Vulnerabilities are being disclosed at an increasing rate. To mitigate the resulting risk, keep patch scans accurate and up to date: a current scan identifies systems with missing critical patches so that they can be remediated promptly, strengthening the organization's overall security posture.
Before running a patch scan on an agent machine, check that the Vulnerability DB is synced. The Vulnerability Database is updated automatically every day; it can also be updated manually (this is not required for cloud-based servers). To update the Vulnerability DB manually, navigate to the Threats & Patches tab on the Endpoint Central console. In the left pane, go to the Update Now tab and click Update Now under Update Vulnerability DB. After the Vulnerability DB has been updated, and only if new patches are found, a patch scan is performed in the subsequent refresh cycle. To change the schedule of the Vulnerability DB update, click Change. You will be redirected to the Patch Database Settings page, where you can also select the patches that you wish to manage using Endpoint Central. To learn more about Patch Database Settings, refer to this page.
The agent has to be installed on the endpoint and onboarded. A patch scan is initiated after agent installation, but only if the Perform Patch Scanning checkbox has been enabled. To enable it, navigate to Admin -> SoM Settings -> Agent Settings -> General Settings tab. Under Actions to be performed after agent installation, enable the checkbox "Perform Patch Scanning".
Allow about 20 minutes for the patch scan to complete. Then verify that the scan ran successfully by navigating to Systems -> Scan Systems under the Threats & Patches tab.
A patch scan is triggered under the following conditions:
A patch scan can also be initiated manually from the console or from the Agent Tray icon. Right-click the Agent Tray icon -> Scan -> Initiate Patch Scan. To initiate a patch scan manually from the console, follow the steps below:
After synchronization with the patch database, Endpoint Central collects details of the latest patches released. The scan is scheduled as soon as the database is synced, and in their next refresh cycle the Endpoint Central agents automatically scan their computers to check whether the newly available patches are missing. The administrator can change the sync timing in the Patch DB Settings.
Every time a scan runs, the latest missing patches are detected. Because each agent scans only in its own subsequent refresh cycle, the scan traffic is spread across the refresh interval and the server is not overloaded.
Reports of missing patches are available after the scan completes. Navigate to Reports -> Schedule Reports -> Scan Report. A convenient option is to schedule the report to be emailed 2 hours after the database sync, so that the scans triggered by that sync are reflected in it; you can also configure any other frequency you wish.
If you have any further questions, please refer to our Frequently Asked Questions section for more information.