Third-party software updates

Kaspersky Security Center Cloud Console enables you to manage updates of third-party software installed on managed devices and fix vulnerabilities in Microsoft applications and other software makers' products through installation of required updates.

Kaspersky Security Center Cloud Console searches for updates through the Find vulnerabilities and required updates task. When this task is complete, Administration Server receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties. After viewing information about available updates, you can install them on devices.

Kaspersky Security Center Cloud Console updates some applications by removing the previous version of the application and installing the new one.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it is currently open.

For security reasons, any third-party software updates that you install by using the Vulnerability and patch management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file checks and include virus scanning, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and patch management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, nor do they perform other types of analysis of the updates other than those specified in the paragraph above.

Tasks for installation of third party software updates

When metadata of the third-party software updates is downloaded to the repository, you can install the updates on client devices by using the following tasks:

• The Install required updates and fix vulnerabilities task

  This task is used to install updates for Microsoft applications, including the updates provided by the Windows Update service, and updates of other vendors' software.

  When this task is complete, the updates are installed on the managed devices automatically. When metadata of new updates is downloaded to the Administration Server repository, Kaspersky Security Center Cloud Console checks whether the updates meet the criteria specified in the update rules. All new updates that meet the criteria will be downloaded and installed automatically at the next task run.

• The Install Windows Update updates task

  This task can be used to install Windows Update updates only.

  When this task is complete, only those updates that are specified in the task properties are installed. In future, if you want to install new updates, you must add the required updates to the list of updates in the existing task or create an Install Windows Update updates task.

The software update installation tasks have a number of limitations. These limitations depend on the license under which you are using Kaspersky Security Center Cloud Console and on the mode in which Kaspersky Security Center Cloud Console is working.

Scenario: Updating third-party software

This section provides a scenario for updating third-party software installed on the client devices. The third-party software includes applications from Microsoft and other software vendors. Updates for Microsoft applications are provided by the Windows Update service.

Stages

Updating third-party software proceeds in stages:

1. Searching for required updates

   To find the third-party software updates required for the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center Cloud Console receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

   The Find vulnerabilities and required updates task is created automatically by the Administration Server quick start wizard. If you did not run the wizard, create the task or run the quick start wizard now.

   How-to instructions:

   • Creating the Find vulnerabilities and required updates task
   • Find vulnerabilities and required updates task settings
2. Analyzing the list of found updates

   View the Software updates list and decide which updates you want to install. To view detailed information about each update, click the update name in the list. For each update in the list, you can view the statistics about the update installation on managed devices. For example, you can view the number of devices on which the selected update is not installed, will be installed, or on which the update installation has failed.

   How-to instructions: Viewing information about available third-party software updates

3. Configuring installation of updates

   When Kaspersky Security Center Cloud Console received the list of the third-party software updates, you can install them on client devices by using the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. Create one of these tasks. You can create these tasks on the Tasks tab or by using the Software updates list.

   The Install required updates and fix vulnerabilities task is used to install updates for Microsoft applications, including the updates provided by the Windows Update service, and updates of other vendors' software.

   The Install Windows Update updates task can be used to install Windows Update updates only.

   The software update installation tasks have a number of limitations. These limitations depend on the license under which you are using Kaspersky Security Center Cloud Console and on the mode in which Kaspersky Security Center Cloud Console is working.

   To install some software updates you must accept the End User License Agreement (EULA) for the installation software. If you decline the EULA, the software update will not be installed.

   How-to instructions:

   • Creating the Install required updates and fix vulnerabilities task
   • Creating the Install Windows Update updates task
   • Viewing information about available third-party software updates
4. Scheduling the tasks

   To be sure that the update list is always up-to-date, schedule the Find vulnerabilities and required updates task to run the task automatically from time to time. The default frequency is once a week.

   If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Install Windows Update updates task, note that for this task you must define the list of updates every time before starting this task.

   When scheduling the tasks, make sure that a task to fix vulnerability starts after the Find vulnerabilities and required updates task is complete.

   How-to instructions: General task settings

5. Approving and declining software updates (optional)

   If you have created the Install required updates and fix vulnerabilities task, you can specify rules for update installation in the task properties. If you have created the Install Windows Update updates task, skip this step.

