Finding and fixing software vulnerabilities

Kaspersky Security Center Cloud Console detects and fixes software

Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.

Finding software vulnerabilities

To find software vulnerabilities Kaspersky Security Center Cloud Console uses characteristics from the database of known vulnerabilities and Windows Update Database. The database of known vulnerabilities is created and maintained by Kaspersky specialists. It contains information about vulnerabilities, such as vulnerability description, vulnerability detect date, vulnerability severity level. You can find the details of software vulnerabilities on Kaspersky website.

Kaspersky Security Center Cloud Console uses the Find vulnerabilities and required updates task to find software vulnerabilities.

Fixing software vulnerabilities

To fix software vulnerabilities, Kaspersky Security Center Cloud Console uses software updates issued by the software vendors. You can view the list of software vulnerabilities at any time. The software updates metadata is downloaded to the Administration Server repository automatically and to the repositories of distribution points as a result of the Download updates to the repositories of distribution points task run. You can create this task by the Kaspersky Security Center Cloud Console quick start wizard or manually.

Software updates to fix vulnerabilities can be represented as full distribution packages or patches. Software updates that fix software vulnerabilities are named fixes. In Kaspersky Security Center Cloud Console, you fix vulnerabilities by using recommended fixes. Recommended fixes are software updates that are recommended for installation by Kaspersky specialists.

Depending on the Kaspersky Security Center Cloud Console mode and your current license, you can use Install required updates and fix vulnerabilities task or the Fix vulnerabilities task to fix software vulnerabilities.

The Install required updates and fix vulnerabilities task automatically fixes multiple vulnerabilities installing recommended fixes. For this task, you can manually configure certain rules to fix multiple vulnerabilities.

By means of the Fix vulnerabilities task, you can fix vulnerabilities by installing recommended fixes for Microsoft software.

For security reasons, any third-party software updates that you install by using the Vulnerability and patch management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file checks and include virus scanning, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and patch management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, nor do they perform other types of analysis of the updates other than those specified in the paragraph above.

The software update installation tasks have a number of limitations. These limitations depend on the license under which you are using Kaspersky Security Center Cloud Console and on the mode in which Kaspersky Security Center Cloud Console is working.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it is currently open.

To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the software if EULA acceptance is requested. If you decline EULA, the software vulnerability cannot be fixed.

The information about each fixed vulnerability is stored on the Administration Server for 90 days. After this time, it is automatically deleted.

Fixing software vulnerabilities

Expand all | Collapse all

After you obtain the software vulnerabilities list, you can fix software vulnerabilities on managed devices that are running Windows. You can fix software vulnerabilities in the operating system and in third-party software, including Microsoft software, by creating and running the Fix vulnerabilities task or the Install required updates and fix vulnerabilities task.

The software update installation tasks have a number of limitations. These limitations depend on the license under which you are using Kaspersky Security Center Cloud Console and on the mode in which Kaspersky Security Center Cloud Console is working.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it is currently open.

As an option, you can create a task to fix software vulnerabilities in the following ways:

• By opening the vulnerability list and specifying which vulnerabilities to fix.

  As a result, a new task to fix software vulnerabilities is created. As an option, you can add the selected vulnerabilities to an existing task.

• By running the Vulnerability fix wizard.

  The availability of this feature depends on the Kaspersky Security Center Cloud Console mode and your current license.

  The wizard simplifies creation and configuration of a vulnerability fix task and enables you to eliminate the creation of redundant tasks that contain the same updates to install.

Fixing software vulnerabilities by using the vulnerability list

To fix software vulnerabilities:

1. Open one of the lists of vulnerabilities:
   • To open the general vulnerability list, in the main menu, go to Operations → Patch management → Software vulnerabilities.
   • To open the vulnerability list for a managed device, in the main menu, go to Assets (Devices) → Managed devices → <device name> → Advanced → Software vulnerabilities.
   • To open the vulnerability list for a specific application, in the main menu, go to Operations → Third-party applications → Applications registry → <application name> → Vulnerabilities.

   A page with a list of vulnerabilities in the third-party software is displayed.

2. Select one or more vulnerabilities in the list, and then click the Fix vulnerability button.

   If a recommended software update to fix one of the selected vulnerabilities is absent, an informative message is displayed.

   To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the software if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

3. Select one of the following options:
   • New task

     The New task wizard starts. Depending on the Kaspersky Security Center Cloud Console mode and your current license, the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task is preselected. Follow the steps of the wizard to complete the task creation.

