Download Options

The Downloads tab allows you to specify the location from which the files used by the program will be downloaded and refreshed. The files include the engine components, the news file displayed on the home page, and the deployment information file. The tab also sets the download source for the patch and product level files. The program will check an Internet location or the specified distribution server to determine if newer versions of the files are available.

Field

Description

Patch download directory

Displays the location of the patch download directory (also known as the patch store). This directory is used to store all patches that are downloaded in advance of a patch deployment.

To change the location, click the browse button.

IMPORTANT! If the directory resides on a network drive be sure to use the UNC naming convention; DO NOT SPECIFY A MAPPED DRIVE.

Using a Remote UNC Share Directory

If desired, you can specify a remote share directory for the patch download directory. In order for this to work, appropriate permissions need to be set on the remote directory. Both the Security Controls console user and the console machine need to be granted access to the download directory. The console user should have read/write permission to the share and the console machine needs read access. When specifying share permissions for a machine, you must append a "$" to the end of the machine name.

In some configurations additional users may need to be granted access to the download directory. If you specify machine or machine group credentials for machines that download patches from a distribution server, the specified user accounts will require read access to the download directory share.

Making the download directory share readable by everyone may or may not be an effective strategy. It depends on:

  • Whether the credential users and the download directory host belong to the same (or trusted) domain(s)
  • The specifics of the local security policy
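The following PowerShell sketch shows one way to set these permissions on the file server that hosts the share, granting access only to the named accounts instead of making the share readable by everyone. It is an added example, not part of the product or its documentation. The share name, path, domain and account names are hypothetical placeholders, and the NTFS step is included because effective access is the more restrictive of the share and NTFS permissions.

```powershell
# Added example. Every name below is a placeholder (assumption), not a product value.
$ShareName   = 'PatchStore'                  # hypothetical share name
$SharePath   = 'D:\PatchStore'               # hypothetical local path on the file server
$ConsoleUser = 'CONTOSO\sc-console-admin'    # console user: needs read/write
$ConsoleHost = 'CONTOSO\SC-CONSOLE01$'       # console machine account: trailing "$" is required
$DeployUsers = @('CONTOSO\svc-patch-deploy') # machine / machine group credentials: read only

New-Item -ItemType Directory -Path $SharePath -Force | Out-Null

# Share permissions: Change (read/write) for the console user,
# Read for the console machine account and any deployment credentials.
New-SmbShare -Name $ShareName -Path $SharePath `
    -ChangeAccess $ConsoleUser `
    -ReadAccess (@($ConsoleHost) + $DeployUsers) | Out-Null

# Remove a blanket Everyone entry if one is present on the share.
if (Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq 'Everyone') {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}

# Matching NTFS permissions: Modify for the console user, Read & Execute for the rest.
# (OI)(CI) makes the entry inherit to files and subfolders.
icacls $SharePath /grant "${ConsoleUser}:(OI)(CI)M" | Out-Null
foreach ($reader in @($ConsoleHost) + $DeployUsers) {
    icacls $SharePath /grant "${reader}:(OI)(CI)RX" | Out-Null
}

# Review the result and flag any broad principal left on the share.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'CONTOSO\Domain Users'
Get-SmbShareAccess -Name $ShareName | ForEach-Object {
    [pscustomobject]@{
        Account = $_.AccountName
        Right   = $_.AccessRight
        Broad   = $broad -contains $_.AccountName
    }
} | Format-Table -AutoSize

# In the console, enter the directory as a UNC path, for example \\fileserver\PatchStore
# (hypothetical server name), never as a mapped drive letter.
```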

Clean up patch download directory and distribution servers

Allows for the automatic clean up of your patch download directory and your distribution server(s). Any patches that are unlikely to be used in the future will be deleted from these locations. If the download directory is set to be used as a distribution server, core files are not deleted.

This option is superior to the ITScripts Console Clean Up script, which is not automated and does not clean up distribution servers.

There are two ways to define which patches will be deleted. A patch file must meet both criteria in order to be deleted.

  • Delete patch files published more than [x] days ago: Patches that were published a long time ago are unlikely to be needed and can be safely deleted. The default value is to delete patches that were published more than 45 days ago.
  • Delete patch files last detected as missing more than [x] days ago: Patches detected as missing by scans older than the threshold will be deleted. Patches detected as missing by more recent scans will not be deleted. The default value for the threshold is 45 days.

Example: Assume you use the default value of 45 days for both options. If a patch file was published 50 days ago, but it was detected as missing in a patch scan that was performed 40 days ago, the patch file will not be deleted.

Patches that have been sideloaded are an exception and will not be deleted. Security Controls will not delete any patch files that it has not downloaded.

The patch download directory clean up task will run automatically once a day. Your distribution servers will be cleaned as they are synchronized with the console.

Definition download source

You can specify where the latest engine components and data files downloaded by this console are located. The available options are:

  • Auto-update definitions (before scans): If enabled, the program automatically checks for and downloads updated data definition files whenever a new scan is performed. Enabling this check box will also enable the Tools > Auto-update definitions menu command.
  • Default (https://content.ivanti.com): Indicates you want to use the default location when downloading the files. The files are located at https://content.ivanti.com.
  • Custom share or URL: You must specify the path name of the share or the URL of the website that will be used when downloading files. It is the administrator's responsibility to make the files available at this location.
  • Specific Distribution Server: You must select the name of the distribution server that will be used when downloading files. You must have previously configured one or more distribution servers in order for the names to be pre-populated in this box. The newest versions of engines and data files can be periodically downloaded and copied to the distribution servers using the server synchronization feature.
  • There are unique credential requirements when using a distribution server as the download source. For more information see Configuring Distribution Servers.

Patch and product level download source

You can specify where the latest patch and product level files downloaded by this console are located. The available options are:

  • Vendor websites: Patches deployed from the console are downloaded directly from the websites of the companies that author the patches. This is the default. The locations of the websites are stored in the patch information file.
  • The other two download options are used if this console does not have an Internet connection or when the patches and product levels are being pre-downloaded to some central location.

  • Custom share or URL: If enabled, you must specify the path name of the share or the URL of the website that will be used when downloading files. It is the administrator's responsibility to make the files available at this location.
  • Specific Distribution Server: If enabled, you must select the distribution server that will be used when downloading patch files. You must have previously configured one or more distribution servers in order for the names to be pre-populated in this box. For more information see Configuring Distribution Servers.
  • This option is typically used by unattended console or disconnected console configurations. The patches and product levels are downloaded by a central console, which then pushes the files to the distribution server.

    One interesting but necessary side effect of enabling this option is that you will not be able to schedule an automatic synchronization for the distribution server you specify here. Why? Because in this particular case you do not want the console to synchronize with the distribution server. Doing so would cause the contents of the distribution server (the patches and product levels) to be overwritten by the contents of the console (which may not contain anything at all).

Scheduled automatic downloads

You can configure the program to automatically download the latest versions of the engine components and the data definition files on a regular basis. This can speed your scan processes by making the necessary files available in advance of a scan. You can also choose to automatically download patches and product levels that are likely to be used in future patch deployments.

  1. Click Add.
    The Schedule Download dialog appears.
  2. Specify when you want the download to occur.
    The Add delay (days) box (available if you download on a monthly basis) allows you to delay the download by up to 31 days. For example, you might use this to schedule a monthly download that is always performed four days after Patch Tuesday. You do this by specifying The Second Tuesday and then using the Add delay (days) option to delay the operation by four days.
  3. Click Save.
    The new scheduled download entry appears. At the scheduled time, the appropriate engines and definition files will be downloaded to the console.
  4. If you want to use the Predictive Patch feature, enable the Predictive patch downloads check box.
    If enabled, patches that are likely to be deployed in the near future are automatically downloaded to the patch download directory. The patches will be downloaded immediately following the scheduled download of the core engines and definitions. Downloading patches in advance of their anticipated deployment will help speed the deployment process. This feature is beneficial for agentless deployments and for agents that deploy patches using the services of a distribution server.

Here are some additional details about Predictive Patch:

  • The following patches will be downloaded to the console's download directory:
    • Missing patches that were detected by recent scans but that have not yet been downloaded. A recent scan is defined as a patch scan that was performed within the last 45 days.
    • Missing patches for products that Security Controls can deduce are on your target machines
    • Patches that were added to the data definition file within the last 45 days and that apply to products on your target machines.
  • New or missing product levels will be downloaded
  • The patches and product levels will be downloaded according to age (the most recent will be downloaded first)
  • The process will download up to 5GB of patches and product levels during a scheduled download session
  • Patches that already exist in the download directory will not be downloaded.
  • You can synchronize Predictive Patch with your distribution servers so that they receive copies of the downloaded patches
  • An entry is recorded in Event History every time patches are downloaded to the console by Predictive Patch
  • The patch download is triggered by either a scheduled download of the core engines and definitions or by clicking Run now when Core engines/definitions is selected
  • If a patch contains different packages for different languages, only those languages supported by your products are downloaded
  • Predictive Patch will not download software distribution patches (patches that are actually installation packages for free third-party applications)