   For each rule, you can define the updates to install depending on the update status: Undefined, Approved or Declined. For example, you may want to create a specific task for servers and set a rule for this task to allow installation of only Windows Update updates and only those ones that have Approved status. After that you manually set the Approved status for those updates that you want to install. In this case the Windows Update updates that have the Undefined or Declined status will not be installed on the servers that you specified in the task.

   By default, the downloaded software updates have the Undefined status. You can change the status to Approved or Declined in the Software updates list (Operations → Patch management → Software updates).

   How-to instructions: Approving and declining third-party software updates

6. Running an update installation task

   Start the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. When you start these tasks, updates are downloaded and installed on managed devices. After the task is complete, make sure that it has the Completed successfully status in the task list.

   How-to instructions: Starting a task manually

7. Create the report on results of update installation of third-party software (optional)

   To make sure that the task is created and the updates are installed, create the Report on results of installation of third-party software updates and view detailed statistics on the update installation in this report.

   How-to instructions: Generating and viewing a report

Installing third-party software updates

Expand all | Collapse all

You can install third-party software updates on managed devices by creating and running one of the following tasks:

• Install required updates and fix vulnerabilities

  You can use this task to install both Windows Update updates provided by Microsoft and updates of other vendors' software.

• Install Windows Update updates

  You can use this task to install Windows Update updates only.

The software update installation tasks have a number of limitations. These limitations depend on the license under which you are using Kaspersky Security Center Cloud Console and on the mode in which Kaspersky Security Center Cloud Console is working.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it is currently open.

As an option, you can create a task to install the required updates in the following ways:

• By opening the update list and specifying which updates to install.

  As a result, a new task to install the selected updates is created. As an option, you can add the selected updates to an existing task.

• By running the Update installation wizard.

  The availability of the Update installation wizard depends on the Kaspersky Security Center Cloud Console mode and your current license.

  The wizard simplifies creation and configuration of an update installation task, and enables you to eliminate the creation of redundant tasks that contain the same updates to install.

Installing third-party software updates by using the update list

To install third-party software updates by using the list of updates:

1. Open one of the lists of updates:
   • To open the general update list, in the main menu, go to Operations → Patch management → Software updates.
   • To open the update list for a managed device, in the main menu, go to Assets (Devices) → Managed devices → <device name> → Advanced → Available updates.
   • To open the update list for a specific application, in the main menu, go to Operations → Third-party applications → Applications registry → <application name> → Available updates.

   A list of available updates appears.

2. Select the check boxes next to the updates that you want to install.
3. Click the Install updates button.

   To install some software updates, you must accept the End User License Agreement (EULA). If you decline the EULA, the software update will not be installed.

4. Select one of the following options:
   • New task

     The New task wizard starts. The Install required updates and fix vulnerabilities task or the Install Windows Update updates task is preselected, depending on the Kaspersky Security Center Cloud Console mode and your current license. Follow the steps of the wizard to complete the task creation.

   • Install update (add rule to specified task)

     Select a task to which you want to add the selected updates. Select an Install required updates and fix vulnerabilities task or an Install Windows Update updates task. If you select an Install required updates and fix vulnerabilities task, a new rule to install the selected updates will be automatically added to the selected task. If you select an Install Windows Update updates task, the selected updates will be added to the task properties.

     The task properties window opens. Click the Save button to save the changes.

If you have chosen to create a task, the task is created and displayed in the task list at Assets (Devices) → Tasks. If you have chosen to add the updates to an existing task, the updates are saved in the task properties.

To install third-party software updates, start the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. You can start any of these tasks manually or specify schedule settings in the properties of the task that you start. When specifying the task schedule, make sure that the update installation task starts after the Find vulnerabilities and required updates task is complete.

Installing third-party software updates by using the Update installation wizard

The availability of this feature depends on the Kaspersky Security Center Cloud Console mode and your current license.

To create a task to install third-party software updates by using the Update installation wizard:

1. In the main menu, go to Operations → Patch management → Software updates.

   A list of available updates appears.

2. Select the check box next to the update that you want to install.
3. Click the Run Update installation wizard button.

   The Update installation wizard starts. The Select the update installation task page displays the list of all existing tasks of the following types:

   • Install required updates and fix vulnerabilities
   • Install Windows Update updates
   • Fix vulnerabilities

   You cannot modify the tasks of the last two types to install new updates. To install new updates, you can only use the Install required updates and fix vulnerabilities tasks.