   • Fix vulnerability (add rule to specified task)

     Select a task to which you want to add the selected vulnerabilities. Depending on the Kaspersky Security Center Cloud Console mode and your current license, select an Install required updates and fix vulnerabilities task or a Fix vulnerabilities task. If you select an Install required updates and fix vulnerabilities task, a new rule to fix the selected vulnerabilities will be automatically added to the selected task. If you select a Fix vulnerabilities task, the selected vulnerabilities will be added to the task properties.

     The task properties window opens. Click the Save button to save the changes.

If you have chosen to create a task, the task is created and displayed in the task list at Assets (Devices) → Tasks. If you have chosen to add the vulnerabilities to an existing task, the vulnerabilities are saved in the task properties.

To fix the third-party software vulnerabilities, start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. If you have created the Fix vulnerabilities task, you must manually specify the software updates to fix the software vulnerabilities listed in the task settings.

Fixing software vulnerabilities by using the Vulnerability fix wizard

The availability of the Vulnerability fix wizard depends on the license that you use and the mode in which Kaspersky Security Center Cloud Console is working.

To fix software vulnerabilities by using the Vulnerability fix wizard:

1. In the main menu, go to Operations → Patch management → Software vulnerabilities.

   A page with a list of vulnerabilities in the third-party software installed on managed devices is displayed.

2. Select the check box next to the vulnerability that you want to fix.
3. Click the Run Vulnerability fix wizard button.

   The Vulnerability fix wizard starts. The Select the vulnerability fix task page displays the list of all existing tasks of the following types:

   • Install required updates and fix vulnerabilities
   • Install Windows Update updates
   • Fix vulnerabilities

   You cannot modify the last two types of tasks to install new updates. To install new updates, you can only use the Install required updates and fix vulnerabilities task.

4. If you want the wizard to display only those tasks that fix the vulnerability that you selected, then enable the Show only tasks that fix this vulnerability option.
5. Choose what you want to do:
   • To start a task, select the check box next to the task name, and then click the Start button.
   • To add a new rule to an existing task:
     1. Select the check box next to the task name, and then click the Add rule button.
     2. On the page that opens, configure the new rule:
        • Rule for fixing vulnerabilities of this severity level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Rule for fixing vulnerabilities by means of updates of the same type as the update defined as recommended for the selected vulnerability (available only for Microsoft software vulnerabilities)
        • Rule for fixing vulnerabilities in applications from the selected vendor (available only for third-party software vulnerabilities)
        • Rule for fixing a vulnerability in all versions of the selected application (available only for third-party software vulnerabilities)
        • Rule for fixing the selected vulnerability
        • Approve updates that fix this vulnerability

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

     3. Click the Add button.
   • To create a task:
     1. Click the New task button.
     2. On the page that opens, configure the new rule:
        • Rule for fixing vulnerabilities of this severity level

          Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

          If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the severity of the selected update (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

          If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

          By default, this option is disabled.

        • Rule for fixing vulnerabilities by using updates of the type (available only for Microsoft software vulnerabilities)
        • Rule for fixing vulnerabilities in applications from the selected vendor (available only for third-party software vulnerabilities)
        • Rule for fixing a vulnerability in all versions of the selected application (available only for third-party software vulnerabilities)
        • Rule for fixing the selected vulnerability
        • Approve updates that fix this vulnerability

          The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

          By default, this option is disabled.

     3. Click the Add button.

If you have chosen to start a task, you can close the wizard. The task will complete in background mode. No further actions are required.

If you have chosen to add a rule to an existing task, the task properties window opens. The new rule is already added to the task properties. You can view or modify the rule or other task settings. Click the Save button to save the changes.

If you have chosen to create a task, you continue to create the task in the New task wizard. The new rule that you added in the Vulnerability fix wizard is displayed in the New task wizard. When you complete the New task wizard, the Install required updates and fix vulnerabilities task is added to the task list.

Creating the Fix vulnerabilities task

Expand all | Collapse all

The Fix vulnerabilities task enables you fix vulnerabilities in Microsoft software on managed devices that are running Windows.

The availability of this feature depends on the Kaspersky Security Center Cloud Console mode and your current license. We recommend that you use the Install required updates and fix vulnerabilities task instead of the Fix vulnerabilities task. The Install required updates and fix vulnerabilities task enables you to install multiple updates and fix multiple vulnerabilities automatically, according to the rules that you define.

