updates task on client devices.

You can find the details of third-party software that can be updated through Kaspersky Security Center by visiting the Technical Support website, on the Kaspersky Security Center page, in the Server Management section.

See also:

Scenario: Deployment for cloud environment

Scenario: Finding and fixing third-party software vulnerabilities

Scenario: Updating third-party software

[Topic 61502]

Fixing vulnerabilities in applications


If you have selected Find and install required updates on the Update management settings page of the Quick Start Wizard, the Install required updates and fix vulnerabilities task is created automatically. The task is displayed in the workspace of the Managed devices folder, on the Tasks tab.

Otherwise, you can do any of the following:

  • Create a task for fixing vulnerabilities by installing available updates.
  • Add a rule for fixing a vulnerability to an existing vulnerability fix task.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it is currently open.

Fixing vulnerabilities by creating a vulnerability fix task

You can do any of the following:

  • Create a task for fixing multiple vulnerabilities that meet certain rules.
  • Select a vulnerability and create a task for fixing it and similar vulnerabilities.

To fix vulnerabilities that meet certain rules:

  1. In the console tree, select the Administration Server that manages the devices on which you want to fix vulnerabilities.
  2. In the View menu of the main application window, select Configure interface.
  3. In the window that opens, select the Display Vulnerability and Patch Management check box, and then click OK.
  4. In the window with the application message, click OK.
  5. Restart the Administration Console, so the changes take effect.
  6. In the console tree, select the Managed devices folder.
  7. In the workspace, select the Tasks tab.
  8. Click the Create a task button to run the Add Task Wizard. Follow the steps of the Wizard.
  9. On the Select the task type page of the Wizard, select the Install required updates and fix vulnerabilities task.

    If the task is not displayed, check whether your account has the Read, Modify, and Execute rights for the System management: Vulnerability and patch management functional area. You cannot create and configure the Install required updates and fix vulnerabilities task without these access rights.

  10. On the Settings page of the Wizard, specify the task settings as follows:
    • Specify rules for installing updates

      These rules are applied to installation of updates on client devices. If rules are not specified, the task has nothing to perform. For information about operations with rules, refer to Rules for update installation.

    • Start installation at device restart or shutdown

      If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise, updates are installed according to a schedule.

      Use this option if installing the updates might affect the device performance.

      By default, this option is disabled.

    • Install required general system components

      If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates.

      If this option is disabled, you may have to install the prerequisites manually.

      By default, this option is disabled.

    • Allow installation of new application versions during updates

      If this option is enabled, updates are allowed when they result in installation of a new version of a software application.

      If this option is disabled, the software is not upgraded. You can then install new versions of the software manually or through another task. For example, you may use this option if your company infrastructure is not supported by a new software version or if you want to check an upgrade in a test infrastructure.

      By default, this option is enabled.

      Upgrading an application may cause malfunction of dependent applications installed on client devices.

    • Download updates to the device without installing them

      If this option is enabled, the application downloads updates to the device but does not install them automatically. You can then Install downloaded updates manually.

      Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the folder specified in the Folder for downloading updates field.

      If this option is disabled, the updates are installed to the device automatically.

      By default, this option is disabled.

      • Folder for downloading updates

        This folder is used to download updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft).

    • Enable advanced diagnostics

      If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again from the beginning. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download or delete them.

      If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

      When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

      By default, this option is disabled.

      • Maximum size, in MB, of advanced diagnostics files

        The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

  11. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

      • Repeat prompt every (min)

        If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

        By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

        If this option is disabled, the prompt is displayed only once.

      • Restart after (min)

        After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

        By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Force closure of applications in blocked sessions

      Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

      If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

      If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

      By default, this option is disabled.

  12. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every 6 hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). This means that when clocks move one hour forward or back at the start or end of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of the week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually

        The task does not run automatically. You can only start it manually.

        By default, this option is selected.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected. The default start time is 18:00.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the security application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task. This parameter only works if both tasks are assigned to the same devices.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices. For Manually, Once and Immediately schedule, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is disabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started at the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  13. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  14. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

After the Wizard completes its operation, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

If the task results contain the 0x80240033 error (Windows Update Agent error 80240033, "License terms could not be downloaded."), you can resolve this issue through the Windows Registry.

To fix a specific vulnerability and similar ones:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
  2. Select the vulnerability that you want to fix.
  3. Click the Run Vulnerability Fix Wizard button.

    The Vulnerability Fix Wizard starts.

    The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management license.

    Follow the steps of the Wizard.

  4. In the Search for existing vulnerability fix tasks window, specify the following parameters:
    • Show only tasks that fix this vulnerability

      If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected vulnerability.

      If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts you to create a rule or task for fixing the vulnerability.

      By default, this option is enabled.

    • Approve updates that fix this vulnerability

      Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules of update installation only allow the installation of approved updates.

      By default, this option is disabled.

  5. If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

    Otherwise, click the New vulnerability fix task button.

  6. Select the type of the vulnerability fix rule to be added to the new task, and then click the Finish button.
  7. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications directly, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the application update fails.

    The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

  8. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

      • Repeat prompt every (min)

        If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

        By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

        If this option is disabled, the prompt is displayed only once.

      • Restart after (min)

        After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

        By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Force closure of applications in blocked sessions

      Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

      If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

      If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

      By default, this option is disabled.

  9. On the Select devices to which the task will be assigned page of the Wizard, select one of the following options:
    • Select networked devices detected by Administration Server

      The task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.

      For example, you may want to use this option in a task of installing Network Agent on unassigned devices.

    • Specify device addresses manually or import addresses from a list

      You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

      You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

    • Assign task to a device selection

      The task is assigned to devices included in a device selection. You can specify one of the existing selections.

      For example, you may want to use this option to run a task on devices with a specific operating system version.

    • Assign task to an administration group

      The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

      For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

      If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.

  10. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every 6 hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). This means that when clocks move one hour forward or back at the start or end of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of the week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually

        The task does not run automatically. You can only start it manually.

        By default, this option is selected.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected. The default start time is 18:00.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the security application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task. This parameter only works if both tasks are assigned to the same devices.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices. For Manually, Once and Immediately schedule, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is disabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started at the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  11. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  12. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

When the Wizard completes, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

Fixing a vulnerability by adding a rule to an existing vulnerability fix task

To fix a vulnerability by adding a rule to an existing vulnerability fix task:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
  2. Select the vulnerability that you want to fix.
  3. Click the Run Vulnerability Fix Wizard button.

    The Vulnerability Fix Wizard starts.

    The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management license.

    Follow the steps of the Wizard.

  4. In the Search for existing vulnerability fix tasks window, specify the following parameters:
    • Show only tasks that fix this vulnerability

      If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected vulnerability.

      If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts you to create a rule or task for fixing the vulnerability.

      By default, this option is enabled.

    • Approve updates that fix this vulnerability

      Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules of update installation only allow the installation of approved updates.

      By default, this option is disabled.

  5. If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

    Otherwise, click the Add vulnerability fix rule to existing task button.

  6. Select the task to which you want to add a rule, and then click the Add rule button.

    Also, you can view properties of the existing tasks, start them manually, or create a new task.

  7. Select the type of rule to be added to the selected task, and then click the Finish button.
  8. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications directly, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the application update fails.

A new rule for fixing the vulnerability is added to the existing Install required updates and fix vulnerabilities task.

See also:

Scenario: Updating third-party software

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 61947][Topic 230885]

Scenario: Fixing third-party software vulnerabilities in an isolated network

You can install updates and fix vulnerabilities of the third-party software installed on managed devices in an isolated network. Such networks include Administration Servers and managed devices connected to them that have no internet access. To fix vulnerabilities in this kind of network, you need an Administration Server connected to the internet. Then, you will be able to download patches (required updates) by using the Administration Server with internet access, and then transmit the patches to isolated Administration Servers.

You can download the third-party software updates issued by software vendors, but you cannot download updates for Microsoft software on isolated Administration Servers by using Kaspersky Security Center.

To find out how the process of fixing vulnerabilities in an isolated network works, see the description and diagram of this process.

Prerequisites

Before you start, do the following:

  1. Allocate one device for connecting to the internet and downloading patches. This device will serve as the Administration Server with internet access.
  2. Install Kaspersky Security Center, no earlier than version 14, on the following devices:
    • Allocated device, which will act as the Administration Server with internet access
    • Isolated devices, which will act as the Administration Servers isolated from the internet (hereinafter referred to as isolated Administration Servers)
  3. Make sure that every Administration Server has enough disk space for downloading and storing updates and patches.

Stages

Installing updates and fixing third-party software vulnerabilities on managed devices of isolated Administration Servers has the following stages:

  1. Configuring the Administration Server with internet access

    Prepare your Administration Server with internet access to handle requests on required third-party software updates and to download patches.

  2. Configuring isolated Administration Servers

    Prepare your isolated Administration Servers so they can regularly form lists of required updates and handle patches downloaded by the Administration Server with internet access. After configuration, isolated Administration Servers no longer try to download patches from the internet. Instead, they get updates through the transmitted patches.

  3. Transmitting patches and installing updates on isolated Administration Servers

    After you have finished configuring the Administration Servers, you can transmit the lists of required updates and the patches between the Administration Server with internet access and the isolated Administration Servers. Next, updates from the patches are installed on managed devices by using the Install required updates and fix vulnerabilities task.

Results

Thus, the third-party software updates are transmitted to isolated Administration Servers and installed on connected managed devices by using Kaspersky Security Center. It is enough to configure Administration Servers once, and after that you can get updates as often as you need, for example, once or several times per day.

See also:

Disabling the option to transmit patches and install updates in an isolated network

[Topic 230670]

About fixing third-party software vulnerabilities in an isolated network

The process of fixing third-party software vulnerabilities in an isolated network is shown in the figure and described below. You can repeat this process periodically.

[Figure: The process of transmitting patches and the list of required updates between the Administration Server with internet access and isolated Administration Servers. An isolated Server creates a list of updates for managed devices, which is transferred to the allocated Server.]

Every Administration Server isolated from the internet (hereinafter referred to as an isolated Administration Server) generates a list of updates that are required to be installed on managed devices connected to this Administration Server. The list of required updates is stored in a specific folder and consists of a set of binary files. Each file has a name that contains the ID of the patch with the required update. As a result, every file in the list points to a specific patch.

By using an external device, you transfer the list of required updates from the isolated Administration Server to the allocated Administration Server with internet access. After that, the allocated Administration Server downloads patches from the internet and puts them in a separate folder.

When all patches are downloaded and located in the folder for patches, you move them to every isolated Administration Server from which you took a list of required updates. You save the patches to the folder created for them on the isolated Administration Server. The Install required updates and fix vulnerabilities task then runs the patches and installs updates on managed devices of the isolated Administration Servers.

See also:

Scenario: Fixing third-party software vulnerabilities in an isolated network

Transmitting patches and installing updates in an isolated network

[Topic 231854]

Configuring the Administration Server with internet access to fix vulnerabilities in an isolated network

To prepare for fixing vulnerabilities and transmitting patches in an isolated network, first configure an Administration Server with internet access, and then configure the isolated Administration Servers.

To configure an Administration Server with internet access:

  1. Create two folders on a disk where Administration Server is installed:
    • Folder for the list of required updates
    • Folder for patches

    You can name these folders whatever you like.

  2. Grant the Modify permission to the KLAdmins group on the created folders, by using the standard administrative tools of the operating system.
  3. Use the klscflag utility to write the paths to the folders in the Administration Server properties.

    Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

  4. Enter the following commands at the Windows command prompt:
    • To set the path to the folder for patches:

      klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PATH -t s -v "<path to the folder>"

    • To set the path to the folder for the list of required updates:

      klscflag -fset -pv klserver -n VAPM_REQ_IMPORT_PATH -t s -v "<path to the folder>"

    Example: klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PATH -t s -v "C:\FolderForPatches"

  5. If necessary, use the klscflag utility to specify how often the Administration Server should check for new patch requests:

    klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PERIOD_SEC -t d -v <value in seconds>

    The default value is 120 seconds.

    Example: klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PERIOD_SEC -t d -v 150

  6. Create the Find vulnerabilities and required updates task to obtain information about patches for the third-party software installed on the managed devices, and then set the task schedule.
  7. Create the Fix vulnerabilities task to specify patches for the third-party software used to fix vulnerabilities, and then set the task schedule.

    Run the tasks manually if you want them to run earlier than scheduled. The order in which the tasks are started is important: the Fix vulnerabilities task must run only after the Find vulnerabilities and required updates task has finished.

  8. Restart the Administration Server service.

Now, the Administration Server with internet access is ready to download and transmit updates to isolated Administration Servers. Before you start fixing vulnerabilities, configure the isolated Administration Servers.

See also:

Scenario: Fixing third-party software vulnerabilities in an isolated network

About fixing third-party software vulnerabilities in an isolated network

[Topic 230729]

Configuring isolated Administration Servers to fix vulnerabilities in an isolated network

After you have finished configuring the Administration Server with internet access, prepare every isolated Administration Server in your network, so you can fix vulnerabilities and install updates on managed devices connected to the isolated Administration Servers.

To configure isolated Administration Servers, perform the following actions on every Administration Server:

  1. Activate a license key for the Vulnerability and Patch Management (VAPM) feature.
  2. Create two folders on a disk where Administration Server is installed:
    • Folder where the list of required updates will appear
    • Folder for patches

    You can name these folders whatever you like.

  3. Grant the Modify permission to the KLAdmins group on the created folders, by using the standard administrative tools of the operating system.
  4. Use the klscflag utility to write the paths to the folders in the Administration Server properties.

    Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

  5. Enter the following commands at the Windows command prompt:
    • To set the path to the folder for patches:

      klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v "<path to the folder>"

    • To set the path to the folder for the list of required updates:

      klscflag -fset -pv klserver -n VAPM_REQ_EXPORT_PATH -t s -v "<path to the folder>"

    Example: klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v "C:\FolderForPatches"

  6. If necessary, use the klscflag utility to specify how often the isolated Administration Server should check for new patches:

    klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PERIOD_SEC -t d -v <value in seconds>

    The default value is 120 seconds.

    Example: klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PERIOD_SEC -t d -v 150

  7. If necessary, use the klscflag utility to enable calculation of the SHA256 hashes of patches:

    klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_VERIFY_HASH -t d -v 1

    If you enter this command, you can make sure that the patches have not been modified during their transfer to the isolated Administration Server and that you have received the correct patches containing the required updates.

    By default, Kaspersky Security Center does not calculate the SHA256 hashes of patches. If you enable this option, after the isolated Administration Server receives patches, Kaspersky Security Center computes their hashes and compares the acquired values with the hashes stored in the Administration Server database. If the calculated hash does not match the hash in the database, an error occurs and you have to replace the incorrect patches.

  8. Create the Find vulnerabilities and required updates task to obtain information about patches for the third-party software installed on the managed devices, and then set the task schedule.
  9. Create the Fix vulnerabilities task to specify patches for the third-party software used to fix vulnerabilities, and then set the task schedule.

    Run the tasks manually if you want them to run earlier than scheduled. The order in which the tasks are started is important: the Fix vulnerabilities task must run only after the Find vulnerabilities and required updates task has finished.

  10. Restart the Administration Server service.
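The folder, permission and klscflag steps of the two configuration procedures above differ only in which flags are written: the Administration Server with internet access exports patches and imports request lists, while an isolated Administration Server imports patches and exports request lists. The following PowerShell script is an added example, not part of the Kaspersky Security Center documentation, that applies those steps to the local Server for either role. It assumes that klscflag.exe is in the default installation folder (override with -KscPath), that icacls is available for granting the Modify permission, and that you restart the Administration Server service yourself afterwards, as the last step of each procedure requires.

```powershell
# Added example, not from the Kaspersky Security Center documentation.
# Applies the folder, permission and klscflag steps for one Administration Server.
#   -Role Internet : Server with internet access (exports patches, imports request lists)
#   -Role Isolated : isolated Server (imports patches, exports request lists)
# Run from an elevated PowerShell prompt. ASSUMPTIONS: klscflag.exe is in the default
# installation folder unless -KscPath is given; the service restart is done by you afterwards.
param(
    [Parameter(Mandatory = $true)] [ValidateSet('Internet', 'Isolated')] [string] $Role,
    [Parameter(Mandatory = $true)] [string] $PatchesFolder,
    [Parameter(Mandatory = $true)] [string] $RequiredUpdatesFolder,
    [int] $PeriodSec = 120,      # default check interval stated in the documentation
    [switch] $VerifyHash,        # isolated Servers only: enables VAPM_DATA_IMPORT_VERIFY_HASH
    [string] $KscPath = "${env:ProgramFiles(x86)}\Kaspersky Lab\Kaspersky Security Center"
)

$klscflag = Join-Path $KscPath 'klscflag.exe'
if (-not (Test-Path -LiteralPath $klscflag)) { throw "klscflag not found at $klscflag" }

# Create the two folders (no-op when they already exist) and grant Modify to KLAdmins.
# (OI)(CI) makes the permission inherit to files and subfolders created later.
foreach ($folder in $PatchesFolder, $RequiredUpdatesFolder) {
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    icacls $folder /grant 'KLAdmins:(OI)(CI)M' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $folder" }
}

# Flag names are role-specific: EXPORT/IMPORT are mirrored between the two roles.
if ($Role -eq 'Internet') {
    $flags = @{
        VAPM_DATA_EXPORT_PATH       = @('s', $PatchesFolder)
        VAPM_REQ_IMPORT_PATH        = @('s', $RequiredUpdatesFolder)
        VAPM_DATA_EXPORT_PERIOD_SEC = @('d', $PeriodSec)
    }
    if ($VerifyHash) { Write-Warning '-VerifyHash applies to isolated Servers only; ignored.' }
} else {
    $flags = @{
        VAPM_DATA_IMPORT_PATH       = @('s', $PatchesFolder)
        VAPM_REQ_EXPORT_PATH        = @('s', $RequiredUpdatesFolder)
        VAPM_DATA_IMPORT_PERIOD_SEC = @('d', $PeriodSec)
    }
    if ($VerifyHash) { $flags['VAPM_DATA_IMPORT_VERIFY_HASH'] = @('d', 1) }
}

# Write each flag with the same klscflag invocation the documentation shows.
foreach ($name in $flags.Keys) {
    $type, $value = $flags[$name]
    & $klscflag -fset -pv klserver -n $name -t $type -v "$value"
    if ($LASTEXITCODE -ne 0) { throw "klscflag failed for $name" }
}
"Flags written for role '$Role'. Restart the Administration Server service to apply them."
```

Usage: `.\Set-VapmRole.ps1 -Role Isolated -PatchesFolder C:\FolderForPatches -RequiredUpdatesFolder C:\FolderForRequests -VerifyHash` on an isolated Server, and the same script with `-Role Internet` on the Server with internet access. Keeping both roles in one script makes the mirrored EXPORT/IMPORT naming explicit, which is the part most often mixed up when the two Servers are configured by hand.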

After configuring all Administration Servers, you can move patches and lists of required updates, and fix third-party software vulnerabilities on managed devices in the isolated network.

See also:

Scenario: Fixing third-party software vulnerabilities in an isolated network

About fixing third-party software vulnerabilities in an isolated network

[Topic 230777]

Transmitting patches and installing updates in an isolated network

After you have finished configuring Administration Servers, you can transfer patches containing the required updates from the Administration Server with internet access to isolated Administration Servers. You can transmit and install updates as often as you need, for example, once or several times per day.

You need an external device, such as a removable drive, to transfer patches and the list of required updates between Administration Servers. Make sure that the external device has enough disk space for storing the patches.

The process of transmitting patches and the list of required updates is shown in the figure and described below:

[Figure: The process of transmitting patches and the list of required updates between the Administration Server with internet access and isolated Administration Servers. An isolated Server creates a list of updates for managed devices, which is transferred to the allocated Server.]

To install updates and fix vulnerabilities on managed devices connected to isolated Administration Servers:

  1. Start the Install required updates and fix vulnerabilities task if it is not yet running.
  2. Connect an external device to any isolated Administration Server.
  3. Create two folders on the external device: one for the list of required updates and one for patches. You can name these folders whatever you like.

    If you created these folders earlier, clear them.

  4. Copy the list of required updates from every isolated Administration Server and paste this list into the folder for the list of required updates on the external device.

    As a result, you combine the lists from all isolated Administration Servers into one folder. This folder contains binary files with the IDs of patches required for all isolated Administration Servers.

  5. Connect the external device to the Administration Server with internet access.
  6. Copy the list of required updates from the external device and paste this list into the folder for the list of required updates on the Administration Server with internet access.

    All required patches are automatically downloaded from the internet to the folder for patches on the Administration Server. This can take several hours.

  7. Make sure that all required patches are downloaded. For this purpose, you can do one of the following:
    • Check the folder for patches on the Administration Server with internet access. All patches that were specified in the list of required updates should be present in this folder. This is more convenient if only a small number of patches is required.
    • Prepare a special script, for example, a shell script. If you get a large number of patches, it will be difficult to check on your own that all of them have been downloaded; in such cases, it is better to automate the check.
  8. Copy the patches from the Administration Server with internet access and paste them into the corresponding folder on your external device.
  9. Transfer the patches to every isolated Administration Server. Put the patches into the folder for patches on each of them.
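Step 7 suggests automating the completeness check, and the VAPM_DATA_IMPORT_VERIFY_HASH option described in the isolated Server configuration compares patches against the Server database only after they arrive. The PowerShell script below is an added example, not part of the Kaspersky Security Center documentation, that covers both sides of the transfer: -Mode Check confirms on the Administration Server with internet access that every ID in the list of required updates has a downloaded patch, -Mode Export writes a SHA256 manifest next to the patches so it travels with them on the external device, and -Mode Verify recomputes the hashes on an isolated Administration Server after the copy. The documentation only says that each request file name contains the patch ID, so the script assumes that the ID is the base name of the request file and that it appears somewhere in the matching patch file name; adjust the Check branch if your files are named differently.

```powershell
# Added example, not from the Kaspersky Security Center documentation.
#   Check  : on the Server with internet access, every required ID has a downloaded patch
#   Export : on the same Server, write a SHA256 manifest next to the patches
#   Verify : on an isolated Server, compare the copied patches with the manifest
# ASSUMPTIONS: the patch ID is the base name of each request file and appears in the
# matching patch file name; patch file names are unique within the folder.
param(
    [Parameter(Mandatory = $true)] [ValidateSet('Check', 'Export', 'Verify')] [string] $Mode,
    [Parameter(Mandatory = $true)] [string] $PatchesFolder,
    [string] $RequiredUpdatesFolder,          # needed for -Mode Check only
    [string] $ManifestName = 'patches.sha256'
)

$manifestPath = Join-Path $PatchesFolder $ManifestName

function Get-PatchFiles {
    # Every file in the patches folder except the manifest itself.
    Get-ChildItem -LiteralPath $PatchesFolder -File | Where-Object { $_.Name -ne $ManifestName }
}

function Get-PatchHashes {
    # Map of file name -> upper-case SHA256 hex digest.
    $hashes = @{}
    foreach ($f in Get-PatchFiles) {
        $hashes[$f.Name] = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
    return $hashes
}

switch ($Mode) {
    'Check' {
        if (-not $RequiredUpdatesFolder) { throw '-RequiredUpdatesFolder is required for -Mode Check' }
        # ASSUMPTION: request file base name == patch ID.
        $requiredIds = @(Get-ChildItem -LiteralPath $RequiredUpdatesFolder -File |
            ForEach-Object { $_.BaseName } | Sort-Object -Unique)
        $patchNames = @(Get-PatchFiles | ForEach-Object { $_.Name })
        $missing = @($requiredIds | Where-Object {
            $id = $_
            -not ($patchNames | Where-Object { $_.IndexOf($id, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
        })
        "Required IDs: $($requiredIds.Count); patch files present: $($patchNames.Count)"
        if ($missing.Count -gt 0) {
            'Patches still missing for:'
            $missing | ForEach-Object { "  $_" }
            exit 1   # non-zero so the copy step can be gated on this check
        }
        'All required patches are downloaded.'
    }
    'Export' {
        $hashes = Get-PatchHashes
        # One "<sha256>  <file name>" line per patch, the same layout as sha256sum output.
        $hashes.GetEnumerator() | Sort-Object Key |
            ForEach-Object { '{0}  {1}' -f $_.Value, $_.Key } |
            Set-Content -LiteralPath $manifestPath -Encoding UTF8
        "Wrote $($hashes.Count) hashes to $manifestPath"
    }
    'Verify' {
        $expected = @{}
        foreach ($line in Get-Content -LiteralPath $manifestPath) {
            if (-not $line.Trim()) { continue }
            $hash, $name = $line -split '  ', 2
            $expected[$name] = $hash
        }
        $actual = Get-PatchHashes
        $problems = @()
        foreach ($name in $expected.Keys) {
            if (-not $actual.ContainsKey($name))         { $problems += "missing: $name" }
            elseif ($actual[$name] -ne $expected[$name]) { $problems += "SHA256 mismatch: $name" }
        }
        foreach ($name in $actual.Keys) {
            if (-not $expected.ContainsKey($name)) { $problems += "not in manifest: $name" }
        }
        if ($problems.Count -gt 0) { $problems; exit 1 }
        "All $($expected.Count) patches match the manifest."
    }
}
```

Typical sequence: run `-Mode Check` after step 6 has finished downloading, run `-Mode Export` before step 8 so the manifest is copied together with the patches, and run `-Mode Verify` on each isolated Administration Server right after step 9, before the Install required updates and fix vulnerabilities task picks the patches up. A non-zero exit code in any mode means the transfer should not proceed.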

As a result, every isolated Administration Server creates an up-to-date list of updates that are required for managed devices connected to that Administration Server. After the Administration Server with internet access receives the list of required updates, it downloads the patches from the internet. When these patches appear on the isolated Administration Servers, the Install required updates and fix vulnerabilities task handles them. Thus, updates are installed on managed devices and third-party software vulnerabilities are fixed.

When the Install required updates and fix vulnerabilities task is running, do not reboot the Administration Server device and do not run the Backup of Administration Server data task (it also causes a reboot). Otherwise, the Install required updates and fix vulnerabilities task is interrupted and updates are not installed. In this case, you have to restart the task manually or wait for it to start according to the configured schedule.

See also:

Scenario: Fixing third-party software vulnerabilities in an isolated network

About fixing third-party software vulnerabilities in an isolated network

[Topic 230781]

Disabling the option to transmit patches and install updates in an isolated network

You can disable transmitting patches on isolated Administration Servers, for example, if you decided to take one or more Administration Servers out of an isolated network. This reduces the number of patches to download and the time needed to download them.

To disable the option to transmit patches on isolated Administration Servers:

  1. If you want to take all Administration Servers out of isolation, in the properties of the Administration Server with internet access, delete the paths to the folders for patches and the list of required updates. If you want to keep some Administration Servers in an isolated network, skip this step.

    Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

    Enter the following commands at the command prompt:

    • To delete the path to the folder for patches:

      klscflag -fset -pv klserver -n VAPM_DATA_EXPORT_PATH -t s -v ""

    • To delete the path to the folder for the list of required updates:

      klscflag -fset -pv klserver -n VAPM_REQ_IMPORT_PATH -t s -v ""

  2. Restart the Administration Server service if you deleted the paths to the folders on this Administration Server.
  3. In the properties of every Administration Server that you want to take out of isolation, delete the paths to the folders for patches and the list of required updates.

    Enter the following commands at the Windows command prompt, using administrator rights:

    • To delete the path to the folder for patches:

      klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v ""

    • To delete the path to the folder for the list of required updates:

      klscflag -fset -pv klserver -n VAPM_REQ_EXPORT_PATH -t s -v ""

  4. Restart the service of every Administration Server on which you deleted the paths to the folders.

As a result, if you reconfigured the Administration Server with internet access, you will no longer receive patches through Kaspersky Security Center. If you reconfigured only some isolated Administration Servers, for example, taking some of them out of the isolated network, you will get patches only for the remaining isolated Administration Servers.

If you want to start fixing vulnerabilities on disabled isolated Administration Servers in the future, you have to configure these Administration Servers and the Administration Server with internet access once again.

See also:

Scenario: Fixing third-party software vulnerabilities in an isolated network

About fixing third-party software vulnerabilities in an isolated network

[Topic 230869]

Ignoring software vulnerabilities

You can choose to ignore software vulnerabilities so that they are not fixed. The reasons to ignore software vulnerabilities might be, for example, the following:

  • You do not consider the software vulnerability to be critical to your organization.
  • You know that fixing the software vulnerability can damage data related to the affected software.
  • You are sure that the software vulnerability is not dangerous for your organization's network because you use other measures to protect your managed devices.

You can ignore a software vulnerability on all managed devices or only on selected managed devices.

To ignore a software vulnerability on all managed devices:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.

    The workspace of the folder displays a list of vulnerabilities in applications detected on devices by the Network Agent installed on them.

  2. Select the vulnerability you want to ignore.
  3. Select Properties from the context menu of the vulnerability.

    The properties window of the vulnerability opens.

  4. In the General section, select the Ignore vulnerability option.
  5. Click OK.

    The software vulnerability properties window is closed.

The software vulnerability is ignored on all managed devices.

To ignore a software vulnerability on the selected managed device:

  1. Open the properties window of the selected managed device and select the Software vulnerabilities section.
  2. Select a software vulnerability.
  3. Ignore the selected vulnerability.

The software vulnerability is ignored on the selected device.

The ignored software vulnerability will not be fixed after the completion of the Fix vulnerabilities task or Install required updates and fix vulnerabilities task. You can exclude ignored software vulnerabilities from the list of vulnerabilities by using a filter.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 191582]

Selecting user fixes for vulnerabilities in third-party software

To use the Fix vulnerabilities task, you must manually specify the software updates to fix the vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for other third-party software. User fixes are software updates to fix vulnerabilities that the administrator manually specifies for installation.

To select user fixes for vulnerabilities in third-party software:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.

    The workspace of the folder displays a list of vulnerabilities in applications detected on devices by the Network Agent installed on them.

  2. Select the vulnerability for which you want to specify a user fix.
  3. Select Properties from the context menu of the vulnerability.

    The properties window of the vulnerability opens.

  4. In the User fixes and other fixes section, click the Add button.

    The list of available installation packages is displayed. The list of displayed installation packages corresponds to the Remote installation → Installation packages list. If you have not created an installation package containing a user fix for the selected vulnerability, you can create the package now by starting the New Package Wizard.

  5. Select an installation package (or packages) containing a user fix (or user fixes) for the vulnerability in third-party software.
  6. Click OK.

The installation packages containing user fixes for the software vulnerability are specified. When the Fix vulnerabilities task is started, the installation package will be installed, and the software vulnerability will be fixed.

See also:

About finding and fixing software vulnerabilities

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 191616]

Rules for update installation


When fixing vulnerabilities in applications, you must specify rules for update installation. These rules determine updates to install and vulnerabilities to fix.

The exact settings depend on whether you create a rule for updates of Microsoft applications, of third-party applications (applications made by software vendors other than Kaspersky and Microsoft), or of all applications. When creating a rule for Microsoft applications or third-party applications, you can select specific applications and application versions for which you want to install updates. When creating a rule for all applications, you can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing updates.

To create a new rule for updates of all applications:

  1. On the Settings page of the Add Task Wizard, click the Add button.

    The Rule Creation Wizard starts. Follow the steps of the Wizard.

  2. On the Rule type page, select Rule for all updates.
  3. On the General criteria page, use the drop-down lists to specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Updates page, select the updates to be installed:
    • Install all suitable updates

      Install all software updates that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

    • Install only updates from the list

      Install only software updates that you select manually from the list. This list contains all available software updates.

      For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.

      • Automatically install all previous application updates that are required to install the selected updates

        Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

        If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

        For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

        By default, this option is enabled.

  5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:
    • Fix all vulnerabilities that match other criteria

      Fix all vulnerabilities that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

    • Fix only vulnerabilities from the list

      Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.

      For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.

  6. On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.

To create a new rule for updates of Microsoft applications:

  1. On the Settings page of the Add Task Wizard, click the Add button.

    The Rule Creation Wizard starts. Follow the steps of the Wizard.

  2. On the Rule type page, select Rule for Windows Update.
  3. On the General criteria page, specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

    • Fix vulnerabilities with an MSRC severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
  5. On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.
  6. On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.

To create a new rule for updates of third-party applications:

  1. On the Settings page of the Add Task Wizard, click the Add button.

    The Rule Creation Wizard starts. Follow the steps of the Wizard.

  2. On the Rule type page, select Rule for third-party updates.
  3. On the General criteria page, specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
  5. On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.

See also:

Approving and declining software updates

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 172909]