4. If you want the wizard to display only those tasks that install the update that you selected, then enable the Show only tasks that install this update option.
5. Choose what you want to do:
   • To start a task, select the check box next to the task name, and then click the Start button.
   • To add a new rule to an existing task:
     1. Select the check box next to the task name, and then click the Add rule button.
     2. On the page that opens, configure the new rule:
        • Installation rule for updates of this importance level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Installation rule for updates of this importance level according to MSRC (available only for Windows Update updates)

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled (available only for Windows Update updates), the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Installation rule for updates by this vendor (available only for updates of third-party applications)

          This option is available only for updates of third-party applications. Kaspersky Security Center Cloud Console installs only those updates that relate to the applications made by the same vendor as the selected update. Declined updates and updates to the applications made by other vendors are not installed.

          By default, this option is disabled.

        • Installation rule for updates of the type
        • Installation rule for the selected update
        • Approve selected updates

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

        • Automatically install all previous application updates that are required to install the selected updates

          Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

          If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

          For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

          By default, this option is enabled.

     3. Click the Add button.
   • To create a task:
     1. Click the New task button.
     2. On the page that opens, configure the new rule:
        • Installation rule for updates of this importance level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Installation rule for updates of this importance level according to MSRC (available only for Windows Update updates)

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled (available only for Windows Update updates), the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Installation rule for updates by this vendor (available only for updates of third-party applications)

          This option is available only for updates of third-party applications. Kaspersky Security Center Cloud Console installs only those updates that relate to the applications made by the same vendor as the selected update. Declined updates and updates to the applications made by other vendors are not installed.

          By default, this option is disabled.

        • Installation rule for updates of the type
        • Installation rule for the selected update
        • Approve selected updates

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

        • Automatically install all previous application updates that are required to install the selected updates

          Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

          If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

          For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

          By default, this option is enabled.

     3. Click the Add button.

If you have chosen to start a task, you can close the wizard. The task will complete in background mode. No further actions are required.

If you have chosen to add a rule to an existing task, the task properties window opens. The new rule is already added to the task properties. You can view or modify the rule or other task settings. Click the Save button to save the changes.

If you have chosen to create a task, you continue to create the task in the New task wizard. The new rule that you added in the Update installation wizard is displayed in the New task wizard. When you complete the New task wizard, the Install required updates and fix vulnerabilities task is added to the task list.

Creating the Find vulnerabilities and required updates task

Expand all | Collapse all

Through the Find vulnerabilities and required updates task, Kaspersky Security Center Cloud Console receives the lists of detected vulnerabilities and required updates for the third-party software installed on the managed devices.

The Find vulnerabilities and required updates task is created automatically when the quick start wizard is running. If you did not run the wizard, you can create the task manually.

To create the Find vulnerabilities and required updates task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Follow the steps of the wizard.

3. For the Kaspersky Security Center Cloud Console application, select the Find vulnerabilities and required updates task type.
4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
5. Select devices to which the task will be assigned.
6. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
7. Click the Create button.

   The task is created and displayed in the list of tasks.

8. Click the name of the created task to open the task properties window.
9. In the task properties window, specify the general task settings.
10. On the Application settings tab, specify the following settings:
    • Search for vulnerabilities and updates listed by Microsoft

      When searching for vulnerabilities and updates, Kaspersky Security Center Cloud Console uses the information about applicable Microsoft updates from the source of Microsoft updates, which are available at the present moment.

      For example, you may want to disable this option if you have different tasks with different settings for Microsoft updates and updates of third-party applications.

      By default, this option is enabled.

      Information about optional Microsoft Windows updates is not being sent to the Administration Server.

    • Connect to the update server to update data

      Windows Update Agent on a managed device connects to the source of Microsoft updates. The following servers can act as a source of Microsoft updates:

      • Kaspersky Security Center Cloud Console Administration Server (see the settings of Network Agent policy)
      • Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network
      • Microsoft Updates servers

      If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft updates to refresh the information about applicable Microsoft Windows updates.

      If this option is disabled, Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier.

      Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable this option if you set regular connection to this source of updates in another task or in the properties of Network Agent policy, in the section Software updates and vulnerabilities. If you do not want to disable this option, then, to reduce the Server overload, you can configure the task schedule to randomize delay for task starts within 360 minutes.

      By default, this option is enabled.

      Combination of the following options of the settings of Network Agent policy defines the mode of getting updates:

      • Windows Update Agent on a managed device connects to the Update Server to get updates only if the Connect to the update server to update data option is enabled in the properties of the Find vulnerabilities and required updates task and the Windows Update search mode option is set to Active in the settings of Network Agent policy.
      • If you do not need Network Agent to initiate a connection to the Microsoft Windows update source and download updates when performing the Vulnerability scan task, you can set the Windows Update search mode option to Passive, while the Connect to the update server to update data option must remain enabled. This allows for you to save resources and use previously received Windows updates to scan for vulnerabilities. You can use the passive mode if you configure receiving Microsoft Windows updates in a different way. If receiving Microsoft Windows updates is not configured in another way, do not set the Windows Update search mode option to Passive, because in this case, information about updates will never be received.
      • Irrespective of the Connect to the update server to update data option's status (enabled or disabled), if the Windows Update search mode option is set to Disabled, Kaspersky Security Center Cloud Console does not request any information about updates.
    • Search for third-party vulnerabilities and updates listed by Kaspersky

      If this option is enabled, Kaspersky Security Center Cloud Console searches for vulnerabilities and required updates for third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in Windows Registry and in the folders specified under Specify paths for advanced search of applications in file system. The full list of supported third-party applications is managed by Kaspersky.

      If this option is disabled, Kaspersky Security Center Cloud Console does not search for vulnerabilities and required updates for third-party applications. For example, you may want to disable this option if you have different tasks with different settings for Microsoft Windows updates and updates of third-party applications.

      By default, this option is enabled.

    • Specify paths for advanced search of applications across the file system

      The folders in which Kaspersky Security Center Cloud Console searches for third-party applications that require vulnerability fix and update installation. You can use system variables.

      Specify the folders to which applications are installed. By default, the list is empty.

    • Enable advanced diagnostics

      If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Cloud Console Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, you can download or delete them there.

      If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Cloud Console Remote Diagnostics Utility. No additional traces are written.

      When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

      By default, this option is disabled.

    • Maximum size, in MB, of advanced diagnostics files

      The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

11. Click the Save button.

The task is created and configured.

If the task results contain a warning of the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

Find vulnerabilities and required updates task settings

Expand all | Collapse all

The Find vulnerabilities and required updates task is created automatically when the quick start wizard is running. If you did not run the wizard, you can create the task manually.

In addition to the general task settings, you can specify the following settings when creating the Find vulnerabilities and required updates task or later, when configuring the properties of the created task:

• Search for vulnerabilities and updates listed by Microsoft

  When searching for vulnerabilities and updates, Kaspersky Security Center Cloud Console uses the information about applicable Microsoft updates from the source of Microsoft updates, which are available at the present moment.

  For example, you may want to disable this option if you have different tasks with different settings for Microsoft updates and updates of third-party applications.

  By default, this option is enabled.

  Information about optional Microsoft Windows updates is not being sent to the Administration Server.

• Connect to the update server to update data

  Windows Update Agent on a managed device connects to the source of Microsoft updates. The following servers can act as a source of Microsoft updates:

  • Kaspersky Security Center Cloud Console Administration Server (see the settings of Network Agent policy)
  • Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network
  • Microsoft Updates servers

  If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft updates to refresh the information about applicable Microsoft Windows updates.

  If this option is disabled, Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier.

  Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable this option if you set regular connection to this source of updates in another task or in the properties of Network Agent policy, in the section Software updates and vulnerabilities. If you do not want to disable this option, then, to reduce the Server overload, you can configure the task schedule to randomize delay for task starts within 360 minutes.

  By default, this option is enabled.