The software update installation tasks have a number of limitations. These limitations depend on the license under which you are using Kaspersky Security Center Cloud Console and on the mode in which Kaspersky Security Center Cloud Console is working.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it is currently open.

To create the Fix vulnerabilities task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Proceed through the wizard by using the Next button.

3. For the Kaspersky Security Center Cloud Console application, select the Fix vulnerabilities task type.
4. Specify the name for the task that you are creating.

   A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).

5. Select devices to which the task will be assigned.
6. Click the Add button.

   The list of vulnerabilities opens.

7. Select the vulnerabilities that you want to fix, and then click OK.
8. Specify the operating system restart settings:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

   • Repeat prompt every (min)

     If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

     By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

     If this option is disabled, the prompt is displayed only once.

   • Restart after (min)

     After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

     By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Force closure of applications in blocked sessions

     Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

     If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

     If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

     By default, this option is disabled.

9. Specify the account settings:
   • Default account

     The task will be run under the same account as the application that performs this task.

     By default, this option is selected.

   • Specify account

     Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

   • Account

     Account under which the task is run.

   • Password

     Password of the account under which the task will be run.

10. If on the Finish task creation page you enable the Open task details when creation is complete option, you can modify the default task settings. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
11. Click the Finish button.

    The task is created and displayed in the list of tasks.

12. Click the name of the created task to open the task properties window.
13. In the task properties window, specify the general task settings according to your needs.
14. Click the Save button.

The task is created and configured.

Creating the Install required updates and fix vulnerabilities task

Expand all | Collapse all

The availability of the Install required updates and fix vulnerabilities task depends on the Kaspersky Security Center Cloud Console mode and your current license.

The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task enables you to install multiple updates and fix multiple vulnerabilities according to certain rules.

To install updates or fix vulnerabilities by using the Install required updates and fix vulnerabilities task, you can do one of the following:

• Run the Update installation wizard or the Vulnerability fix wizard.
• Create an Install required updates and fix vulnerabilities task.
• Add a rule for update installation to an existing Install required updates and fix vulnerabilities task.

The software update installation tasks have a number of limitations. These limitations depend on the license under which you are using Kaspersky Security Center Cloud Console and on the mode in which Kaspersky Security Center Cloud Console is working.

To create the Install required updates and fix vulnerabilities task:

1. In the main menu, go to Assets (Devices) → Tasks.
2. Click Add.

   The New task wizard starts. Follow the steps of the wizard.

3. For the Kaspersky Security Center Cloud Console application, select the Install required updates and fix vulnerabilities task type.
4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
5. Select devices to which the task will be assigned.
6. Specify the rules for update installation, and then specify the following settings:
   • Start installation at device restart or shutdown

     If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise, updates are installed according to a schedule.

     Use this option if installing the updates might affect the device performance.

     By default, this option is disabled.

   • Install the required general system components

     If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates.

     If this option is disabled, you may have to install the prerequisites manually.

     By default, this option is disabled.

   • Allow installation of new application versions during updates

     If this option is enabled, updates are allowed when they result in installation of a new version of a software application.

     If this option is disabled, the software is not upgraded. You can then install new versions of the software manually or through another task. For example, you may use this option if your company infrastructure is not supported by a new software version or if you want to check an upgrade in a test infrastructure.

     By default, this option is enabled.

     Upgrading an application may cause malfunction of dependent applications installed on client devices.

   • Download updates to the device without installing them

     If this option is enabled, the application downloads updates to the device but does not install them automatically. You can then Install downloaded updates manually.

     Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the folder specified in the Download updates to field.

     If this option is disabled, the updates are installed to the device automatically.

     By default, this option is disabled.

   • Download updates to

     This folder is used to download updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft).

   • Enable advanced diagnostics

     If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Cloud Console Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, you can download or delete them there.

     If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Cloud Console Remote Diagnostics Utility. No additional traces are written.

     When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

     By default, this option is disabled.

   • Maximum size, in MB, of advanced diagnostics files

     The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

7. Specify operating system restart settings:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

   • Repeat prompt every (min)

     If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

     By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

     If this option is disabled, the prompt is displayed only once.

   • Restart after (min)

     After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

     By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Wait time before forced closure of applications in blocked sessions (min)

     Applications are forced to close when the user's device goes locked (automatically after a specified interval of inactivity, or manually).

