Introduction
This document covers the Patch-only settings in Distribution and Patch settings which are new or moved in LDMS 9.6.
Previously in LDMS 9.5 most of these settings were in "Scan and Repair".
In-place Upgrades
During an in-place upgrade from 9.5 to 9.6, we attempt to move settings from "Scan and Repair" into the new "Distribution and Patch" settings.
It is recommended that they be reviewed after the upgrade to make sure they are configured as desired.
Accessing Patch-only Settings in Distribution and Patch settings
To access the Distribution and Patch settings, go into Tools - Configuration - Agent Settings.
Expand "All agent settings"
Click on Distribution and Patch Settings.
On the right, double click on one of the settings to open it.
Click on "Patch-only settings" and it should look similar to the above screenshot.
Patch-only Settings
"When no reboot is required": Controls what happens to the Vulscan UI if no reboot is needed after vulscan has completed its task. Be aware that requiring end user input requires a Scan Dialog to be shown, which is controlled in General Settings. Best practice is to close after timeout.
Alternate Core: This setting allows scan results to be communicated to another core server.
When installing via CSA: This controls the downloading of patches when the client is connected to the core through a Cloud Service Appliance (CSA). It allows vulscan to download patches directly from vendors' websites instead of the usual patch download location.
CPU utilization when scanning: Controls the CPU utilization while vulscan is scanning.
Scheduled task log: This controls how much logging is sent to the core when vulscan is run as a scheduled task.
Do not disturb
The Do not disturb screen lists the applications, and the mode each application must be in, that prevent a security scan from running.
Add defaults... will add the items shown in the above screenshot.
If powerpnt.exe was running in full screen on a client and a security scan with these settings were to run, the scan would be automatically hidden and deferred.
You can also add items via the "Add..." button.
Existing items can be edited with the edit button.
Items can also be deleted from here.
9.6 Mac agents will use the above list for their Do not disturb settings.
Legacy Mac agents do not have a list and instead allow hiding or deferring only if a presentation is running.
Do not disturb - Edit dialog
In the edit dialog you can choose what mode an application needs to be in to prevent a security scan: Any \ Full screen.
You can also choose what to do when the application is in that mode: Hide and/or Defer.
Scan Options
Group: Allows a group to be selected. Items in the group will be scanned during a security scan using these settings.
Immediately install (repair) all applicable items: If checked, the items in the group will be repaired immediately during the scan (if possible to remediate).
Type: Any type selected here will be scanned if the patch definition is in the "Scan" group in Patch and Compliance. Items in Do Not Scan or Unassigned will not be scanned.
Enable autofix: This allows items of the selected Type to be autofixed, if the definition is also set to autofix AND the client also allows autofix.
Schedule
This section allows you to determine when the security scan will run. These settings only apply to the "Distribution and Patch" setting that is assigned to the device, usually in the agent configuration or through a change settings task.
Event-Driven:
"When user logs on" will run a scan when the user logs on. This could be multiple times a day and could run while users are actively using the system.
"Max random delay" will delay the logon scan by one or more hours. This is useful if you want to let the user open programs and do other logon tasks before the security scan runs.
Schedule-driven
"Use recurring schedule" will use the settings chosen in "Change settings...".
Below the Change Settings button is a review of the selected options and summary of when the scans will run.
Frequent Scan
Frequent scans are typically used if you want the devices to scan against certain definitions very frequently.
These settings are similar to the Schedule settings.
You must choose a group to scan against: a frequent scan does not scan against the items listed in "Scan options", but rather against the group specified in "Enable high frequency scan and repair definitions for the following group".
Override Settings
Because you can choose a different group, you can also choose a different Distribution and Patch setting for it.
Pilot configuration
This section allows you to specify a group to scan against as a test group. These settings are the same as the ones covered earlier.
Spyware scanning
This section allows you to override settings made in the agent configuration. These only need to be set if you want to override the agent configuration, and they only apply if this Distribution and Patch setting is assigned to the device through the agent configuration or a change agent settings task.
Install/Remove options
"Start repair even if" "Reboot is already pending": This option allows a repair to occur even if the device needs to be rebooted. Typically a device needs to be rebooted if PendingFileRenameOperations contains entries; in that case a vulnerability repair job otherwise fails with the error "Cannot complete the requested action. The device must be rebooted first."
Items are placed in PendingFileRenameOperations when a file was in use at the time the OS needed to replace it, for example as part of a software install.
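The following is an added example (not LANDesk's own code) showing how an administrator can inspect the PendingFileRenameOperations value on a client to see why vulscan reports a pending reboot. It reads the standard registry location and lists the queued rename and delete operations.

```powershell
# Added example, not part of the LDMS product: list the file operations queued in
# PendingFileRenameOperations, the value vulscan consults when deciding a reboot is pending.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'

function Get-PendingFileRenames {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if (-not $item) { return @() }   # value absent: nothing is queued

    # The REG_MULTI_SZ holds source/destination pairs; an empty destination
    # means the source file is deleted at next boot. Paths carry a \??\ prefix,
    # and a leading "!" on the destination means "replace existing".
    $entries = @($item.$name)
    $result  = @()
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $src = $entries[$i] -replace '^\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $entries.Count) {
            $dst = $entries[$i + 1] -replace '^!?\\\?\?\\', ''
        }
        $result += [pscustomobject]@{
            Source      = $src
            Destination = $dst
            Action      = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { 'Rename' }
        }
    }
    return $result
}

$pending = Get-PendingFileRenames
if ($pending.Count -eq 0) {
    Write-Output 'No pending file rename operations; the reboot-pending check will not block a repair.'
} else {
    Write-Output "Reboot pending: $($pending.Count) queued file operation(s):"
    $pending | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the client; the listed source paths usually identify which install left the device needing a reboot.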
Continuation
Continuation is used to continue security tasks after an event like a reboot or prerequisite install.
"Additional automatic repair count": This count limits a reboot loop in case the repair is not working as expected and the device keeps rebooting and trying to repair the same patch again.
Maintenance window
The maintenance window is used to limit Patch install, uninstall, and reboots to certain times or conditions. Scans will still occur outside of the window.
IMPORTANT NOTE: The Distribution and Patch setting must be assigned to the device through the agent configuration or "Change settings task...".
"Machine must be in this state" checks for either a log off event, or a "locked or logged off" state.
There is a configurable delay before the task kicks off of around 5 minutes, just in case it was an accidental or a quick lock\logoff and a user then logs back on and is using the device.
"Machine must be in this time window" allows the administrator to set time, day of week and day of month filters to limit when install, uninstall, or reboot actions can occur.
Pre-repair script
This allows actions or tasks to be run before an install or uninstall action.
There are sample scripts that can be viewed by clicking on "Insert sample script".
Post-repair script
This is nearly identical to the pre-repair script, except it runs after the repair task.
MSI Information
Original package location:
Older Office patches needed access to the Office install source when installed. This feature allows an alternate source to be specified like a network location.
Run as information
This section allows the administrator to specify credentials to be used to run the patch installation. Typically this needs to be a local administrator. If left blank, the local system account will be used.
Branding
This section allows the administrator to change the Icon and Banner seen when the repair or status UI appears.