ESET Online Help


Vulnerability & Patch Management FAQ

Below are frequently asked questions about Vulnerability & Patch Management (V&PM):

List of apps

How often is the list of apps covered by vulnerability scanning updated?

V&PM detects newly added software using a database that is updated a few times a week.

The list itself is updated daily, based on data from the provider.

Are apps that are not covered in the list of supported apps scanned for vulnerabilities?

No. The list is definitive: apps that are not in the database are not detected.

Does V&PM display and patch only app versions with known vulnerabilities, or can it also patch outdated app versions that have no known vulnerability?

V&PM patches only apps with an associated CVE; outdated versions with no CVE are not patched.

 

Policy

Are Allowed applications and Excluded applications in the V&PM Common Features policy sorted based on what can be automatically patched?

They are the allow list and deny list that Auto-Patch management applies according to the Auto-patch strategy setting.

 

Vulnerability & Patch Management scheduler

How exactly is a V&PM scan triggered?

A V&PM scan is triggered once daily by the V&PM scheduler, according to the settings the administrator configured in the policy.

What happens during the selected time window?

The scan runs once daily within the specified time window. If a computer is turned on during the window, the scan is launched at that point.

Are the scan task and the patch task interconnected? If at 15:50 I set the scheduler to 16:00–19:00, will that trigger only a scan task or a patch task as well? If only a scan task is triggered at 16:00, when is the next patch task triggered?

Scan and patch are not interconnected. If you apply the policy at 15:50, the scan runs at 16:00 and the patch runs at a random time between 16:30 and 18:30. If the computer is outside the maintenance window at that time, auto-patch is executed in the next window; Patch Management never patches outside those hours.

If a computer turns on at 19:00, will the scan/patch task trigger immediately or wait until 9:00? If the scheduled time is missed, does the scheduler task launch the patch immediately afterwards?

If the policy executes those tasks between 17:00 and 09:00 and you turn on the computer at 19:00, the scan is executed as soon as possible. The patch is also executed as soon as possible, but only if the random time picked when the task was created is before 19:00 (that is, it has already been missed); otherwise it waits for the selected time.

If no scheduler is set in a policy, when are scan and patching triggered? The pre-set policy is 17:00–09:00; does that mean the scan/patch triggers at 17:00 + 30 min or 09:00 - 30 min if no policy is set?

Yes. Without a scheduler setting, the scheduled time range is the same as in the pre-set policy, 17:00–09:00.

How exactly and when is an upgrade of applications triggered (when availability in the scheduler is set for all days and the entire 24-hour cycle)?

Auto-patch is a task executed by the scheduler, but its execution time is a random value between Start time + 30 min and End time - 30 min. Example: the administrator sets the Monday Start time to 1:00 a.m. and the End time to 11:00 a.m. When the policy is applied on an endpoint, an algorithm creates the auto-patch task for the scheduler by selecting a random value between 1:30 a.m. and 10:30 a.m.; suppose 4:21 a.m. is selected. Auto-patch then runs every Monday at 4:21 a.m. The same flow applies when all days are selected and the window is the full 24 hours (Start time 0:00, End time 24:00): one value is selected within that window, for example 1:23 p.m., and auto-patch then runs every day at 1:23 p.m.

Does the scan time depend on settings in the V&PM scheduler (for example, can a scan be forced manually by editing the scheduler settings), or does the scheduler determine only when the patch is applied?

A scan cannot be forced manually; it is run only by the scheduler.

Is there a set time for the scan, or is the time frame random?

The scan time is fixed: the scan task runs on each selected weekday at the Start time. For example, if Monday and Friday are selected with a Start time of 1:00 a.m. and an End time of 11:00 a.m., the scan runs on Monday at 1:00 a.m. and on Friday at 1:00 a.m.
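The scheduler rules in the answers above (scan at the Start time on each selected weekday; auto-patch at one random minute chosen when the policy is applied, between Start + 30 min and End - 30 min; a 17:00–09:00 window that crosses midnight; and what happens when a computer is turned on part-way through a window) are modelled below in Python. This is an added example written for this page, not ESET's implementation: the function names, the minutes-since-midnight representation and the fixed seed used for reproducibility are assumptions, and it covers any window length rather than only the examples on the page.

```python
import random

DAY = 24 * 60   # minutes in a day
MARGIN = 30     # auto-patch keeps 30 min clear of both window edges (page rule)


def hm(text):
    """'17:00' -> minutes since midnight. '24:00' is accepted so that a
    full-day window can be written as 00:00-24:00."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def fmt(minutes):
    """Minutes since midnight -> 'HH:MM', wrapping past midnight."""
    minutes %= DAY
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def window_length(start, end):
    """Window length in minutes. An End at or before the Start (17:00-09:00)
    means the window crosses midnight."""
    length = end - start
    return length + DAY if length <= 0 else length


def scan_times(start, days):
    """The scan is not randomised: it runs at the Start time on each selected weekday."""
    return {day: fmt(start) for day in days}


def pick_auto_patch_offset(start, end, seed=None):
    """Offset (minutes after Start) chosen once when the policy is applied,
    uniformly from [Start + 30 min, End - 30 min]. The seed exists only so this
    example is reproducible (assumption); the product draws a fresh value."""
    length = window_length(start, end)
    if length < 2 * MARGIN:
        raise ValueError("window shorter than 60 minutes leaves no auto-patch slot")
    return random.Random(seed).randint(MARGIN, length - MARGIN)


def auto_patch_time(start, offset):
    """Wall-clock time at which the auto-patch task fires on every selected day."""
    return fmt(start + offset)


def boot_behaviour(start, end, offset, boot):
    """What the scan and auto-patch tasks do when a computer that was off is
    turned on at `boot` (minutes since midnight):
    - outside the window: both wait for the next window;
    - inside the window: scan runs ASAP; auto-patch runs ASAP only if its
      selected time has already passed, otherwise it waits for that time."""
    length = window_length(start, end)
    elapsed = (boot - start) % DAY      # minutes since the current window opened
    if elapsed >= length:
        return {"scan": "wait for next window", "patch": "wait for next window"}
    if elapsed >= offset:
        patch = "asap"
    else:
        patch = "wait until " + auto_patch_time(start, offset)
    return {"scan": "asap", "patch": patch}


if __name__ == "__main__":
    # Page example: Monday 1:00-11:00 -> auto-patch somewhere between 1:30 and 10:30.
    start, end = hm("01:00"), hm("11:00")
    offset = pick_auto_patch_offset(start, end, seed=1)
    print("scan:", scan_times(start, ["Mon"]), "auto-patch:", auto_patch_time(start, offset))
    # Page example: 17:00-09:00 window, computer turned on at 19:00.
    start, end = hm("17:00"), hm("09:00")
    print(boot_behaviour(start, end, offset=60, boot=hm("19:00")))   # patch was due 18:00 -> asap
    print(boot_behaviour(start, end, offset=300, boot=hm("19:00")))  # patch due 22:00 -> waits
```

The modulo arithmetic in `boot_behaviour` is what makes the overnight window work: a boot at 08:00 is still inside the 17:00–09:00 window that opened the previous evening, so both tasks run immediately, while a boot at 12:00 is outside it and both wait.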

 

Process

Should I expect to see OS vulnerabilities in the Vulnerabilities page?

V&PM can detect both application vulnerabilities and operating system vulnerabilities.

How is the scan performed?

The scan is version-based. No active checks for exploitability are performed; the versions of installed software are compared with the versions listed as vulnerable in the database.
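The following is an added illustration of what such a version comparison does and does not tell you; it is example code written for this page, not ESET's scanner. The database format, the app names, the identifiers and the inventory are all constructed, and the range rule (vulnerable from an introduced version up to, but excluding, the fixed version) is an assumption, not a description of the provider's data.

```python
def parse_version(text):
    """'1.2.3' -> (1, 2, 3). A trailing non-numeric tag such as '3-beta' is
    dropped from its segment; compare with version_lt, which pads lengths."""
    segments = []
    for seg in text.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        segments.append(int(digits) if digits else 0)
    return tuple(segments)


def version_lt(a, b):
    """True if version string a is older than b. Segments are compared
    numerically (2.9 < 2.10) and '1.2' is padded to '1.2.0'."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    return va + (0,) * (n - len(va)) < vb + (0,) * (n - len(vb))


# Constructed vulnerability database (not ESET's data). Each entry marks the
# versions of an app that are vulnerable as the range [introduced, fixed_in).
VULN_DB = [
    {"app": "ExampleViewer", "id": "EXAMPLE-1", "introduced": "0", "fixed_in": "5.2.1"},
    {"app": "ExampleViewer", "id": "EXAMPLE-2", "introduced": "4.0", "fixed_in": "5.3"},
    {"app": "ExampleArchiver", "id": "EXAMPLE-3", "introduced": "0", "fixed_in": "2.10"},
    {"app": "ExampleEditor", "id": "EXAMPLE-4", "introduced": "0", "fixed_in": "3.0"},
]

# Constructed inventory, as a scan would collect it from the endpoint.
INVENTORY = [
    ("ExampleViewer", "5.2.0"),    # below 5.2.1 and below 5.3 -> two findings
    ("ExampleArchiver", "2.9"),    # 2.9 < 2.10 numerically, not as strings
    ("ExampleEditor", "3.1"),      # already at or above the fixed version -> nothing
    ("UnlistedTool", "0.1"),       # not in the database -> never reported
]


def find_vulnerable(inventory, db=VULN_DB):
    """Pure version match: an installed version inside an entry's vulnerable
    range is reported. Nothing is executed or probed on the endpoint, so a
    finding means 'a known-vulnerable version is installed', not 'this host
    is exploitable', and an app absent from the database is never reported."""
    findings = []
    for app, version in inventory:
        for entry in db:
            if entry["app"] != app:
                continue
            in_range = (not version_lt(version, entry["introduced"])
                        and version_lt(version, entry["fixed_in"]))
            if in_range:
                findings.append((app, version, entry["id"], entry["fixed_in"]))
    return findings


if __name__ == "__main__":
    for app, version, vuln_id, fixed_in in find_vulnerable(INVENTORY):
        print(f"{app} {version}: {vuln_id} (fixed in {fixed_in})")
```

Two consequences follow directly from the comparison being the only check: a backported fix that leaves the version string unchanged is still reported, and a vulnerable version that is installed but unreachable is reported just the same. The result is an inventory of versions to upgrade, not an exploitability assessment.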

When the patching task says finished, what does that mean? Did it successfully patch the machine, or successfully send the patching request? Why do Upgrade tasks appear to be applied successfully when no patch was actually applied?

The endpoint product launches the installer command in the OS. There is no way to track the result of the msiexec operation, so once the command has been handed off successfully, the task finishes with a successful result. A successful task therefore confirms that the patching request was issued, not that the patch was applied; whether the new version is actually installed shows up in the next scan.

How do I collect ELC and diagnostic logs?

To collect advanced V&PM logs:

1. Press F5 > click Tools > Diagnostics > Enable Vulnerability & Patch Management Advanced logging to enable V&PM diagnostic logging.

2. Reproduce the issue.

3. Disable Advanced logging (otherwise, the collected data is not written to the log).

4. Collect ELC and SysInspector logs using ELC 4.9.0 or later.

Where can I find a report of applied and failed patches?

You can create your own report listing computers with their CVE/patch pairs, but currently you cannot create a report of failed tasks. This also applies to OS patching, even though the OS itself performs and logs those patches.

How long does a manual Upgrade command to patch an app take to be applied on the endpoint?

The manual patch is performed as soon as the Agent connects. The Upgrade command creates an Apply application patch task that triggers immediately.

If a restart happens before all patches were applied, does the process continue after the restart?

There is a single patch task that iterates through all apps and patches them one by one. If one of them requires a restart, the restart message is displayed after the iteration finishes; a restart does not happen without notification or while the list of apps is still being patched.

Some apps, however, restart the computer directly after being patched without reporting that a restart is required. This should not happen, and a ticket is already open for it. If such a restart occurs, patching does not resume from where it stopped, even if the time window is still open; the remaining apps are patched in the next run.

Is there a way to install a specific version of an app, not only the latest version?

No. Supported software can be patched only to the latest version.

How are patch installation packages downloaded? Are they hosted by ESET, or just cached?

Neither. The endpoint machine downloads the installation packages directly; ESET does not host or cache them, so endpoints need outbound access to the download locations.

Does a computer restart have any effect on app upgrade/patch management?

No. A restart is required only if one of the patched apps needs it; in that case, the user is notified at the end of the patch run that a restart is necessary.