  Combination of the following options of the settings of Network Agent policy defines the mode of getting updates:

  • Windows Update Agent on a managed device connects to the Update Server to get updates only if the Connect to the update server to update data option is enabled in the properties of the Find vulnerabilities and required updates task and the Windows Update search mode option is set to Active in the settings of Network Agent policy.
  • If you do not need Network Agent to initiate a connection to the Microsoft Windows update source and download updates when performing the Vulnerability scan task, you can set the Windows Update search mode option to Passive, while the Connect to the update server to update data option must remain enabled. This allows for you to save resources and use previously received Windows updates to scan for vulnerabilities. You can use the passive mode if you configure receiving Microsoft Windows updates in a different way. If receiving Microsoft Windows updates is not configured in another way, do not set the Windows Update search mode option to Passive, because in this case, information about updates will never be received.
  • Irrespective of the Connect to the update server to update data option's status (enabled or disabled), if the Windows Update search mode option is set to Disabled, Kaspersky Security Center Cloud Console does not request any information about updates.
• Search for third-party vulnerabilities and updates listed by Kaspersky

  If this option is enabled, Kaspersky Security Center Cloud Console searches for vulnerabilities and required updates for third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in Windows Registry and in the folders specified under Specify paths for advanced search of applications in file system. The full list of supported third-party applications is managed by Kaspersky.

  If this option is disabled, Kaspersky Security Center Cloud Console does not search for vulnerabilities and required updates for third-party applications. For example, you may want to disable this option if you have different tasks with different settings for Microsoft Windows updates and updates of third-party applications.

  By default, this option is enabled.

• Specify paths for advanced search of applications across the file system

  The folders in which Kaspersky Security Center Cloud Console searches for third-party applications that require vulnerability fix and update installation. You can use system variables.

  Specify the folders to which applications are installed. By default, the list is empty.

• Enable advanced diagnostics

  If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Cloud Console Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, you can download or delete them there.

  If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Cloud Console Remote Diagnostics Utility. No additional traces are written.

  When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

  By default, this option is disabled.

• Maximum size, in MB, of advanced diagnostics files

  The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

Recommendations on the task schedule

When scheduling the Find vulnerabilities and required updates task, make sure that two options—Run missed tasks and Use automatically randomized delay for task starts—are enabled.

By default, the Find vulnerabilities and required updates task is set to start manually. If the organization's workplace rules provide for shutting down all devices at this time, the Find vulnerabilities and required updates task will run after the devices are turned on again, that is, in the morning of the next day. Such activity may be undesirable because a vulnerability scan may increase the load on CPUs and disk subsystems. You must set up the most convenient schedule for the task based on the workplace rules adopted in the organization.

Creating the Install required updates and fix vulnerabilities task

Expand all | Collapse all

The availability of the Install required updates and fix vulnerabilities task depends on the Kaspersky Security Center Cloud Console mode and your current license.

The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task enables you to install multiple updates and fix multiple vulnerabilities according to certain rules.

To install updates or fix vulnerabilities by using the Install required updates and fix vulnerabilities task, you can do one of the following:

• Run the Update installation wizard or the Vulnerability fix wizard.
• Create an Install required updates and fix vulnerabilities task.
• Add a rule for update installation to an existing Install required updates and fix vulnerabilities task.

The software update installation tasks have a number of limitations. These limitations depend on the license under which you are using Kaspersky Security Center Cloud Console and on the mode in which Kaspersky Security Center Cloud Console is working.

To create the Install required updates and fix vulnerabilities task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Follow the steps of the wizard.

3. For the Kaspersky Security Center Cloud Console application, select the Install required updates and fix vulnerabilities task type.
4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
5. Select devices to which the task will be assigned.
6. Specify the rules for update installation, and then specify the following settings:
   • Start installation at device restart or shutdown

     If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise, updates are installed according to a schedule.

     Use this option if installing the updates might affect the device performance.

     By default, this option is disabled.

   • Install the required general system components

     If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates.

     If this option is disabled, you may have to install the prerequisites manually.

     By default, this option is disabled.

   • Allow installation of new application versions during updates

     If this option is enabled, updates are allowed when they result in installation of a new version of a software application.

     If this option is disabled, the software is not upgraded. You can then install new versions of the software manually or through another task. For example, you may use this option if your company infrastructure is not supported by a new software version or if you want to check an upgrade in a test infrastructure.

     By default, this option is enabled.

     Upgrading an application may cause malfunction of dependent applications installed on client devices.

