Fixing vulnerabilities in applications

Expand all | Collapse all

If you have selected Find and install required updates on the Update management settings page of the Quick Start Wizard, the Install required updates and fix vulnerabilities task is created automatically. The task is displayed in the workspace of the Managed devices folder, on the Tasks tab.

Otherwise, you can do any of the following:

• Create a task for fixing vulnerabilities by installing available updates.
• Add a rule for fixing a vulnerability to an existing vulnerability fix task.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

Fixing vulnerabilities by creating a vulnerability fix task

You can do any of the following:

• Create a task for fixing multiple vulnerabilities that meet certain rules.
• Select a vulnerability and create a task for fixing it and similar vulnerabilities.

To fix vulnerabilities that meet certain rules:

1. In the console tree, select Administration Server on devices for which you want to fix vulnerabilities.
2. In the View menu of the main application window, select Configure interface.
3. In the window that opens, select the Display Vulnerability and Patch Management check box, and then click OK.
4. In the window with the application message, click OK.
5. Restart the Administration Console, so the changes take effect.
6. In the console tree, select the Managed devices folder.
7. In the workspace, select the Tasks tab.
8. Click the Create a task button to run the Add Task Wizard. Follow the steps of the Wizard.
9. On the Select the task type page of the Wizard, select the Install required updates and fix vulnerabilities task.

   If the task is not displayed, check whether your account has the Read, Modify, and Execute rights for the System management: Vulnerability and patch management functional area. You cannot create and configure the Install required updates and fix vulnerabilities task without these access rights.

10. On the Settings page of the Wizard, specify the task settings as follows:
    • Specify rules for installing updates

      These rules are applied to installation of updates on client devices. If rules are not specified, the task has nothing to perform. For information about operations with rules, refer to Rules for update installation.

    • Start installation at device restart or shutdown

      If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise, updates are installed according to a schedule.

      Use this option if installing the updates might affect the device performance.

      By default, this option is disabled.

    • Install required general system components

      If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates

      If this option is disabled, you may have to install the prerequisites manually.

      By default, this option is disabled.

    • Allow installation of new application versions during updates

      If this option is enabled, updates are allowed when they result in installation of a new version of a software application.

      If this option is disabled, the software is not upgraded. You can then install new versions of the software manually or through another task. For example, you may use this option if your company infrastructure is not supported by a new software version or if you want to check an upgrade in a test infrastructure.

      By default, this option is enabled.

      Upgrading an application may cause malfunction of dependent applications installed on client devices.

    • Download updates to the device without installing them

      If this option is enabled, the application downloads updates to the device but does not install them automatically. You can then Install downloaded updates manually.

      Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the folder specified in the Folder for downloading updates field.

      If this option is disabled, the updates are installed to the device automatically.

      By default, this option is disabled.

      • Folder for downloading updates

        This folder is used to download updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft).

    • Enable advanced diagnostics

      If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, you can download or delete them there.

      If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

      When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

      By default, this option is disabled.

      • Maximum size, in MB, of advanced diagnostics files

        The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

11. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

      • Repeat prompt every (min)

        If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

        By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

        If this option is disabled, the prompt is displayed only once.

      • Restart after (min)

        After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

        By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Force closure of applications in blocked sessions

      Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

      If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

      If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

      By default, this option is disabled.

12. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every six hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually

        The task does not run automatically. You can only start it manually.

        By default, this option is enabled.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected; the default start time is 6:00:00 PM.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is enabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

13. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
14. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

After the Wizard completes its operation, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

If the task results contain the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

To fix a specific vulnerability and similar ones:

1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
2. Select the vulnerability that you want to fix.
3. Click the Run Vulnerability Fix Wizard button.

   The Vulnerability Fix Wizard starts.

   The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management license.

   Follow the steps of the Wizard.

4. In the Search for existing vulnerability fix tasks window, specify the following parameters:
   • Show only tasks that fix this vulnerability

     If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected vulnerability.

     If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts you to create a rule or task for fixing the vulnerability.

     By default, this option is enabled.

   • Approve updates that fix this vulnerability

     Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules of update installation only allow the installation of approved updates.

     By default, this option is disabled.

5. If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

   Otherwise, click the New vulnerability fix task button.

6. Select the type of the vulnerability fix rule to be added to the new task, and then click the Finish button.
7. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

   The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

8. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
   • Do not restart the device

     Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

   • Restart the device

     Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

   • Prompt user for action

     The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

     By default, this option is selected.

     • Repeat prompt every (min)

       If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

       By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

       If this option is disabled, the prompt is displayed only once.

     • Restart after (min)

       After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

       By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

   • Force closure of applications in blocked sessions

     Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

     If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

     If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

     By default, this option is disabled.

9. On the Select devices to which the task will be assigned page of the Wizard, select one of the following options:
   • Select networked devices detected by Administration Server

     The task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.

     For example, you may want to use this option in a task of installing Network Agent on unassigned devices.

   • Specify device addresses manually or import addresses from a list

     You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

     You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

   • Assign task to a device selection

     The task is assigned to devices included in a device selection. You can specify one of the existing selections.

     For example, you may want to use this option to run a task on devices with a specific operating system version.

   • Assign task to an administration group

     The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

     For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

10. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every six hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually

        The task does not run automatically. You can only start it manually.

        By default, this option is enabled.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected; the default start time is 6:00:00 PM.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is enabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

11. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
12. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

When the Wizard completes, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

Fixing a vulnerability by adding a rule to an existing vulnerability fix task

To fix a vulnerability by adding a rule to an existing vulnerability fix task:

1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
2. Select the vulnerability that you want to fix.
3. Click the Run Vulnerability Fix Wizard button.

   The Vulnerability Fix Wizard starts.

   The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management license.

   Follow the steps of the Wizard.

4. In the Search for existing vulnerability fix tasks window, specify the following parameters:
   • Show only tasks that fix this vulnerability

     If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected vulnerability.

     If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts you to create a rule or task for fixing the vulnerability.

     By default, this option is enabled.

   • Approve updates that fix this vulnerability

     Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules of update installation only allow the installation of approved updates.

     By default, this option is disabled.

5. If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

   Otherwise, click the Add vulnerability fix rule to existing task button.

6. Select the task to which you want to add a rule, and then click the Add rule button.

   Also, you can view properties of the existing tasks, start them manually, or create a new task.

7. Select the type of rule to be added to the selected task, and then click the Finish button.
8. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

A new rule for fixing the vulnerability is added to the existing Install required updates and fix vulnerabilities task.

See also: Scenario: Updating third-party software Scenario: Finding and fixing third-party software vulnerabilities

Page top