     If this option is enabled, applications are forced to close on the locked device upon expiration of the time interval specified in the entry field.

     If this option is disabled, applications do not close on the locked device.

     By default, this option is disabled.

8. If on the Finish task creation page you enable the Open task details when creation is complete option, you can modify the default task settings. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
9. Click the Finish button.

   The task is created and displayed in the list of tasks.

10. Click the name of the created task to open the task properties window.
11. In the task properties window, specify the general task settings according to your needs.
12. Click the Save button.

    The task is created and configured.

If the task results contain a warning of the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

Adding rules for update installation

Expand all | Collapse all

The availability of this feature depends on the Kaspersky Security Center Cloud Console mode and your current license.

When installing software updates or fixing software vulnerabilities by using the Install required updates and fix vulnerabilities task, you must specify rules for the update installation. These rules determine the updates to install and the vulnerabilities to fix.

The exact settings depend on whether you add a rule for all updates, for Windows Update updates, or for updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft). When adding a rule for Windows Update updates or updates of third-party applications, you can select specific applications and application versions for which you want to install updates. When adding a rule for all updates, you can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing updates.

You can add a rule for update installation in the following ways:

• By adding a rule while creating a new Install required updates and fix vulnerabilities task.
• By adding a rule on the Application Settings tab in the properties window of an existing Install required updates and fix vulnerabilities task.
• Through the Update installation wizard or the Vulnerability fix wizard.

To add a new rule for all updates:

1. Click the Add button.

   The Rule creation wizard starts. Proceed through the wizard by using the Next button.

2. On the Rule type page, select Rule for all updates.
3. On the General criteria page, use the drop-down lists to specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Updates page, select the updates to be installed:
   • Install all suitable updates

     Install all software updates that meet the criteria specified on the General criteria page of the wizard. Selected by default.

   • Install only updates from the list

     Install only software updates that you select manually from the list. This list contains all available software updates.

     For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.

   • Automatically install all previous application updates that are required to install the selected updates

     Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

     If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

     For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

     By default, this option is enabled.

5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:
   • Fix all vulnerabilities that match other criteria

     Fix all vulnerabilities that meet the criteria specified on the General criteria page of the wizard. Selected by default.

   • Fix only vulnerabilities from the list

     Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.

     For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.

6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule creation wizard completes its operation, the new rule is added and displayed in the rule list in the New task wizard or in the task properties.

To add a new rule for Windows Update updates:

1. Click the Add button.

   The Rule creation wizard starts. Proceed through the wizard by using the Next button.

2. On the Rule type page, select Rule for Windows Update.
3. On the General criteria page, specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

   • Fix vulnerabilities with an MSRC severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
5. On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.
6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule creation wizard completes its operation, the new rule is added and displayed in the rule list in the New task wizard or in the task properties.

To add a new rule for updates of third-party applications:

1. Click the Add button.

   The Rule creation wizard starts. Proceed through the wizard by using the Next button.

2. On the Rule type page, select Rule for third-party updates.
3. On the General criteria page, specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
5. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule creation wizard completes its operation, the new rule is added and displayed in the rule list in the New task wizard or in the task properties.

Viewing information about software vulnerabilities detected on all managed devices

After you have scanned software on managed devices for vulnerabilities, you can view the list of software vulnerabilities detected on all managed devices. If you run the task for the hierarchy of Administration Servers, you can view the list of managed devices with detected vulnerabilities only for the selected Administration Server.

To view the list of software vulnerabilities detected on all managed devices,

In the main menu, go to Operations → Patch management → Software vulnerabilities.

The page displays the list of software vulnerabilities detected on client devices.

You can also generate and view a Report on vulnerabilities.

You can specify a filter to view the list of software vulnerabilities. Click the Filter icon () in the upper right corner of the software vulnerabilities list to manage the filter. You can also select one of preset filters from the Preset filters drop-down list above the software vulnerabilities list.

You can obtain detailed information about any vulnerability from the list.

To obtain information about a software vulnerability:

In the list of software vulnerabilities, click the link with the name of the vulnerability.

The properties window of the software vulnerability opens.

Viewing information about software vulnerabilities detected on the selected managed device

You can view information about software vulnerabilities detected on the selected managed device running Windows.