   • Download updates to the device without installing them

     If this option is enabled, the application downloads updates to the device but does not install them automatically. You can then Install downloaded updates manually.

     Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the folder specified in the Download updates to field.

     If this option is disabled, the updates are installed to the device automatically.

     By default, this option is disabled.

   • Download updates to

     This folder is used to download updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft).

   • Enable advanced diagnostics

     If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Cloud Console Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, you can download or delete them there.

     If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Cloud Console Remote Diagnostics Utility. No additional traces are written.

     When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

     By default, this option is disabled.

   • Maximum size, in MB, of advanced diagnostics files

     The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

7. Specify operating system restart settings:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

   • Repeat prompt every (min)

     If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

     By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

     If this option is disabled, the prompt is displayed only once.

   • Restart after (min)

     After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

     By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Wait time before forced closure of applications in blocked sessions (min)

     Applications are forced to close when the user's device goes locked (automatically after a specified interval of inactivity, or manually).

     If this option is enabled, applications are forced to close on the locked device upon expiration of the time interval specified in the entry field.

     If this option is disabled, applications do not close on the locked device.

     By default, this option is disabled.

8. If on the Finish task creation page you enable the Open task details when creation is complete option, you can modify the default task settings. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
9. Click the Finish button.

   The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.
11. In the task properties window, specify the general task settings according to your needs.
12. Click the Save button.

    The task is created and configured.

If the task results contain a warning of the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

Adding rules for update installation

Expand all | Collapse all

The availability of this feature depends on the Kaspersky Security Center Cloud Console mode and your current license.

When installing software updates or fixing software vulnerabilities by using the Install required updates and fix vulnerabilities task, you must specify rules for the update installation. These rules determine the updates to install and the vulnerabilities to fix.

The exact settings depend on whether you add a rule for all updates, for Windows Update updates, or for updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft). When adding a rule for Windows Update updates or updates of third-party applications, you can select specific applications and application versions for which you want to install updates. When adding a rule for all updates, you can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing updates.

You can add a rule for update installation in the following ways:

• By adding a rule while creating a new Install required updates and fix vulnerabilities task.
• By adding a rule on the Application Settings tab in the properties window of an existing Install required updates and fix vulnerabilities task.
• Through the Update installation wizard or the Vulnerability fix wizard.

To add a new rule for all updates:

1. Click the Add button.

   The Rule creation wizard starts. Proceed through the wizard by using the Next button.

2. On the Rule type page, select Rule for all updates.
3. On the General criteria page, use the drop-down lists to specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Updates page, select the updates to be installed:
   • Install all suitable updates

     Install all software updates that meet the criteria specified on the General criteria page of the wizard. Selected by default.

   • Install only updates from the list

     Install only software updates that you select manually from the list. This list contains all available software updates.

     For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.

   • Automatically install all previous application updates that are required to install the selected updates

     Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

     If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

     For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

     By default, this option is enabled.

5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:
   • Fix all vulnerabilities that match other criteria

     Fix all vulnerabilities that meet the criteria specified on the General criteria page of the wizard. Selected by default.

   • Fix only vulnerabilities from the list

     Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.

     For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.

6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule creation wizard completes its operation, the new rule is added and displayed in the rule list in the New task wizard or in the task properties.

To add a new rule for Windows Update updates:

1. Click the Add button.

   The Rule creation wizard starts. Proceed through the wizard by using the Next button.

2. On the Rule type page, select Rule for Windows Update.
3. On the General criteria page, specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

   • Fix vulnerabilities with an MSRC severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
5. On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.
6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule creation wizard completes its operation, the new rule is added and displayed in the rule list in the New task wizard or in the task properties.

To add a new rule for updates of third-party applications:

1. Click the Add button.

   The Rule creation wizard starts. Proceed through the wizard by using the Next button.

2. On the Rule type page, select Rule for third-party updates.
3. On the General criteria page, specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
5. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule creation wizard completes its operation, the new rule is added and displayed in the rule list in the New task wizard or in the task properties.

Creating the Install Windows Update updates task

Expand all | Collapse all

The Install Windows Update updates task enables you to install software updates provided by the Windows Update service on client devices.

The software update installation tasks have a number of limitations. These limitations depend on the license under which you are using Kaspersky Security Center Cloud Console and on the mode in which Kaspersky Security Center Cloud Console is working.

