Creating the Find vulnerabilities and required updates task

Expand all | Collapse all

Through the Find vulnerabilities and required updates task, Kaspersky Security Center Linux receives lists of detected vulnerabilities and required updates for the third-party software installed on the managed devices.

You can create the Find vulnerabilities and required updates task only for Windows devices. You cannot create this task for devices running on other operating systems.

The Find vulnerabilities and required updates task is created automatically when the quick start wizard is running. If you did not run the wizard, you can create the task manually.

To create the Find vulnerabilities and required updates task:

1. In the main menu, go to Asset management → Tasks.
2. Click Add.

   The New task wizard starts. Proceed through the wizard by using the Next button.

3. For the Kaspersky Security Center application, select the Find vulnerabilities and required updates task type.
4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
5. Select the devices to which the task will be assigned.
6. Specify the methods to scan for vulnerabilities and applications that require updating:
   • Search for vulnerabilities and updates listed by Microsoft

     When searching for vulnerabilities and updates, Kaspersky Security Center Linux uses the information about applicable Microsoft updates from the source of Microsoft updates, which are available at the present moment.

     For example, you may want to disable this option if you have different tasks with different settings for Microsoft updates and updates of third-party applications.

     By default, this option is enabled.

     Information about optional Microsoft Windows updates is not being sent to the Administration Server.

     • Connect to the update server to update data

       Windows Update Agent on a managed device connects to the source of Microsoft updates. The following servers can act as a source of Microsoft updates:

       • Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network
       • Microsoft Updates servers

       If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft updates to refresh the information about applicable Microsoft Windows updates.

       If this option is disabled, Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier.

       Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable this option if you set regular connection to this source of updates in another task or in the properties of Network Agent policy, in the section Software updates and vulnerabilities. If you do not want to disable this option, then, to reduce the Server overload, you can configure the task schedule to randomize delay for task starts within 360 minutes.

       By default, this option is enabled.

       Combination of the following options of the settings of Network Agent policy defines the mode of getting updates:

       • Windows Update Agent on a managed device connects to the Update Server to get updates only if the Connect to the update server to update data option is enabled in the properties of the Find vulnerabilities and required updates task and the Windows Update search mode option is set to Active in the settings of Network Agent policy.
       • If you do not need Network Agent to initiate a connection to the Microsoft Windows update source and download updates when performing the Vulnerability scan task, you can set the Windows Update search mode option to Passive, while the Connect to the update server to update data option must remain enabled. This allows for you to save resources and use previously received Windows updates to scan for vulnerabilities. You can use the passive mode if you configure receiving Microsoft Windows updates in a different way. If receiving Microsoft Windows updates is not configured in another way, do not set the Windows Update search mode option to Passive, because in this case, information about updates will never be received.
       • Irrespective of the Connect to the update server to update data option's status (enabled or disabled), if the Windows Update search mode option is set to Disabled, Kaspersky Security Center Linux does not request any information about updates.

       If in the network of your organization the WSUS server is used (local WSUS server), and you want to use it together with Kaspersky Security Center Administration Server, you must first ensure that Kaspersky Security Center Administration Server is not used as a WSUS server, and then do the following:

       1. On your managed devices running Windows, specify your local WSUS server for the Windows Update service. You can do it either manually in Windows Registry or by using a Windows group policy.
       2. On your local WSUS server, specify the required classifications for updates and the applications on which the updates are to be distributed.
       3. Synchronize your WSUS server with the upstream server (this can be either a Microsoft WSUS server or another local upstream WSUS server).

       After the Find vulnerabilities and required updates task is run on the device, Network Agent uses the Windows Update service to initiate a request for Windows updates applicable to the device. The Windows Update service obtains the address of the external WSUS server from the registry and searches for updates directly from that external WSUS server. Then, the Windows Update service forwards this list to the Administration Server through Network Agent. Thus, Administration Server has an up-to-date base.

   • Search for third-party vulnerabilities and updates listed by Kaspersky

     If this option is enabled, Kaspersky Security Center Linux searches for vulnerabilities and required updates for third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in Windows Registry and in the folders specified under Specify paths for advanced search of applications in file system. The full list of supported third-party applications is managed by Kaspersky.

     If this option is disabled, Kaspersky Security Center Linux does not search for vulnerabilities and required updates for third-party applications. For example, you may want to disable this option if you have different tasks with different settings for Microsoft Windows updates and updates of third-party applications.

     By default, this option is enabled.

   You can disable these options after task creation on the Application settings tab of the task properties window.

7. Specify paths for advanced search of applications across the file system

   The folders in which Kaspersky Security Center Linux searches for third-party applications that require vulnerability fix and update installation. You can use system variables.

   Specify the folders to which applications are installed. By default, the list contains system folders to which most of the applications are installed.

   You can change the specified paths after task creation on the Application settings tab of the task properties window.

8. If required, Enable advanced diagnostics

   If this feature is enabled, Network Agent writes trace files even if writing trace files is disabled for Network Agent in Kaspersky Security Center Linux Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, you can download or delete them there.

   If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Linux Remote Diagnostics Utility. No additional traces are written.

   When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

   By default, this option is disabled.

   You can disable this option after task creation on the Application settings tab of the task properties window.

9. Specify the Maximum size, in MB, of advanced diagnostics files

   The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

   You have to specify this value if you enabled advanced diagnostics in the previous step. You can change this value after task creation on the Application settings tab of the task properties window.

10. If you want to modify the default task settings, enable the Open task details when creation is complete option on the Finish task creation page. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
11. Click the Finish button.

    The wizard creates the task. If you enabled the Open task details when creation is complete option, the task properties window automatically opens. In this window, you can specify the general task settings and, if required, change the settings specified during task creation.

    You can also open the task properties window by clicking the name of the created task in the list of tasks.

The task is created and configured. To run the task, select it in the task list and click the Start button.

Recommendations for the task schedule

When scheduling the Find vulnerabilities and required updates task, make sure that two options—Run missed tasks and Use automatically randomized delay for task starts—are enabled.

By default, the Find vulnerabilities and required updates task is set to start manually.

You can also schedule the Find vulnerabilities and required updates task to start at a particular time. For example, you can select the Every N hours scheduled start from the Start task drop-down list on the Schedule tab of the task properties window. In this case, note that if the organization's workplace rules provide for shutting down all devices at this time, the Find vulnerabilities and required updates task will run after the devices are turned on again. Such activity may be undesirable because a vulnerability scan may increase the load on CPUs and disk subsystems. You should set up the most convenient schedule for the task based on the workplace rules adopted by the organization.

For a detailed description of scheduled start settings, refer to the general task settings.

See also: Scenario: Finding and fixing third-party software vulnerabilities Scenario: Updating third-party software

Page top