Applies to 9.6 and 9.6sp1

Autofix by scope added in LDMS 9.6

Scan by scope added in LDMS 9.6sp1

Overview

Autofix and Scan by scope have been implemented to allow different computers to be scanned or autofixed by the scope(s) they are in and still use the same Distribution and Patch settings.

Patch and Compliance Tree Changes

The Scan tree in Patch Manager has been changed to show both global and scoped Autofix and Scan groups.

Notice that the "All Items" has been incorporated into the root of the tree "Vulnerabilities (all items)"

If you don't see a "Current Scope" option, make sure at least one scope is created and that you have selected to view the Patch and Compliance under one of those scopes. 

For example, in the screenshot above my scope is currently set to "Blah".

If I changed the scope to "Global (all devices)" I would no longer see the Autofix (current scope) and Scan (current scope) options.

Setting to Global or Current Scope

To set a definition to Global or Current scope they can be copied and pasted into the desired category: Autofix (current scope), Autofix (global), Scan (current scope), or Scan (global).

If multiple scopes are needed to be set you can open individual definitions and select multiple scopes as seen in the next section.

Definition View of Scope

When opening a single definition you can view the Scan or Autofix tab.

This screen shows the current status of a definition, in this example "Scan (global)"

The available scopes are also show with checkboxes.

To enable this definition to be scanned by scope you can check the checkboxes next to the available scopes.

Autofix tab has a similar view.

Scan by Scope process

When a computer gets vulnerability definitions from the core it will also ask the core for its list of scopes.

The client uses this list of scopes to compare against the list of definitions it should scan.

The vulnerability definitions are stored on the core server in the LDLogon\VulnerabilityData directory.

The .xmlz are the compressed versions of the .xml files.

The .xmlz is copied down by the client and put into a "mergedGetVulnerabilitiesOfType_?.<Coreserver>.xml

The scopes will be listed in the .xml files as "Scanscopes"

For example, this custom definition is set to be scanned by scope 3:

<vulnerability Lang="INTL" Vul_ID="CD-order1" Date="1415725397" T="4">

  <Status>Available</Status>

  <ScanScopes>.3.</ScanScopes>