Adding rules for update installation

Expand all | Collapse all

This feature is only available under the Vulnerability and patch management license.

When installing software updates or fixing software vulnerabilities by using the Install required updates and fix vulnerabilities task, you must specify rules for the update installation. These rules determine the updates to install and the vulnerabilities to fix.

The exact settings depend on whether you add a rule for all updates, for updates from Windows Update, or for updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft). When adding a rule for updates from Windows Update or updates of third-party applications, you can select specific applications and application versions for which you want to install updates. When adding a rule for all updates, you can select the specific updates you want to install and the vulnerabilities you want to fix by installing updates.

You can add a rule for update installation in the following ways:

• By adding a rule while creating a new Install required updates and fix vulnerabilities task.
• By adding a rule on the Application settings tab in the task properties window of an existing Install required updates and fix vulnerabilities task.
• Through the Update installation wizard or the Vulnerability fix wizard.

Adding rules for all updates

To add a new rule for all updates:

1. Click the Add button.

   The Rule creation wizard starts. Proceed through the wizard by using the Next button.

2. At the Select rule type step of the wizard, select Rule for all updates.
3. At the General criteria step of the wizard, specify the following settings:
   • Set of updates to be installed

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

   Go to the next step of the wizard.

4. Select the updates to be installed:
   • Install all suitable updates

     Install all software updates that meet the criteria specified at the General criteria step of the wizard. Selected by default.

   • Install only updates from the list

     Install only software updates that you select manually from the list. This list contains all available software updates.

     For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.

     • Automatically install all previous application updates that are required to install the selected updates

       Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

       If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

       For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

       By default, this option is enabled.

   Go to the next step of the wizard.

5. Select the vulnerabilities that will be fixed by installing the selected updates:
   • Fix all vulnerabilities that match other criteria

     Fix all vulnerabilities that meet the criteria specified at the General criteria step of the wizard. Selected by default.

   • Fix only vulnerabilities from the list

     Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.

     For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.

   Go to the next step of the wizard.

6. Specify the name of the rule that you are adding. You can later change this name on the Application settings tab in the task properties window of the created task.

The new rule is created, configured, and displayed in the table of rules of the New task wizard.

Adding rules for updates from Windows Update

To add a new rule for updates from Windows Update:

1. Click the Add button.

   The Rule creation wizard starts. Proceed through the wizard by using the Next button.

2. Select Rule for Windows Update.

   Go to the next step of the wizard.

3. At the General criteria step of the wizard, specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

   • Fix vulnerabilities with an MSRC severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
5. On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.
6. On the Name page, specify the name for the rule that you are adding. You can later change this name in the Settings section of the properties window of the created task.

After the Rule creation wizard completes its operation, the new rule is added and displayed in the rule list in the New task wizard or in the task properties.

Adding rules for updates of third-party applications

To add a new rule for updates of third-party applications:

1. Click the Add button.

   The Rule creation wizard starts. Proceed through the wizard by using the Next button.

2. At the Select rule type step of the wizard, select Rule for third-party updates.
3. At the General criteria step of the wizard, specify the following settings:
   • Set of updates to install

     Select the updates that must be installed on client devices:

     • Install approved updates only. This installs only approved updates.
     • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
     • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
   • Fix vulnerabilities with a severity level equal to or higher than

     Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

     If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

     If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

     By default, this option is disabled.

   Go to the next step of the wizard.

4. Select the applications and application versions for which you want to install updates.

   By default, all applications are selected.

   Go to the next step of the wizard.

5. Specify the name of the rule that you are adding. You can later change this name on the Application settings tab in the task properties window of the created task.

The new rule is created, configured, and displayed in the table of rules of the New task wizard.

See also: Scenario: Updating third-party software Scenario: Finding and fixing third-party software vulnerabilities

Page top