To create the Install Windows Update updates task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Proceed through the wizard by using the Next button.

3. For the Kaspersky Security Center Cloud Console application, select the Install Windows Update updates task type.
4. Specify the name for the task that you are creating.

   A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.
6. Click the Add button.

   The list of updates opens.

7. Select the Windows Update updates that you want to install, and then click OK.
8. Specify the operating system restart settings:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

   • Repeat prompt every (min)

     If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

     By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

     If this option is disabled, the prompt is displayed only once.

   • Restart after (min)

     After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

     By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Force closure of applications in blocked sessions

     Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

     If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

     If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

     By default, this option is disabled.

9. Specify the account settings:
   • Default account

     The task will be run under the same account as the application that performs this task.

     By default, this option is selected.

   • Specify account

     Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

   • Account

     Account under which the task is run.

   • Password

     Password of the account under which the task will be run.

10. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
11. Click the Finish button.

    The task is created and displayed in the list of tasks.

12. Click the name of the created task to open the task properties window.
13. In the task properties window, specify the general task settings according to your needs.
14. Click the Save button.

The task is created and configured.

Viewing information about available third-party software updates

Expand all | Collapse all

You can view the list of available updates for third-party software, including Microsoft software, installed on client devices.

To view a list of available updates for third-party applications installed on client devices,

In the main menu, go to Operations → Patch management → Software updates.

A list of available updates appears.

You can specify a filter to view the list of software updates. Click the Filter icon () in the upper right corner of the software updates list to manage the filter. You can also select one of preset filters from the Preset filters drop-down list above the software vulnerabilities list.

To view the properties of an update:

1. Click the name of the required software update.
2. The properties window of the update opens, displaying information grouped on the following tabs:
   • General

     This tab displays general details of the selected update:

     • Update approval status (can be changed manually by selecting a new status in the drop-down list)
     • Windows Server Update Services (WSUS) category to which the update belongs
     • Date and time the update was registered
     • Date and time the update was created
     • Importance level of the update
     • Installation requirements imposed by the update
     • Application family to which the update belong
     • Application to which the update applies
     • Number of the update revision
   • Attributes

     This tab displays a set of attributes that you can use to obtain more information about the selected update. This set differs depending on whether the update is published by Microsoft or by a third-party vendor.

     The tab displays the following information for a Microsoft update:

     • Importance level of the update according to the Microsoft Security Response Center (MSRC)
     • Link to the article in the Microsoft Knowledge Base describing the update
     • Link to the article in the Microsoft Security Bulletin describing the update
     • Update identifier (ID)

     The tab displays the following information for a third-party update:

     • Whether the update is a patch or a full distribution package
     • Localization language of the update
     • Whether the update is installed automatically or manually
     • Whether the update was revoked after being applied
     • Link for downloading the update
   • Devices

     This tab displays a list of devices on which the selected update has been installed.

   • Fixed vulnerabilities

     This tab displays a list of vulnerabilities that the selected update can fix.

   • Crossover of updates

     This tab displays possible crossovers between various updates published for the same application, that is, whether the selected update can supersede other updates or, vice versa, be superseded by other updates (available for Microsoft updates only).

   • Tasks to install this update

     This tab displays a list of tasks whose scope includes installation of the selected update. The tab also enables you to create a new remote installation task for the update.

To view the statistics of an update installation:

1. Select the check box next to the required software update.
2. Click the Statistics of update installation statuses button.

The diagram of the update installation statuses is displayed. Clicking a status opens a list of devices on which the update has the selected status.

You can view information about available software updates for third-party software, including Microsoft software, installed on the selected managed device running Windows.

To view a list of available updates for third-party software installed on the selected managed device:

1. In the main menu, go to Assets (Devices) → Managed devices.

   The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the device for which you want to view third-party software updates.

   The properties window of the selected device is displayed.

3. In the properties window of the selected device, select the Advanced tab.
4. In the left pane, select the Available updates section. If you want to view only installed updates, enable the Show installed updates option.

The list of available third-party software updates for the selected device is displayed.

Exporting the list of available software updates to a file

You can export the list of updates for third-party software, including Microsoft software, that is displayed at the moment to the CSV or TXT files. You can use these files, for example, to send them to your information security manager or to store them for purposes of statistics.

