ESET Online Help


Patch Management

Patch management helps ensure that systems and applications are secure against known vulnerabilities and exploits. The Patch management section lists all available patches remedying the detected vulnerabilities and makes the remediation process easier through automated software updates. With patching options, you can promptly ensure that your endpoints are updated with the latest security patches.


note

Prerequisites

To view and enable ESET Vulnerability & Patch Management, ensure you have one of the following tiers:

ESET PROTECT Elite

ESET PROTECT Complete

ESET PROTECT MDR

You can enable ESET Vulnerability & Patch Management only on Windows computers running:

ESET Management Agent version 10.1+

ESET Endpoint Security for Windows version 10.1+

ESET Endpoint Antivirus for Windows version 10.1+

ESET Server Security for Microsoft Windows Server version 11.0+


important

ESET Vulnerability & Patch Management is not supported on ARM processors.


warning

ESET Bridge users

ESET Bridge blocks the Patch Management network traffic by default. ESET Bridge does not affect the reporting of vulnerabilities.

To enable the Patch Management network traffic, disable the Access Control List (ACL) rules in the ESET Bridge configuration file:

1. Open the ESET Bridge configuration file restrict.conf.template in a text editor:

   o Windows: C:\ProgramData\ESET\Bridge\Proxies\Nginx\Conf\restrict.conf.template

   o Linux: /var/opt/eset/bridge/nginx/conf/restrict.conf.template

2. Change set $valid_host 0; to set $valid_host 1;.

3. Save the restrict.conf.template file.

4. Restart the ESET Bridge service.

Disabling ACL rules allows the routing of all network traffic via ESET Bridge (ESET Bridge becomes an open proxy).
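The following is an added example, not ESET code: a small Python helper that reports whether a restrict.conf.template still enforces the ACL or has been switched to the open-proxy state described above, and that can apply step 2 with a backup. The function names and the sample text are constructed for illustration; the real file contains more than the directive shown, and the comment handling assumes that `#` always starts an nginx comment.

```python
import re
import shutil
from pathlib import Path

# Directive named in step 2; \s+ tolerates extra spacing between tokens.
DIRECTIVE = re.compile(r"\bset\s+\$valid_host\s+([01])\s*;")

# Constructed sample, not the real file contents.
SAMPLE = """\
# set $valid_host 1;  (commented out, must be ignored)
set $valid_host 0;
# remaining rules omitted
"""

def _split_comment(line):
    """Split a line into (code, comment); assumes '#' always starts a comment."""
    idx = line.find("#")
    return (line, "") if idx < 0 else (line[:idx], line[idx:])

def acl_state(text):
    """Return 'enforced', 'disabled' (open proxy) or 'unknown' (no directive)."""
    values = []
    for line in text.splitlines():
        values += DIRECTIVE.findall(_split_comment(line)[0])
    if "0" in values:
        return "enforced"
    return "disabled" if values else "unknown"

def disable_acl(text):
    """Apply step 2 to uncommented directives only; return (new_text, changes)."""
    out, changes = [], 0
    for line in text.splitlines(keepends=True):
        code, comment = _split_comment(line)
        code, n = re.subn(r"(\bset\s+\$valid_host\s+)0(\s*;)", r"\g<1>1\2", code)
        changes += n
        out.append(code + comment)
    return "".join(out), changes

def apply_to_file(path):
    """Back up the template to <name>.bak, apply step 2, return the new state."""
    path = Path(path)
    new_text, changes = disable_acl(path.read_text(encoding="utf-8"))
    if changes:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return acl_state(new_text)

if __name__ == "__main__":
    import sys  # audit only: print the state of the given file, or of SAMPLE
    print(acl_state(Path(sys.argv[1]).read_text()) if sys.argv[1:] else acl_state(SAMPLE))
```

Run it with the path from step 1 to audit a host; a result of disabled means that ESET Bridge is acting as an open proxy. The service restart in step 4 is still required after apply_to_file changes the file.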

Patch Management is enabled during Vulnerabilities & Patch Management activation.

View Patch Management

You can view Patch Management from several places:

Click Patch Management in the main menu to open the Patch Management section and view a list of patches

Click Computers > select Details > in the Vulnerability & Patch Management tile, click Show patches to open the Patch Management section

Grouping the view

To group patches, select from the drop-down menu:

Ungrouped—default view

Group by Application name—when grouped, click an application row and click Show Devices to display devices (computers) where a patch will be applied

Filtering the view

To add filtering criteria, click Add Filter and select item(s) from the list. Type the search string(s) or select the items from the drop-down menu in the filter field(s) and press Enter. Active filters are highlighted in blue.

Application name—the name of the application with the vulnerability

Application version—the version of the application causing the vulnerability

Patch version—the patch version

Severity—severity level, including informational, warning, or critical

Computer name—the name of the affected computer

Application vendor—the name of the application vendor

Side panel with details

Click an application name to view application details in a side panel. Application preview manipulation:

Next—displays the next application details in the side panel

Previous—displays the previous application details in the side panel

Manage content for Patch Details—manages how the side panel sections are displayed and in what order

Close—closes the side panel


Deploy patches


important

You can patch only selected apps.


important

We recommend that you enable the auto-patch management via a policy.


important

You can enable operating system auto-updates and select the severity levels for applying OS updates via a policy.

OS auto-updates are only available for ESET Endpoint for Windows 11.0 and later.

When automated patching is configured, the solution will automatically patch applications during maintenance windows.


note

Some applications require a computer restart and can restart computers automatically after an upgrade.


note

Some applications (for example, TeamViewer) can be licensed to a specific version. Review your applications. To avoid an unnecessary upgrade, set Auto-patch strategy > Patch all except excluded applications while creating a policy.

Alternatively, you can deploy patches in one of the following ways:

Select the applications where you want to deploy patches > click the Actions button and click Upgrade.

To patch an application on all affected devices, apply the Group by Application name view, select the application name row, click the more (vertical dots) icon and click Upgrade.

After you deploy patches with the Upgrade button, a new client task Apply application patch will be created automatically in Tasks. For endpoints, the patches will be applied based on the Vulnerability & Patch Management scheduler set in Policies. For servers, the patches will be installed after a 60-second countdown with no option to postpone.

For more information, see Vulnerability & Patch Management FAQ.