Vulnerability & Patch Management FAQ

Below are frequently asked questions about Vulnerability & Patch Management (V&PM):

List of apps

How often is the list of apps covered by vulnerability detection updated?

V&PM can detect newly added software based on a database that is updated a few times a week.

The list is updated daily based on the data from the provider.

Are apps that are not covered in the list of supported apps scanned in Vulnerabilities?

No, the list is final; apps not covered in the database will not be detected.

Does V&PM display and patch only earlier vulnerable app versions, or can it patch just outdated, non-vulnerable app versions as well?

V&PM does not patch apps that have no associated CVE.

Policy

Are Allowed applications and Excluded applications in the V&PM Common Features policy sorted based on what can be automatically patched?

These serve as the safe list and deny list for Auto-Patch management, applied according to the Auto-patch strategy setting.

Can I see available OS/Windows updates in the Patch management menu without turning on the OS auto-update if:

Windows is currently not up-to-date on a computer

V&PM is activated with an up-to-date ESET Agent and ESET Endpoint version

in a policy: Enable Vulnerability & Patch Management is enabled

in a policy: Enable OS auto-updates is not enabled

in a policy: Computer restart options is set to Automatic action: Restart, Postpone: 1 hour?

No, selective patching for Windows OS is not supported.

Which option in terms of Operating System updates is stronger when both are assigned? ESET Management Agent policy > Advanced Settings > Operating system > Report if operating system is not up-to-date or Common features policy > Vulnerability & Patch Management > OS auto-updates customization > Allowed OS auto-updates?

Both options are equally strong and can also serve as cross-checks of each other. If V&PM is working properly (in manual or auto mode), ESET PROTECT will not report any issues with OS updates.

Scheduler

How exactly is V&PM scan triggered?

The V&PM scan is triggered once daily by the V&PM scheduler, based on the settings the administrator configures in the policy.

What happens during the selected time window?

The scan runs once daily within the specified time frame. If the computer is turned on during this time frame, the scan is launched at that point.

Are a scan task and a patch task interconnected? At 15:50, I will set the scheduler to launch 16:00 - 19:00; will it trigger a scan task only or a patch task as well? If only a scan task is triggered at 16:00, when will the next patch task be triggered?

Scan and patch are not interconnected. If it is 15:50 and you apply the policy, the scan will run at 16:00, and the patch will run at a random time between 16:30 and 18:30. If you are outside the maintenance window, the auto-patch will be executed the next time the window occurs. Patch Management does not patch outside those hours.

If a computer turns on at 19:00, will the scan/patch task trigger immediately or wait until 9:00? Is the scheduler task set so that, if the scheduled time is skipped, the patch launches immediately afterwards?

If the policy settings execute those tasks between 17:00 and 9:00 and you turn on your computer at 19:00, the scan will be executed as soon as possible. The patch will also be executed right away only if the randomly picked hour (chosen when the task was created) is before 19:00; if not, it will wait for the selected hour.

If no scheduler is set in a policy, when will the scan and patching be triggered? The pre-set policy is 17:00–09:00. Does this mean the scan/patch will trigger at 17:00 + 30 min or 9:00 - 30 min if no policy is set?

Yes, the scheduled time range is the same as the pre-set policy 17:00–09:00.

How exactly and when is an upgrade of applications triggered (when availability in the scheduler is set for all days and the entire 24-hour cycle)?

Auto-patch is a task the scheduler executes, but the execution time is a random value between Start time + 30 min and End time - 30 min. Example: the administrator sets the scheduler's Monday Start time to 1:00 a.m. and End time to 11:00 a.m. When the policy is applied on an endpoint, an algorithm creates the auto-patch task for the scheduler by selecting a random value between 1:30 a.m. and 10:30 a.m.; suppose 4:21 a.m. is selected. This means that auto-patch will run every Monday at 4:21 a.m. The same flow is used when all days are selected and the Start time is 0:00 a.m. and the End time is 12:00 p.m. (24h): a value is selected between those hours, for example 1:23 p.m., and auto-patch will then run every day at 1:23 p.m.

Does the scan time depend on settings in the V&PM scheduler (for example, can scan be manually forced by editing scheduler settings), or does only the scheduler determine the time when the patch is applied?

Scan and patch time depend on the scheduler settings.

Is there a set time for the scan, or is the time frame random?

The scan task runs on the selected weekdays at the Start time value. For example, if Monday and Friday are selected with a Start time of 1:00 a.m. and an End time of 11:00 a.m., the scan will run on Monday at 1:00 a.m. and on Friday at 1:00 a.m.
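The scheduling rules from the answers above (scan at the window's Start time, auto-patch at a time picked once at policy application between Start + 30 min and End - 30 min, a missed patch time caught up as soon as the computer is on inside the window, nothing outside the window) can be modelled in a few lines. The following is an added illustration written for this FAQ, not ESET's scheduler code: the function names, the "H:MM" string convention and the treatment of a window whose End is earlier than its Start (the 17:00–09:00 pre-set) as crossing midnight are assumptions made here so the examples in the text can be checked against each other.

```python
"""Model of the V&PM scheduler behaviour described in this FAQ.

Added illustration, not ESET's code. Times are "H:MM" wall-clock strings.
Assumption: an End time earlier than the Start time (17:00-09:00) means the
window crosses midnight, and Start == End means a full 24-hour window.
"""
import random

DAY = 24 * 60
MARGIN = 30  # minutes kept free at each end of the window for auto-patch


def to_minutes(hhmm: str) -> int:
    """'1:30' -> 90 (minutes since midnight)."""
    hours, minutes = hhmm.split(":")
    return (int(hours) % 24) * 60 + int(minutes)


def to_hhmm(minutes: int) -> str:
    """90 -> '01:30'; wraps past midnight."""
    minutes %= DAY
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def window_length(start: str, end: str) -> int:
    """Minutes in the maintenance window (960 for 17:00-09:00)."""
    length = (to_minutes(end) - to_minutes(start)) % DAY
    return length or DAY


def pick_patch_time(start: str, end: str, seed=None) -> str:
    """Random time between Start+30 min and End-30 min, chosen once when
    the policy is applied (the FAQ's 1:00-11:00 -> 4:21 a.m. example).
    `seed` only makes the choice reproducible for testing."""
    usable = window_length(start, end) - 2 * MARGIN
    if usable < 0:
        raise ValueError("window must be at least 60 minutes long")
    offset = MARGIN + random.Random(seed).randint(0, usable)
    return to_hhmm(to_minutes(start) + offset)


def offset_in_window(clock: str, start: str) -> int:
    """Minutes elapsed from the window's Start to `clock`, measured along
    the window so that a window crossing midnight still counts upwards."""
    return (to_minutes(clock) - to_minutes(start)) % DAY


def on_boot(now: str, start: str, end: str, patch_at: str):
    """What runs when a computer is turned on at `now`.

    Returns (scan, patch): each is "now", a time to wait for, or None when
    the computer is outside the window (nothing until the next window).
    """
    now_off = offset_in_window(now, start)
    if now_off >= window_length(start, end):
        return None, None
    # The scan is launched as soon as the computer is on inside the window.
    # The patch runs immediately only if its picked time was already missed
    # (it lies between Start and now); otherwise it waits for that time.
    if offset_in_window(patch_at, start) <= now_off:
        return "now", "now"
    return "now", patch_at


if __name__ == "__main__":
    picked = pick_patch_time("17:00", "09:00")
    print("auto-patch time picked at policy application:", picked)
    print("computer turned on at 19:00 ->", on_boot("19:00", "17:00", "09:00", picked))
    print("computer turned on at 12:00 ->", on_boot("12:00", "17:00", "09:00", picked))
```

Running the block with the pre-set 17:00–09:00 window shows the three cases the FAQ describes: a boot at 19:00 scans immediately and either patches immediately (picked time already passed) or waits for the picked time, while a boot at 12:00 does nothing until 17:00.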

If the scheduler is set to Monday, Start time: 10:00, End time: 19:00, and Enforce patch installation is enabled (patch delayed by 3 days, with the Cannot postpone option), but the workstation stays turned off until the following Saturday, will the enforced patch run automatically on Saturday, or does the administrator need to manually send an update task from the Patch Management menu?

If auto-patching is enabled, the workstation will update on Saturday after it is turned on (because Cannot postpone is set in the scheduler), giving the user only very short notice before patching.

Process

Should I expect to see OS vulnerabilities in the Vulnerabilities page?

V&PM can detect both application vulnerabilities and operating system vulnerabilities.

How is the scan performed?

No active checks for exploitability are performed. Versions of installed software are compared to those listed in the database as vulnerable.
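Because the scan is a version comparison rather than an exploitability check, the one thing that has to be right is how versions are ordered: comparing "7.10" and "7.9" as plain strings puts 7.10 first and would silently miss a vulnerable install. The following is an added illustration of that comparison, written for this FAQ; it is not ESET's database format or code, and the application names, version ranges and CVE identifiers in the sample database are constructed placeholders.

```python
"""Version-range matching of the kind the FAQ describes: installed versions
are compared against a database of vulnerable ranges; nothing is probed.

Added illustration, not ESET's code or database format. The rows in
VULN_DB are constructed; the CVE identifiers are placeholders, not real.
"""
import re
from typing import Dict, List, Tuple


def version_key(version: str) -> tuple:
    """Split '7.5.1' or '2024.1a' into components that compare numerically,
    so that version_key('7.10') > version_key('7.9'), which a plain string
    comparison gets wrong. A component without digits sorts before any number."""
    key = []
    for part in re.split(r"[.\-]", version.strip()):
        match = re.match(r"(\d*)(.*)", part)
        digits, rest = match.group(1), match.group(2)
        key.append((int(digits) if digits else -1, rest))
    return tuple(key)


# Constructed sample database, one row per vulnerable range:
# (app name, first vulnerable version, first fixed version, placeholder CVE id)
VULN_DB = [
    ("ExampleArchiver", "0", "7.6", "CVE-EXAMPLE-0001"),
    ("ExampleViewer", "2.0", "2.3.1", "CVE-EXAMPLE-0002"),
]


def find_vulnerable(installed: Dict[str, str], db=VULN_DB) -> List[Tuple[str, str, str]]:
    """Return (app, installed version, cve) for each installed app whose
    version falls inside a vulnerable range. Apps absent from the database
    are never reported, matching the FAQ's 'the list is final'."""
    hits = []
    for app, first_vulnerable, first_fixed, cve in db:
        version = installed.get(app)
        if version is None:
            continue
        if version_key(first_vulnerable) <= version_key(version) < version_key(first_fixed):
            hits.append((app, version, cve))
    return hits


if __name__ == "__main__":
    # Constructed inventory as a V&PM-style scan would collect it.
    inventory = {"ExampleArchiver": "7.5.1", "ExampleViewer": "2.3.1", "Unlisted": "1.0"}
    for app, version, cve in find_vulnerable(inventory):
        print(f"{app} {version} is vulnerable ({cve})")
```

In the sample run only ExampleArchiver 7.5.1 is reported: ExampleViewer is exactly at its first fixed version, and the unlisted app is ignored because it has no database entry.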

When the patching task says finished, what does it mean? Does it successfully patch the machine or successfully send the patching request? Why do the Upgrade tasks appear to be successfully applied while no patch was actually applied?

The endpoint product launches the command in the OS. There is no other way of tracking the result of the msiexec operation; therefore, if the command is passed successfully, the task finishes with a successful result.

How do I collect ELC and diagnostics logs?

To collect advanced V&PM logs:

1. Press F5 > click Tools > Diagnostics > Enable Vulnerability & Patch Management Advanced logging to enable V&PM diagnostic logging.

2. Reproduce the issue.

3. Disable Advanced logging (otherwise, the collected data will not be written to the log).

4. Collect ELC + SysInspector logs with ELC 4.9.0 or later.

Where can I find a report of applied and failed patches?

You can create your own report listing computers with their CVE/patch pairs, but currently you cannot create a report of failed tasks; this also applies to task results for OS patching, which is performed and logged by the OS.

How long does a manual upgrade command to patch an app take to be applied on the endpoint?

The manual patch will be performed as soon as the Agent connects. The Upgrade command will create an Apply application patch task that triggers immediately.

If restart happens when not all patches were applied, will the process continue after the restart?

There is only one patch task; it iterates through all apps and patches them one by one. If one of them requires a restart, the restart message is displayed after the iteration finishes. A restart does not happen without notification, nor during the iteration through the list of apps to be patched.

Some apps do restart directly after being patched without reporting that a restart is required; this should not happen, and we already have a ticket open for it. If such a restart occurs, patching will not continue from where it left off, even if the computer is still within the time interval; it will be executed the next time.

Is there a way to install a specific version of an app, rather than only the latest version?

No; supported software can be patched only to the latest version.

How are patch installation packages downloaded? Are they hosted by ESET or just cached?

Neither; the endpoint machine downloads them directly.

Does computer restart have any effect on app upgrade/patch management?

No. A restart is necessary only if an app requires one at the end of patching, and in that case the user is notified that a restart is necessary.

Can I update Windows from the Patch Management menu with the Actions button > Update (as with other applications, for example, 7-Zip)?

No, you cannot update Windows via the Patch management menu.

For informational purposes, you can open the Vulnerabilities menu and work on the assumption that all listed OS vulnerabilities can typically be patched, except in zero-day situations (which OS vendors will usually try to avoid).

Do you provide OS update rollback or application rollback?

Patch rollback is not supported. Instead, we recommend testing the patches on a few computers before a full network deployment to avoid unexpected problems with patched applications.