To view the list of software vulnerabilities detected on the selected managed device:

1. In the main menu, go to Assets (Devices) → Managed devices.

   The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the device for which you want to view detected software vulnerabilities.

   The properties window of the selected device is displayed.

3. In the properties window of the selected device, select the Advanced tab.
4. In the left pane, select the Software vulnerabilities section.

The list of software vulnerabilities detected on the selected managed device is displayed.

To view the properties of the selected software vulnerability,

Click the link with the name of the software vulnerability in the list of software vulnerabilities.

The properties window of the selected software vulnerability is displayed.

Viewing statistics of vulnerabilities on managed devices

You can view statistics for each software vulnerability on managed devices. Statistics are represented as a diagram. The diagram displays the number of devices with the following statuses:

• Ignored on: <number of devices>. This status is assigned if, in the vulnerability properties, you have manually set the option to ignore the vulnerability.
• Fixed on: <number of devices>. This status is assigned if the task to fix the vulnerability has successfully completed.
• Fix scheduled on: <number of devices>. This status is assigned if you have created the task to fix the vulnerability, but the task is not performed yet.
• Patch applied on: <number of devices>. This status is assigned if you have manually selected a software update to fix the vulnerability, but this software update has not fixed the vulnerability.
• Fix required on: <number of devices>. This status is assigned if the vulnerability was fixed only on some managed devices, and the vulnerability is required to be fixed on more managed devices.

To view the statistics of a vulnerability on managed devices:

1. In the main menu, go to Operations → Patch management → Software vulnerabilities.

   The page displays a list of vulnerabilities in applications detected on managed devices.

2. Select the check box next to the required vulnerability.
3. Click the Statistics of vulnerability on devices button.

A diagram of the vulnerability statuses is displayed. Clicking a status opens a list of devices on which the vulnerability has the selected status.

Exporting the list of software vulnerabilities to a file

You can export the displayed list of vulnerabilities to the CSV or TXT files. You can use these files, for example, to send them to your information security manager or to store them for purposes of statistics.

To export the list of software vulnerabilities detected on all managed devices to a text file:

1. In the main menu, go to Operations → Patch management → Software vulnerabilities.

   The page displays a list of vulnerabilities in applications detected on managed devices.

2. Click the Export to TXT or Export to CSV button, depending on the format you prefer for export.

The file containing the list of software vulnerabilities is downloaded to the device that you use at the moment.

To export the list of software vulnerabilities detected on selected managed device to a text file:

1. Open the list of software vulnerabilities detected on selected managed device.
2. Select the software vulnerabilities you want to export.

   Skip this step if you want to export a complete list of software vulnerabilities detected on the managed device.

   If you want to export complete list of software vulnerabilities detected on the managed device, only vulnerabilities displaying on the current page will be exported.

3. Click the Export to TXT or Export to CSV button, depending on the format you prefer for export.

The file containing the list of software vulnerabilities detected on the selected managed device is downloaded to the device you are using at the moment.

Ignoring software vulnerabilities

You can ignore software vulnerabilities to be fixed. The reasons to ignore software vulnerabilities might be, for example, the following:

• You do not consider the software vulnerability to be critical to your organization.
• You understand that the software vulnerability fix can damage data related to the software that required the vulnerability fix.
• You are sure that the software vulnerability is not dangerous for your organization's network because you use other measures to protect your managed devices.

You can ignore a software vulnerability on all managed devices or only on selected managed devices.

To ignore a software vulnerability on all managed devices:

1. In the main menu, go to Operations → Patch management → Software vulnerabilities.

   The page displays the list of software vulnerabilities detected on managed devices.

2. In the list of software vulnerabilities, click the link with the name of the software vulnerability you want to ignore.

   The software vulnerability properties window opens.

3. On the General tab, enable the Ignore vulnerability option.
4. Click the Save button.

   The software vulnerability properties window closes.

The software vulnerability is ignored on all managed devices.

To ignore a software vulnerability on the selected managed device:

1. In the main menu, go to Assets (Devices) → Managed devices.

   The list of managed devices is displayed.

2. In the list of managed devices, click the link with the name of the device on which you want to ignore a software vulnerability.

   The device properties window is opened.

3. In the device properties window, select the Advanced tab.
4. In the left pane, select the Software vulnerabilities section.

   The list of software vulnerabilities detected on the device is displayed.

5. In the list of software vulnerabilities, select the vulnerability you want to ignore on the selected device.

   The software vulnerability properties window opens.