To export to a text file the list of available updates for third-party software installed on all managed devices:

1. In the main menu, go to Operations → Patch management → Software updates.

   The page displays a list of available updates for third-party software installed on all managed devices.

2. Click the Export to TXT or Export to CSV button, depending on the format you prefer for export.

The file containing the list of available updates for third-party software, including Microsoft software, is downloaded to the device that you use at the moment.

To export to a text file the list of available updates for third-party software installed on the selected managed device:

1. Open the list of available third-party software updates on the selected managed device.
2. Select the software updates you want to export.

   Skip this step if you want to export a complete list of software updates.

   If you want to export a complete list of software updates, only updates displaying on the current page will be exported.

   If you want to export only installed updates, select the Show installed updates check box.

3. Click the Export to TXT or Export to CSV button, depending on the format you prefer for export.

The file containing the list of updates for third-party software, including Microsoft software, installed on the selected managed device is downloaded to the device you are using at the moment.

Approving and declining third-party software updates

When you configure the Install required updates and fix vulnerabilities task, you can create a rule that requires a specific status of updates that are to be installed. For example, an update rule can allow installation of the following:

• Only approved updates
• Only approved and undefined updates
• All updates irrespective of the update statuses

You can approve updates that must be installed and decline updates that must not be installed.

The usage of the Approved status to manage update installation is efficient for a small amount of updates. To install multiple updates, use the rules that you can configure in the Install required updates and fix vulnerabilities task. We recommend that you set the Approved status for only those specific updates that do not meet the criteria specified in the rules. When you manually approve a large amount of updates, performance of Administration Server decreases and may lead to Administration Server overload.

To approve or decline one or several updates:

1. In the main menu, go to Operations → Patch management → Software updates.

   A list of available updates appears.

2. Select the updates that you want to approve or decline.
3. Click Approve to approve the selected updates or Decline to decline the selected updates.

   The default value is Undefined.

The selected updates have the statuses that you defined.

As an option, you can change the approval status in the properties of a specific update.

To approve or decline an update in its properties:

1. In the main menu, go to Operations → Patch management → Software updates.

   A list of available updates appears.

2. Click the name of the update that you want to approve or decline.

   The update properties window opens.

3. In the General section, select a status for the update by changing the Update approval status option. You can select the Approved, Declined, or Undefined status.
4. Click the Save button to save the changes.

The selected update has the status that you defined.

If you set Declined status for third-party software updates, these updates will not be installed on devices for which they were planned but have not yet been installed. Updates will remain on devices on which they were already installed. If you have to delete them, you can manually delete them locally.

Updating third-party applications automatically

Some third-party applications can be updated automatically. The application vendor defines whether or not the application supports the auto-update feature. If a third-party application installed on a managed device supports auto-update, you can specify the auto-update setting in the application properties. After you change the auto-update setting, Network Agents apply the new setting on each managed device on which the application is installed.

The auto-update setting is independent of the other objects and settings of the Vulnerability and patch management feature. For example, this setting does not depend on an update approval status or the update installation tasks, such as Install required updates and fix vulnerabilities, Install Windows Update updates, and Fix vulnerabilities.

To configure the auto-update setting for a third-party application:

1. In the main menu, go to Operations → Third-party applications → Applications registry.
2. Click the name of the application for which you want to change the auto-update setting.

   To simplify the search, you can filter the list by the Automatic Updates status column.

   The application properties window opens.

3. In the General section, select a value for the following setting:

   Automatic Updates status

   Select one of the following options:

   • Undefined

     The auto-update feature is disabled. Kaspersky Security Center Cloud Console installs third-party application updates by using the tasks: Install required updates and fix vulnerabilities, Install Windows Update updates, and Fix vulnerabilities.

   • Allowed

     After the vendor releases an update for the application, this update is installed on the managed devices automatically. No additional actions are required.

   • Blocked

     The application updates are not installed automatically. Kaspersky Security Center Cloud Console installs third-party application updates by using the tasks: Install required updates and fix vulnerabilities, Install Windows Update updates, and Fix vulnerabilities.

4. Click the Save button to save the changes.

The auto-update setting is applied to the selected application.