6. In the software vulnerability properties window, on the General tab, enable the Ignore vulnerability option.
7. Click the Save button.

   The software vulnerability properties window closes.

8. Close the device properties window.

The software vulnerability is ignored on the selected device.

The ignored software vulnerability will not be fixed after the completion of the Fix vulnerabilities task or Install required updates and fix vulnerabilities task. You can exclude ignored software vulnerabilities from the list of vulnerabilities by using a filter.

Scenario: Finding and fixing software vulnerabilities

This section provides a scenario for finding and fixing vulnerabilities on the managed devices running Windows. You can find and fix software vulnerabilities in the operating system and in third-party software, including Microsoft software.

Prerequisites

• Kaspersky Security Center Cloud Console is deployed in your organization.
• There are managed devices running Windows in your organization.

Stages

Finding and fixing software vulnerabilities proceeds in stages:

1. Scanning for vulnerabilities in the software installed on the client devices

   To find vulnerabilities in the software installed on the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center Cloud Console receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

   The Find vulnerabilities and required updates task is created automatically by Kaspersky Security Center Cloud Console quick start wizard. If you did not run the wizard, start it now or create the task manually.

   How-to instructions: Creating the Find vulnerabilities and required updates task

2. Analyzing the list of detected software vulnerabilities

   View the Software vulnerabilities list and decide which vulnerabilities are to be fixed. To view detailed information about each vulnerability, click the vulnerability name in the list. For each vulnerability in the list, you can also view the statistics on the vulnerability on managed devices.

   How-to instructions:

   • Viewing information about software vulnerabilities
   • Viewing statistics of vulnerabilities on managed devices
3. Configuring vulnerabilities fix

   When the software vulnerabilities are detected, you can fix the software vulnerabilities on the managed devices by using the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task.

   The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task enables you to install multiple updates and fix multiple vulnerabilities according to certain rules. Availability of this task depends on the Kaspersky Security Center Cloud Console mode and your current license. To fix software vulnerabilities, the Install required updates and fix vulnerabilities task uses recommended software updates.

   The Fix vulnerabilities task uses recommended fixes for Microsoft software.

   You can start Vulnerability fix wizard that creates one of these tasks automatically, or you can create one of these tasks manually.

   How-to instructions: Fixing vulnerabilities in third-party software, Creating the Install required updates and fix vulnerabilities

4. Scheduling the tasks

   To be sure that the vulnerabilities list is always up-to-date, schedule the Find vulnerabilities and required updates task to run it automatically from time to time. The recommended average frequency is once a week.

   If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Fix vulnerabilities task, note that you have to select fixes for Microsoft software every time before starting the task.

   When scheduling the tasks, make sure that a task to fix vulnerability starts after the Find vulnerabilities and required updates task is complete.

5. Ignoring software vulnerabilities (optional)

   If you want, you can ignore software vulnerabilities to be fixed on all managed devices or only on the selected managed devices.

   How-to instructions: Ignoring software vulnerabilities

6. Running a vulnerability fix task

   Start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. After the task is complete, make sure that it has the Completed successfully status in the task list.

7. Create the report on results of fixing software vulnerabilities (optional)

   To view detailed statistics on the vulnerabilities fix, generate the Report on vulnerabilities. The report displays information about software vulnerabilities that are not fixed. Thus you can have an idea about finding and fixing vulnerabilities in third-party software, including Microsoft software, in your organization.

   How-to instructions: Generating and viewing a report

8. Checking configuration of finding and fixing vulnerabilities in third-party software

   Make sure of the following:

   • The list of software vulnerabilities on managed devices is not empty.
   • A task to fix vulnerabilities is in the task list.
   • The tasks to find and to fix software vulnerabilities are scheduled so that they start sequentially. View the properties of these tasks and compare their schedule.
   • The task to fix software vulnerabilities was successfully completed. View information on the Results tab of the task properties window.

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the vulnerabilities are fixed on the managed devices automatically. When the task is run, it correlates the list of available software updates to the rules specified in the task settings. All software updates that meet the criteria in the rules will be downloaded to the repositories of distribution points and will be installed to fix software vulnerabilities, except for Windows Updates. To install Windows Updates, you have to ensure the access to Microsoft Updates public servers on your managed devices.

If you have created the Fix vulnerabilities task, only software vulnerabilities in Microsoft software are fixed.