Patch and Compliance help

The Patch and Compliance tool window (Tools > Security and Compliance > Patch and Compliance) is where you perform security scanning, remediation, and related tasks. You can download and manage security content, configure security and compliance scans, configure remediation, customize and apply security scanner display/interaction settings, and view comprehensive security-related information for scanned devices.

The main section for Patch and Compliance introduces this security management tool. In that section, you'll find overview and security content subscription information and step-by-step instructions on how to use all of the tool's features, including a description of the tool's interface and functionality (see Open and understand the Patch and Compliance tool). For information on Patch settings, see Agent settings: Distribution and patch.

This section contains help topics that describe the Patch and Compliance dialog boxes. From the console interface, these help topics are accessed by clicking the Help button on each dialog box.

Patch and Compliance tool window help

Download security content updates help

Definition properties help

Detection rule properties help

Patch and Compliance tasks help

Patch and Compliance toolbar help

Patch and Compliance tool window help

About the Select columns dialog box

Use this dialog box to configure data columns for item lists in the Patch and Compliance tool window. You decide which data columns to display, so that you can quickly sort through long lists of downloaded security definitions to find the information needed for a specific task or situation.

NOTE: Using the CVE ID data column
Ivanti® Endpoint Security for Endpoint Manager supports the CVE (Common Vulnerabilities and Exposures) naming standard. With Patch and Compliance you can search for vulnerabilities by their CVE names and view CVE information for downloaded vulnerability definitions. For more information about the CVE naming convention, Ivanti compatibility with the CVE standard, and how to use CVE identification to find individual vulnerabilities in Patch and Compliance, see Search for vulnerabilities by their CVE name.

By adding and removing data columns, and moving them up and down in the list (to the left and to the right in the column view), you ensure that important, relevant information is front and center.

Available columns: Lists the data columns that are currently not displayed in the Patch and Compliance tool window, but are available to add to the Selected Columns list.

Selected columns: Lists the data columns that are currently displayed in the Patch and Compliance window. The data columns display in a downloaded security definition list from left to right in the same order as they appear here from top to bottom.

Defaults: Restores the default displayed data columns.

About the Manage filters dialog box

Use this dialog box to manage filters you can use to customize the security content that displays in the Patch and Compliance window's item list. You can use filters to streamline a lengthy list.

New: Opens the Filter properties dialog box where you can configure a new filter's settings.

Edit: Opens the Filter properties dialog box where you can modify and save the selected filter.

Delete: Removes the selected filter permanently from the database.

Use filter: Applies the selected filter to the current item list. The applied filter persists when you click different groups in the tree view.

About the Filter properties dialog box

Use this dialog box to create or edit security content list filters. You can filter by operating system, security risk severity, or any combination of both.

Filter name: Identifies the filter by a unique name. This name appears in the Filter drop-down list.

Filter operating systems: Specifies the operating systems whose definitions you want to display in the item lists. Only those items associated with the operating systems you select are displayed.

Filter severities: Specifies the severities whose definitions you want to display in the items lists. Only those items whose severity matches the ones you select are displayed.

Download security content updates help

About the Download updates dialog box

Use this dialog box to configure settings for downloading security content updates, proxy server, patch file download location, spyware, autofix, and antivirus updates and backups.

After you specify the types of content updates you want to download and the other options on the pages of the Download updates dialog box:

To perform an immediate download, click Download Now. If you click Apply, the settings you specify will be saved and will appear the next time you open this dialog box. If you click Close, you'll be prompted to save the settings.

To schedule a download security content task, click Schedule download. Enter a name for the task, verify the information, and then click OK to add the task to Scheduled tasks.

You can click View log to open the log file.

To save your changes on any page of this dialog box, click Apply.

The Download updates dialog box contains the following pages:

About the Updates page

About the Proxy settings page

About the Patch location page

About the Ivanti Antivirus page

About the Content page

About the Import/Export page

IMPORTANT: Special considerations regarding security content downloading

Endpoint Security for Endpoint Manager content subscriptions

A basic Endpoint Manager installation enables you to download and scan for Ivanti software updates and create and use your own custom definitions. For all other security content types, such as platform-specific vulnerabilities, spyware, and so on, you must have an Ivanti® Endpoint Security for Endpoint Manager content subscription to download the associated definitions.

For information about Endpoint Security for Endpoint Manager content subscriptions, contact your Ivanti reseller, or visit the Ivanti website: Ivanti Home

Task-specific settings and global settings

Note that only the definition types, languages, and definition and patch download settings are saved and associated with a specific task when you create it. Those three settings are considered task specific.

However, all of the settings on the other pages of the Download updates dialog box are global, meaning they apply to all subsequent security content download tasks. Global settings include: patch download location, proxy server, spyware, autofix, security alerts, and antivirus. Any time you change a global setting, it is effective for all security content download tasks from that point on.

About the Updates page

Select update source site: Specifies the Ivanti content server that is accessed to download the latest definitions, detection rules, and associated patches to your database. Select the server nearest your location.

Definition types: Identifies which security content definitions are updated. Only those definition types for which you have a subscription are available. The more definition types you select, the longer the download will take.

After you've downloaded security content, you can use the All types drop-down list in the main Patch and Compliance tool window to determine which definition types are displayed in a list.

Languages: Identifies the language versions of the selected definition types that are updated.

Some vulnerability and other definition types, and any associated patches, are language neutral or independent, meaning they are compatible with any language version of the OS or application addressed by that definition. In other words, you don't need a unique language-specific patch to remediate those vulnerabilities, because the patch covers all supported languages. For example, Linux platforms use only language neutral definitions and patches. However, Microsoft Windows and Apple Macintosh platform vulnerability definitions and patches are nearly always language specific.

When downloading content for any platform (with the appropriate security content subscription), all of the selected platform's language neutral vulnerability definitions are automatically updated by default. If you've selected a Windows or Mac content type, you must also select the specific languages whose definitions you want to update. If you've selected a Linux platform, you do not have to select a specific language because its content is language neutral and will be updated automatically.

Download patches for definitions selected above: Automatically downloads patch executable files to the specified download location (see Patch Location page), according to one of the following download options:

For detected definitions only: Downloads only the patches associated with vulnerabilities, security threats, or Ivanti updates detected by the last security scan (i.e., the definitions that are currently residing in the Detected group).

For all downloaded definitions: Downloads ALL of the patches associated with vulnerabilities, security threats, and Ivanti software updates currently residing in the Scan group.

Set new definition scan status to: Automatically places new definitions and associated detection rules in the group you select. Adjust this option if you want to move content manually in and out of the Scan group to customize the security scan.

NOTE: Definitions that have a dependency with another definition that already exists in a different group, such as the Scan or Do Not Scan group, are automatically placed in that group even if this option is selected. In other words, the dependency relationship overrides this option so that the most recently downloaded (new) definition is in the same group as the definition with which it has a dependency.

NOTE: Definitions that you've already placed in the Alert group (in the Configure alerts dialog box) are automatically placed in the Scan group as well, even if this option is selected, so that the appropriate alerting takes place.

NOTE: For the blocked application type, the default download location is different. Blocked application definitions are downloaded to the Unassigned group by default, not the Scan group. Therefore you don't have to select this option if you're downloading only blocked application definitions.

Definition group settings: Opens the Definition group settings dialog box where you can create, manage, and select definition groups. You can use definition group settings to automate scan status, download location, and how security definitions (content) that match specified type and severity criteria are downloaded.

About the Proxy settings page

If your network uses a proxy server for external transmissions (such as Internet access), use this page to enable and configure the proxy server settings. Internet access is required for both updating vulnerability information and downloading patch files from the appropriate web services.

Use proxy server: Enables the proxy server option (by default, this option is off). If you enable a proxy server, you must fill in the address and port fields below.

Server: Identifies the IP address and port number for your proxy server.

HTTP based Proxy: Enables the proxy server, if it's an HTTP-based proxy (such as Squid), so that it will successfully connect to and download patches from FTP sites. (Patches hosted at some FTP sites cannot be downloaded through an HTTP-based proxy unless you first enable this option).

Requires login: Allows you to enter a username and password if the proxy server is credentialed instead of a transparent proxy server.

About the Patch location page

Use this page to specify where patch executables are downloaded.

UNC path where patches are stored: Specifies where patch files are downloaded. The default location is the core server's \LDLogon\Patch folder. You can enter a different UNC path to download patches, but you must ensure access to that location by entering valid authentication credentials in the fields below.

Credentials to store patches: Identifies a valid username and password for accessing a location other than the core server. If you're downloading patches to the default location on the core server, the username and password fields are not applicable.

Web URL where clients access patches: Specifies a web address where devices can access downloaded patches for deployment. The default location is the core server's \LDLogon\Patch folder. This location will normally be the same as the UNC path specified above.

Test settings: Performs a connectivity test to the specified URL.

Reset to default: Restores both the UNC path and the URL to the default location, which is the core server's \LDLogon\Patch folder.

About the Ivanti Antivirus page

Use this page to configure download options for Ivanti Antivirus virus definition files. Keep in mind this page applies only to actual virus definition files that are used by Ivanti Antivirus; it does not apply to the antivirus scanner detection content (Antivirus updates) that is available in the definition list on the Updates page.

About the Content page

Use this page to specify whether to require verification before downloading definitions. Requiring verification makes the download more secure.

  • Verify definition signatures/hashes before downloading: Check to exclude any definitions that do not have a valid SHA256 hash. The signatures that are excluded from the download will appear as failures.

About the Import/Export page

Use this page to import or export a group of download settings that you previously specified on all of the pages of the Download updates dialog box. If you have multiple cores, this allows you to save time by copying the settings to each core so that you don't have to select the individual settings on each machine.

  • Import settings from file...: Click to open the Select File to Import dialog, then browse to the *.ldms files you wish to import and click Open.
  • Export settings to file...: Click to open the Select export filename dialog, then browse to the settings you wish to export and click Save.
  • Copy settings to another core...: Click to open the Copy content to cores dialog, then select one or more servers and click Copy content.

Definition properties help

About the Definition properties dialog box

Use this dialog box to view properties for downloaded content definition types, including vulnerabilities, spyware, security threats, software updates, etc.

You also use this page to create your own custom definitions.

This information is read-only for downloaded definitions. For custom definitions, the fields on this dialog box are editable. You can enter identification, attribute, and detection rule details information for a custom definition by using the available fields on this dialog box and on the detection rule properties dialog box.

Use the left and right arrow buttons (<, >) to view the previous or next definition's property information in the order they're currently listed in the main window.

The Definition properties dialog box contains the following pages:

About the Definition: General page

About the Definition: Description page

About the Definition: Dependencies page

About the Definition: Custom Variables page

About the Definition: General page

ID: Identifies the selected definition with a unique, vendor-defined alphanumeric code (or user-defined in the case of a custom definition).

Type: Identifies the selected item as a vulnerability, security threat, custom definition, etc.

Publish Date: Indicates the date the selected definition was published by the vendor (or created by a user).

Title: Describes the nature or target of the selected definition in a brief text string.

Severity: Indicates the severity level of the definition. For downloaded content, this severity level is assigned by the vendor. For a custom definition, the severity is assigned by whoever created the definition. Possible severity levels include: Service Pack, Critical, High, Medium, Low, Not Applicable, and Unknown. Use this information to evaluate the risk posed by the definition, and how urgent scanning and remediation are for your network.

Status: Indicates the status of the definition in the Patch and Compliance window. The three status indicators are: Scan, meaning the selected item is enabled for the next security scan; Don't Scan, meaning it won't be scanned; and Unassigned, meaning it is in a temporary holding area and won't be scanned. For more information about these three states/groups, see Open and understand the Patch and Compliance tool.

Language: Indicates the language of the platform identified by the definition. For custom definitions, the default value is INTL, which means the definition is language independent; this value can't be edited.

Category: Indicates a more specific category within an individual security content type (see above).

Retain in client cache unless marked "Do not scan": When selected, keeps the patch files in the client cache. This is useful for vulnerabilities that you repeatedly scan for. When unchecked after previously being checked, that patch will be removed the next time the client checks status.

Detection Rules: Lists the detection rules associated with the selected definition. Note that Downloaded indicates whether associated patch files are downloaded to the local repository, and Silent Install indicates whether the patch installs without user interaction.

You can right-click a detection rule to download its associated patch (or patches), disable/enable the detection rule for security scanning, uninstall its associated patches, or view its properties. You can also double-click a detection rule to view its properties.

If you're working with a custom definition, click Add to create a new detection rule; click Edit to modify the selected rule; or click Delete to remove the selected rule.

About the Definition: Description page

Description: Provides additional details about the selected definition. This information is provided by vendor research and test notes (or by the user who created the custom definition).

More information at: Provides an HTTP link to a vendor-specific or user-defined web page, typically a support site, with more information about the selected definition.

More information for CVE ID: (Applies only to vulnerabilities) Provides the CVE ID (name) for the selected vulnerability, plus a link to the CVE web page for that specific CVE ID. For more information, see Search for vulnerabilities by their CVE name.

About the Definition: Dependencies page

This page displays only if the selected definition has an associated prerequisite definition, or if another definition depends on the selected definition before it can run. You can use this page to make sure your security scan task contains all the definitions necessary to operate properly before scanning devices.

A dependency relationship can exist only for the following security definition types:

Prerequisites: Lists any definitions that have to be run BEFORE the selected definition can be checked for on devices. If any of the definitions in this list aren't included in your scan task, the selected definition won't be detected by the security scanner.

Dependencies: Lists any definitions that won't be detected by the security scanner until AFTER the selected definition is run. Note that the selected definition will be scanned for even if these definitions aren't included in your security scan task. However, if you want your scan task to successfully detect a definition in this list, the selected definition must be run first.
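A check for the Prerequisites condition described above, as an added Python example (not part of the Ivanti product): it reports definitions in a scan task whose prerequisites are absent from that task. The definition IDs and the prerequisite map are constructed sample data, and following prerequisites of prerequisites goes beyond the single level the page describes.

```python
def missing_prerequisites(scan_task, prerequisites):
    """Return {definition ID: [missing prerequisite IDs]} for a scan task.

    scan_task      -- iterable of definition IDs included in the scan
    prerequisites  -- dict mapping a definition ID to the IDs that must
                      run before it (hypothetical export of the
                      Dependencies page data)
    """
    in_scan = set(scan_task)
    report = {}
    for definition in sorted(in_scan):
        missing, seen = set(), set()
        stack = list(prerequisites.get(definition, ()))
        while stack:
            prereq = stack.pop()
            if prereq in seen:  # guards against circular dependency data
                continue
            seen.add(prereq)
            if prereq not in in_scan:
                missing.add(prereq)
            # Assumption: a prerequisite's own prerequisites matter too.
            stack.extend(prerequisites.get(prereq, ()))
        if missing:
            report[definition] = sorted(missing)
    return report


# Constructed sample data: placeholder IDs, not real definition IDs.
SAMPLE_PREREQUISITES = {
    "EXAMPLE-APP-UPDATE-3": ["EXAMPLE-APP-UPDATE-2"],
    "EXAMPLE-APP-UPDATE-2": ["EXAMPLE-APP-BASE"],
    "EXAMPLE-OS-ROLLUP": ["EXAMPLE-OS-SERVICING-STACK"],
}
SAMPLE_SCAN_TASK = [
    "EXAMPLE-APP-UPDATE-3",
    "EXAMPLE-APP-UPDATE-2",
    "EXAMPLE-OS-ROLLUP",
]

if __name__ == "__main__":
    for definition, missing in missing_prerequisites(
        SAMPLE_SCAN_TASK, SAMPLE_PREREQUISITES
    ).items():
        print(f"{definition}: add to scan task first -> {', '.join(missing)}")
```

An empty result means every definition in the task has its prerequisites included.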

About the Definition: Custom Variables page

This page displays ONLY if the selected security definition includes settings or values that can be modified. Some system configuration security threat definitions have variable settings that you can change before including them in a security scan. Typically, antivirus definitions also have custom variable settings.

With custom variables, you can fine-tune security threat scanning by modifying the values of one or more settings so that the scanner checks for conditions you define, and then determines a device to be vulnerable only if that condition is met.

IMPORTANT: Edit Custom Variables right required
To edit custom variable settings, a user must have the Edit Custom Variables role-based administration right. Rights are configured with the Users tool.

Every security definition with customizable variables has a unique set of specific values that can be modified. In each case however, the Custom Variables page will show the following common information:

Name: Identifies the custom variable. The name can't be modified.

Value: Indicates the current value of the custom variable. Unless the variable is read-only, you can double-click this field to change the value.

Add variable: Opens a dialog box where you can create your own custom variable. (NOTE: Before you can create a custom variable for a custom vulnerability definition, the definition must first contain at least one detection rule.)

Edit variable: Lets you edit the selected custom variable.

Remove variable: Deletes the selected custom variable.

Description: Provides additional useful information about the custom variable from the definition publisher.

Default value: Provides the default value if you've changed it and want to restore it to its original value.

To change a custom variable, double-click the Value field, and either select a value if there's an available drop-down list, or manually edit the value, and then click Apply. Note that some variables are read-only and can't be edited (this is usually indicated in the description).

Custom variable override settings information can be viewed in the device's Inventory view.

NOTE: Custom variable override settings
In some situations, you may want the scanner to ignore custom variable settings by using a feature called Custom variable override settings. You can specify that the scanner ignore certain custom variables when scanning devices so that the variables aren't detected as vulnerable and aren't remediated, even if they meet the actual conditions of a definition's detection rules. A user must have the Edit Custom Variables right to create or edit these override settings. You can create as many settings as you like, and apply them to devices using a Change settings task. For more information, see Agent settings: Custom variables to override.

About the Add/edit custom variable dialog box

Use this dialog to create and edit your own custom variables for your custom vulnerability definitions. With custom variables, you can fine-tune security threat scanning by modifying one or more setting's values so that the scanner checks for conditions you define, and therefore determines a device to be vulnerable only if that condition is met (i.e., the value you specify is detected).

IMPORTANT: Before you can create a custom variable for a custom vulnerability definition, the definition must first contain at least one detection rule.

This dialog contains the following options:

Name: Identifies the custom variable.

Description: Lets you provide additional useful information about the custom variable.

Type: Identifies the type of resource used to define the custom variable (types include: string, encrypted string, multi-value string, integer, enumeration, boolean).

Possible values: Enter all of the possible values that can be considered valid for the custom variable you're creating (based on the type specified above).

Default value: Enter the default value for the custom variable.

Detection rule properties help

About the Detection rule properties dialog box

Use this dialog box to view detection rule properties for downloaded security content and to create and edit custom detection rules.

This information is read-only for detection rules belonging to downloaded definitions. For custom definitions, the fields of this dialog box are editable. Specify detection rule settings and configure the options on each page to create custom detection rules. Furthermore, if the custom detection rule allows remediation, you can add special commands that run during remediation (patch install or uninstall).

You can use the left and right arrow buttons (<, >) to view property information for the previous or next detection rule in the order they are currently listed in the main window.

The Detection rule properties dialog box contains the following pages:

About the Detection rule: General information page

About the Detection logic: Affected platforms page

About the Detection logic: Affected products page

About the Detection logic: Files used for detection page

About the Detection logic: Registry settings used for detection page

About the Detection logic: Custom script page

About the Patch information page

About the Detecting the patch: Files used for installed patch detection page

About the Detecting the patch: Registry settings used for installed patch detection page

About the Patch install commands page

About the Patch uninstall commands page

About the Detection rule: General information page

Name: Displays the name of the detection rule.

State: Indicates whether the detection rule is set to scan or not. These two states correspond to the Scan and Don't Scan groups (under Detection Rules in the Patch and Compliance window).

ID: Shows the ID of the definition associated with this rule.

Title: Shows the title of the definition associated with this rule.

Description: Shows the description of the definition associated with this rule.

Comments: Provides additional information from the vendor, if available. If you're creating or editing a custom definition, you can enter your own comments.

Detection logic pages

The following pages refer to the detection logic used by the selected detection rule to determine whether the vulnerability definition (or other definition type) exists on a scanned device.

About the Detection logic: Affected platforms page

Identifies the operating systems the security scanner will run on to check for this rule's associated definition. In other words, only devices matching the selected platforms will attempt to process this rule. At least one platform MUST be selected. If a target device is running a different operating system, the security scanner quits.

About the Detection logic: Affected products page

Products: Lists the products you want to check for with the detection rule to determine whether the associated definition exists on scanned devices. Select a product in the list to view its name, vendor, and version information. You do not need to have a product associated with a detection rule. Associated products act as a filter during the security scan process. If none of the specified associated products are found on the device, the security scan quits. However, if no products are specified, the scan proceeds to the files check.

If you're creating or editing a custom detection rule, click Configure to open a new dialog box that lets you add and remove products in the list. The list of available products is determined by the security content you've updated via the Ivanti® Endpoint Security for Endpoint Manager web service.

Name: Provides the name of the selected product.

Vendor: Provides the name of the vendor.

Version: Provides the version number of the selected product.

About the Detection logic: Files used for detection page

Files: Lists the file conditions (existence, version, date, size, etc.) that are used to determine whether the associated definition exists on scanned devices. Select a file in the list to view its verification method and expected parameters. If all the file conditions are met, the device is not affected. Said another way, if any of these file conditions are NOT met, the vulnerability is determined to exist on that device. If there are no file conditions in the list, the scan proceeds to the registry check.

If you're creating or editing a custom detection rule, click Add to make the fields editable, allowing you to configure a new file condition and expected values/parameters. A rule can include one or more file conditions, depending on how complex you want to make it. To save a file condition, click Update. To delete a file condition from the list, select it and click Remove.

Verify using: Indicates the method used to verify whether the prescribed file condition is met on scanned devices. For example, a detection rule can scan for file existence, version, date, size, and so on. The expected parameters that appear below the verification method are determined by the method itself (see the list below).

If you're creating or editing a custom detection rule, select the verification method from the Verify using drop-down list. As stated above, the parameter fields are different for each verification method, as described in the following list:

Note that the Search for file recursively option applies to all the file verification methods except for the MSI methods, and causes the scan to search for files in the specified path location and any existing subfolders.

File Existence Only: Verifies by scanning for the specified file. Parameters are: Path (location of the file on the hard drive), including the filename, and Requirement (must exist or must not exist).

File Version: Verifies by scanning for the specified file and its version number. Parameters are: Path, Minimum Version, and Requirement (must exist, must not exist, or may exist).

Note that for the File Version, Date, and Size parameters, after specifying the file path and name, you can click the Gather Data button to automatically populate the appropriate value fields.

File Date: Verifies by scanning for the specified file and its date. Parameters are: Path, Minimum Date, and Requirement (must exist, must not exist, or may exist).

File Size and/or Checksum: Verifies by scanning for the specified file and its size or checksum value. Parameters are: Path, Checksum, File size, and Requirement (must exist, must not exist, or may exist).

MSI Product ID installed: Verifies by scanning to ensure the specified MSI product is installed (a product installed by the Microsoft Installer utility). Parameters are: Guid (the product's global unique identifier).

MSI Product ID NOT installed: Verifies by scanning to ensure the specified MSI product isn't installed. Parameters are: Guid.

About the Detection logic: Registry settings used for detection page

Registry: Lists the registry key conditions that are used to determine whether the associated vulnerability (or other type) exists on a scanned device. Select a registry key in the list to view its expected parameters. If any of these conditions are NOT met, the vulnerability is determined to exist on that device.

IMPORTANT: If there are no registry conditions in the list, AND there were no file conditions on the Files page, the scan will fail. A detection rule must have at least one file or registry condition.

If you're creating or editing a custom detection rule, click Add to configure a new registry key condition and its expected parameters. A rule can include one or more registry conditions. To save a registry condition, click Update. To delete a registry condition from the list, select it and click Remove.

Key: Identifies the registry key's expected folder and path.

Name: Identifies the expected name of the key.

Value: Identifies the expected value of the key.

Requirement: Indicates whether the registry key must or must not exist on target devices.
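The scan flow described on the Detection logic pages above (platform filter, product filter, file conditions, then registry conditions), modelled as an added Python example; it is not Ivanti's scanner code. The data layout, the outcome labels, the reading of "may exist" as tolerating a missing file, and checking registry conditions after the file conditions pass are assumptions, and the device inventory is constructed sample data.

```python
from typing import NamedTuple, Optional

# Requirement values named on the Files and Registry pages.
MUST_EXIST, MUST_NOT_EXIST, MAY_EXIST = "must exist", "must not exist", "may exist"


def parse_version(text):
    """'11.0.2' -> (11, 0, 2, 0), so versions compare numerically, not as text."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


class FileCondition(NamedTuple):
    path: str
    requirement: str
    minimum_version: Optional[str] = None  # None models "File Existence Only"

    def is_met(self, device):
        found = device["files"].get(self.path)  # version string, None if absent
        if self.requirement == MUST_NOT_EXIST:
            return found is None
        if found is None:
            # Assumption: "may exist" tolerates a missing file.
            return self.requirement == MAY_EXIST
        if self.minimum_version is None:
            return True
        return parse_version(found) >= parse_version(self.minimum_version)


class RegistryCondition(NamedTuple):
    key: str
    name: str
    value: str
    must_exist: bool = True

    def is_met(self, device):
        present = device["registry"].get((self.key, self.name)) == self.value
        return present == self.must_exist


class DetectionRule(NamedTuple):
    platforms: tuple
    products: tuple = ()
    files: tuple = ()
    registry: tuple = ()


def evaluate(rule, device):
    """Return (outcome, reason) following the order the help pages describe."""
    if not rule.platforms:
        return "error", "at least one platform must be selected"
    if not rule.files and not rule.registry:
        return "error", "rule has no file or registry condition"
    if device["platform"] not in rule.platforms:
        return "skipped", "platform not affected"
    # Products act as a filter; with no products listed the scan goes on.
    if rule.products and not set(rule.products) & set(device["products"]):
        return "skipped", "no associated product installed"
    for cond in rule.files:
        if not cond.is_met(device):
            return "detected", f"file condition not met: {cond.path}"
    for cond in rule.registry:
        if not cond.is_met(device):
            return "detected", f"registry condition not met: {cond.key}\\{cond.name}"
    return "not affected", "all conditions met"


# Constructed sample rule and inventory (hypothetical product, path and key).
READER_DLL = r"C:\Program Files\Example Reader\reader.dll"
HARDENING = (r"HKLM\SOFTWARE\Example\Reader", "ProtectedMode")

RULE = DetectionRule(
    platforms=("Windows 10", "Windows 11"),
    products=("Example Reader",),
    files=(FileCondition(READER_DLL, MUST_EXIST, "11.0.5.0"),),
    registry=(RegistryCondition(HARDENING[0], HARDENING[1], "1"),),
)


def sample_device(version="11.0.2.0", protected_mode="1"):
    return {
        "platform": "Windows 10",
        "products": ["Example Reader"],
        "files": {READER_DLL: version},
        "registry": {HARDENING: protected_mode},
    }


if __name__ == "__main__":
    for version in ("11.0.2.0", "11.0.5.0", "11.0.10.0"):
        print(version, evaluate(RULE, sample_device(version)))
```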

About the Detection logic: Custom script page

Use this page if you want to write a custom VB script that checks for any other conditions on scanned devices. The security scanner's runtime properties that can be accessed with a custom script to report its results are: Detected, Reason, Expected, and Found.

Click the Use editor button to open your default script editing tool associated with this file type. When you close the tool, you're prompted to save your changes in the Custom Script page. If you want to use a different tool, you have to change the file type association.

About the custom vulnerability's product properties: General information page

Use these dialog boxes when creating a custom vulnerability definition that includes a custom product.

You can enter a name, vendor, and version number, and then define the detection logic that determines the conditions for the vulnerability to exist.

These dialog boxes are similar to the properties dialog boxes for downloaded published vulnerability definitions. Please see the corresponding sections above.

This page includes the following options:

Affected products: Lists products that are affected by this custom vulnerability definition.

Available products: Lists all downloaded products.

Filter available products by affected platforms: Restricts the list of available products to only those that are associated with the platforms you've selected on the Detection logic: Affected platforms page.

Add: Opens the Properties dialog box where you can create a custom product definition.

About the custom vulnerability's product: Detection logic page

The following pages refer to the detection logic used by the selected detection rule to determine whether the vulnerability definition (or other definition type) exists on a scanned device.

These dialog boxes are similar to the detection logic dialog boxes for downloaded known OS and application vulnerability definitions published by vendors that are described above. For information about the options, see the corresponding sections above.

About the custom vulnerability's product: Detection logic: Files used for detection page

See the Detection logic: Files used for detection page above.

About the custom vulnerability's product: Detection logic: Registry settings keys used for detection page

See the Detection logic: Registry settings used for detection page above.

About the custom vulnerability's product: Detection logic: Custom detection script page

See the Detection logic: Custom script page above.

About the Patch information page

Use this page to define and configure the rule's associated patch file (if one is required for remediation) and the logic used to detect whether the patch is already installed. You can also configure additional patch file install or uninstall commands for customized remediation.

This page and the ones under it refer to the patch file required to remediate a vulnerability. These pages are applicable only if the selected detection rule allows remediation by deploying a patch file. If the detection rule is limited to scanning only, or if the security content type doesn't use patch files for remediation, as in the case of security threats, or spyware, then these pages are not relevant.

Repaired by patch, or detection only: Click one of these options to specify whether the detection rule should check just for the presence of the associated definition (detect only), or if it can also remediate that definition by deploying and installing the required patch.

Patch download information:

Patch URL: Displays the full path and filename of the patch file required to remediate the selected definition if detected. This is the location from where the patch file is downloaded.

Auto-downloadable: Indicates whether the patch file can be automatically downloaded from its hosting server. You can use this option with custom detection rules if you want to prevent patch files from being downloaded via the rule's shortcut menu. For example, you may need to prevent an automatic patch download if a firewall is blocking access to the hosting server.

Download: If you're creating or editing a custom detection rule that performs remediation, and you've entered a patch filename and URL, you can click Download to attempt to download the patch file at this time. You can download the patch file at a later time if you prefer.

Unique filename: Identifies the unique executable filename of the patch file.

It is strongly recommended that when you download a patch file, you create a hash for the patch file by clicking Generate MD5 Hash. (Most, if not all, patch files associated with known vulnerabilities should have a hash.) The patch file must be downloaded before you can create a hash. A hash file is used to ensure the integrity of the patch file during remediation (that is, when it's deployed and installed on an affected device). The security scanner does this by comparing the hash code created when you click the Generate MD5 Hash button with a new hash it generates immediately before attempting to install the patch file from the patch repository. If the two hash files match, remediation proceeds. If the two hash files do not match, indicating the patch file has changed in some way since being downloaded to the repository, the remediation process quits.
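The download-time and install-time comparison described above, as an added example that is not Ivanti's code: it records a baseline digest, re-hashes the repository copy immediately before installing, and quits on a mismatch or a missing file. It also records SHA-256 beside MD5 (an addition made here, since MD5 collisions are practical); the file name, bytes, and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024  # read in chunks so large patch files are not loaded whole


def file_digests(path):
    """Stream the file once and return its MD5 and SHA-256 hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_baseline(path):
    """Download time: the step that corresponds to clicking Generate MD5 Hash."""
    return file_digests(path)


def verify_before_install(path, baseline):
    """Install time: re-hash the repository copy and compare with the baseline.

    Returns (ok, reason).
    """
    if not os.path.isfile(path):
        return False, "patch file is missing from the repository"
    current = file_digests(path)
    for algo in ("md5", "sha256"):
        if not hmac.compare_digest(current[algo], baseline[algo]):
            return False, "%s mismatch: expected %s, found %s" % (
                algo, baseline[algo], current[algo])
    return True, "hashes match"


def remediate(path, baseline, install):
    """Call install(path) only if the file is unchanged since download."""
    ok, reason = verify_before_install(path, baseline)
    if not ok:
        return "remediation quit: " + reason
    install(path)
    return "installed"


def demo():
    """Constructed walk-through with a temporary stand-in for a patch file."""
    installed = []
    with tempfile.TemporaryDirectory() as repo:
        patch = os.path.join(repo, "example-patch.exe")  # hypothetical name
        with open(patch, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1024)  # constructed bytes, not a real patch
        baseline = record_baseline(patch)

        # Unchanged file: the install callback runs.
        first = remediate(patch, baseline, installed.append)

        # The repository copy changes after the baseline was taken.
        with open(patch, "ab") as fh:
            fh.write(b"\x90")
        second = remediate(patch, baseline, installed.append)

        # The repository copy disappears.
        os.remove(patch)
        third = remediate(patch, baseline, installed.append)
    return first, second, third, len(installed)


if __name__ == "__main__":
    for item in demo():
        print(item)
```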

Requires reboot: Indicates whether the patch file requires a device reboot before completing its installation and configuration processes on the device.

Silent install: Indicates whether the patch file can complete its installation without any end user interaction.

Detecting the patch pages

The following pages refer to the detection logic used by the rule to check if the patch is already installed on devices.

IMPORTANT: ALL of the specified conditions for BOTH files and registry settings must be met in order for the patch file to be detected as installed on a device.

About the Detecting the patch: Files used for installed patch detection page

This page specifies the file conditions used to determine whether the patch file is already installed on a device. The options on this page are the same as on the Files page for definition detection logic (see above). However, the logic works conversely when detecting patch installation. In other words, when checking for a patch installation, all of the file conditions specified on this page must be met in order to determine an installation.

About the Detecting the patch: Registry settings used for installed patch detection page

This page specifies the registry key conditions used to determine whether the patch file is already installed on a device. The options on this page are the same as on the Registry settings page for definition detection logic (see above). However, the logic works conversely in this case. In other words, when checking for a patch installation, all of the registry conditions specified on this page must be met in order to determine an installation.

IMPORTANT: ALL of the specified conditions for BOTH files and registry settings must be met in order for the patch file to be detected as installed on a device.
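The two readings of a condition list (any unmet condition means the vulnerability exists; all conditions met means the patch is installed) can be modelled as follows. This is an added illustration, not the scanner's implementation. Assumptions: the registry is a constructed in-memory snapshot, file conditions arrive as already-evaluated booleans, "must exist" is met when the named value is present with the expected data, "must not exist" is met when it is absent, and an empty patch-detection list is treated as not installed.

```python
MUST_EXIST, MUST_NOT_EXIST = "must exist", "must not exist"


def snapshot(entries):
    """Build a case-insensitive registry snapshot from (key, name, data) tuples."""
    reg = {}
    for key, name, data in entries:
        reg.setdefault(key.lower(), {})[name.lower()] = data
    return reg


def condition_met(cond, reg):
    """Evaluate one Key/Name/Value/Requirement condition against the snapshot."""
    values = reg.get(cond["Key"].lower(), {})
    name = cond["Name"].lower()
    if cond["Requirement"] == MUST_NOT_EXIST:
        return name not in values
    return name in values and values[name] == cond["Value"]


def _results(reg_conditions, reg, file_results):
    return [condition_met(c, reg) for c in reg_conditions] + list(file_results)


def vulnerability_detected(reg_conditions, reg, file_results=()):
    """Definition detection: ANY unmet condition means the vulnerability exists."""
    results = _results(reg_conditions, reg, file_results)
    if not results:
        # The page states that a rule with no file or registry condition fails the scan.
        raise ValueError("a detection rule needs at least one file or registry condition")
    return not all(results)


def patch_installed(reg_conditions, reg, file_results=()):
    """Patch detection: ALL file and registry conditions must be met."""
    results = _results(reg_conditions, reg, file_results)
    return bool(results) and all(results)  # empty list: assumed "not installed"


# Constructed sample data (hypothetical vendor, key and values).
KEY = r"HKLM\SOFTWARE\ExampleVendor\ExampleApp"
CONDITIONS = [
    {"Key": KEY, "Name": "Version", "Value": "2.1", "Requirement": MUST_EXIST},
    {"Key": KEY, "Name": "LegacyMode", "Value": None, "Requirement": MUST_NOT_EXIST},
]
UNPATCHED = snapshot([(KEY, "Version", "2.0"), (KEY, "LegacyMode", "1")])
PATCHED = snapshot([(KEY, "Version", "2.1")])

if __name__ == "__main__":
    for label, reg in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label,
              "vulnerable:", vulnerability_detected(CONDITIONS, reg),
              "patch installed:", patch_installed(CONDITIONS, reg))
```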

Patch install and uninstall pages

The following pages let you configure additional commands that run when the patch is installed on or uninstalled from affected devices.

This option is available only for custom definitions that allow remediation.

These commands are useful if you need to program specific actions on target devices to ensure successful remediation. Additional commands aren't required. If you don't configure any additional commands, the patch file executes by itself by default. Keep in mind that if you do configure one or more additional commands, you must also include a command that executes the actual patch file with the Execute command.

About the Patch install commands page

Use this page to configure additional commands for a patch install task. The available commands are the same for patch install and uninstall.

Commands: Lists commands in the order they will run on target devices. Select a command to view its arguments. You can change the order of commands with the Move Up and Move Down buttons. To remove a command from the list, select it and click Remove.

Add: Opens a dialog box that lets you select a command type to add to the Commands list.

Command Arguments: Displays the arguments that define the selected command. An argument's values can be edited. To edit any argument, double-click its Value field, and then type directly in the field. For all the command types, you can also right-click in the Value field to insert a macro/variable into the argument.

The following list describes the commands and their arguments:

Copy: Copies a file from the specified source to the specified destination on the hard drive of the target device. This command can be used before and/or after executing the patch file itself. For example, after extracting the contents of a compressed file with the Unzip command, you may want to copy files from one location to another.

The arguments for the Copy command are: Dest (full path where you want to copy the file, not including the filename) and Source (full path, and filename, of the file you want to copy).

Execute: Runs the patch file, or any other executable file, on target devices.

The arguments for the Execute command are: Path (full path and filename where the executable file resides; for the patch file, you can use the %SDMCACHE% and %PATCHFILENAME% variables); Args (command-line options for the executable file; note this field is not required); Timeout (number of seconds to wait for the executable to terminate before continuing to the next command in the list if the Wait argument is set to true); and Wait (true or false value that determines whether to wait for the executable to terminate before continuing to the next command in the list).

ButtonClick: Automatically clicks a specified button that displays when an executable file runs. You can use this command to program a button click if such interaction is required by the executable.

In order for the ButtonClick command to work properly, the Wait argument for the preceding Execute command must be set to false so that the executable doesn't have to terminate before continuing to the button click action.

The arguments for the ButtonClick command are: Required (true or false value indicating whether the button must be clicked before proceeding; if you select true and the button can't be clicked for any reason, remediation quits; if you select false and the button can't be clicked, remediation will continue); ButtonIDorCaption (identifies the button you want clicked by its text label or its control ID); Timeout (number of seconds it takes for the button you want clicked to appear when the executable runs); and WindowCaption (identifies the window or dialog box where the button you want clicked is located).

ReplaceInFile: Edits a text-based file on target devices. Use this command to make any modifications to a text-based file, such as a specific value in an .INI file, before or after executing the patch file to ensure that it runs correctly.

The arguments for the ReplaceInFile command are: Filename (full path and name of the file you want to edit); ReplaceWith (exact text string you want to add to the file); and Original Text (exact text string you want to replace in the file).

StartService: Starts a service on target devices. Use this command to start a service required for the patch file to run, or to restart a service that was required to be stopped in order for the patch file to run.

The arguments for the StartService command are: Service (name of the service).

StopService: Stops a service on target devices. Use this command if a service must be stopped on a device before the patch file can be installed.

The arguments for the StopService command are: Service (name of the service).

Unzip: Unzips a compressed file on target devices. For example, you can use this command if remediation requires more than one file be run or copied on target devices.

The arguments for the Unzip command are: Dest (full path to where you want to extract a compressed file's contents on a device's hard drive) and Source (full path and filename of the compressed file).

WriteRegistryValue: Writes a value to the registry.

The arguments for the WriteRegistryValue command are: Key, Type, ValueName, ValueData, and WriteIfDataEmpty.
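The ordering rules above (an Execute must be present once any additional command is configured, and ButtonClick needs the preceding Execute to have Wait set to false) are easy to miss when editing a command list by hand. The following added example, which is not part of the product, checks a command list written out as data. The tuple format, the sample paths and service name, the way the two variables are joined, and the "stopped but never restarted" warning are assumptions of this example.

```python
# Required arguments per command type, as listed above (Execute's Args is optional).
REQUIRED_ARGS = {
    "Copy": ("Dest", "Source"),
    "Execute": ("Path", "Timeout", "Wait"),
    "ButtonClick": ("Required", "ButtonIDorCaption", "Timeout", "WindowCaption"),
    "ReplaceInFile": ("Filename", "ReplaceWith", "Original Text"),
    "StartService": ("Service",),
    "StopService": ("Service",),
    "Unzip": ("Dest", "Source"),
    "WriteRegistryValue": ("Key", "Type", "ValueName", "ValueData", "WriteIfDataEmpty"),
}


def _is_false(value):
    """Accept a bool or the text typed into the Value field ("false")."""
    return str(value).strip().lower() == "false"


def lint_commands(commands):
    """Check an ordered list of (command_type, {argument: value}) tuples.

    Returns (severity, index, message) findings. An empty list is valid:
    with no additional commands the patch file executes by itself.
    """
    findings = []
    last_execute = None   # arguments of the most recent Execute seen so far
    stopped = {}          # lower-cased service name -> (index, name as written)

    for i, (kind, args) in enumerate(commands):
        if kind not in REQUIRED_ARGS:
            findings.append(("error", i, "unknown command type %s" % kind))
            continue
        for arg in REQUIRED_ARGS[kind]:
            if arg not in args:
                findings.append(("error", i, "%s is missing argument %s" % (kind, arg)))

        if kind == "Execute":
            last_execute = args
        elif kind == "ButtonClick":
            if last_execute is None:
                findings.append(("error", i, "ButtonClick has no preceding Execute"))
            elif not _is_false(last_execute.get("Wait")):
                findings.append(
                    ("error", i, "ButtonClick needs the preceding Execute to have Wait=false"))
        elif kind == "StopService":
            service = str(args.get("Service", ""))
            stopped[service.lower()] = (i, service)
        elif kind == "StartService":
            stopped.pop(str(args.get("Service", "")).lower(), None)

    if commands and last_execute is None:
        findings.append(("error", None, "no Execute command, so the patch file never runs"))
    for i, service in stopped.values():
        # Heuristic added by this example, not a rule stated by the product.
        findings.append(("warning", i, "service %s is stopped but never restarted" % service))
    return findings


# Constructed sample command lists (hypothetical paths and service name).
GOOD = [
    ("StopService", {"Service": "ExampleSvc"}),
    ("Execute", {"Path": "%SDMCACHE%%PATCHFILENAME%", "Args": "/quiet",
                 "Timeout": 600, "Wait": True}),
    ("StartService", {"Service": "ExampleSvc"}),
]
BAD = [
    ("Unzip", {"Source": "%SDMCACHE%%PATCHFILENAME%", "Dest": r"C:\Temp\fix"}),
    ("Execute", {"Path": r"C:\Temp\fix\setup.exe", "Timeout": 300, "Wait": True}),
    ("ButtonClick", {"Required": True, "ButtonIDorCaption": "OK", "Timeout": 30}),
    ("StopService", {"Service": "ExampleSvc"}),
]

if __name__ == "__main__":
    for label, cmds in (("GOOD", GOOD), ("BAD", BAD)):
        print(label)
        for finding in lint_commands(cmds) or [("ok", None, "no findings")]:
            print("  ", finding)
```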

About the Patch uninstall commands page

Use this page to configure additional commands for a patch uninstall task. The available commands are the same for patch install and uninstall. However, the Patch uninstall commands page includes two unique options:

Patch can be uninstalled: Indicates whether the patch file can be uninstalled from remediated devices.

Original patch is required for uninstall: Indicates whether the original patch executable file itself must be accessible on the core server to uninstall it from scanned devices.

For information on the commands, see About the Patch install commands page.

Patch and Compliance tasks help

About the Create security scan task dialog box

Use this dialog box to create and configure a scheduled task that runs the security scanner on target devices.

You can also run an immediate on-demand security or compliance scan on one or more target devices. Right-click the selected device (or up to 20 multi-selected devices), and either click Security scan and select a scan and repair settings, or click Compliance scan, and then click OK. A compliance scan checks target devices specifically for compliance with your security policy based on the contents of the Compliance group.

This dialog box contains the following options:

Name: Enter a unique name to identify the security scan task.

Create a scheduled task: Adds the security scan task to the Scheduled tasks window, where you can configure its scheduling and recurrence options, and assign target devices.

Create a policy: Adds the security scan task as a policy to the Scheduled tasks window, where you can configure the policy options.

Scan and repair settings: Specifies scan and repair settings used for the scan task. Scan and repair settings determine whether the security scanner displays on devices while running, reboot options, user interaction, and the security content types scanned. Select a scan and repair settings from the drop-down list to assign it to the security scan task you're creating.

About the Change settings task dialog box

Use this dialog box to create and configure a task that changes the default settings on target devices for Patch and Compliance services, including:

Scan and repair settings

Compliance security settings (applies only to compliance security scans)

Custom variable override settings

With a change settings task, you can conveniently change a managed device's default settings (which are written to the device's local registry) without having to redeploy a full agent configuration.

Task name: Enter a unique name to identify the task.

Create a scheduled task: Adds the task to the Scheduled tasks window, where you can configure its scheduling and recurrence options, and assign target devices.

Create a policy: Adds the task as a policy to the Scheduled tasks window, where you can configure the policy options.

Scan and repair settings: Specifies scan and repair settings used for security scan tasks. Scan and repair settings determine whether the scanner displays on devices while running, reboot options, user interaction, and the security content types scanned. Select one of the settings from the drop-down list. For more information, see About the Configure scan and repair (and compliance) settings dialog box.

Compliance settings: Specifies compliance settings used for compliance scan tasks. Compliance settings determine when and how a compliance scan takes place, whether remediation occurs automatically, and/or what to do when Ivanti Antivirus detects a virus infection on target devices.

Custom variables override settings: Specifies custom variable override settings used on target devices when they're scanned for security definitions that include custom variables (such as security threats and viruses). Custom variable override settings let you specify values you want to ignore or bypass during a security scan. This is very useful in situations where you don't want a scanned device to be identified as vulnerable according to a definition's default custom variable settings. Select one of the settings from the drop-down list. From the drop-down list, you can also select to remove the custom variable override settings from target devices. The Remove custom variable settings option lets you clear a device so that custom variable settings are in full effect. For more information, see Agent settings: Custom variables to override.

About the Create reboot task dialog box

Use this dialog box to create and configure a generic reboot task.

A reboot task can be useful when you want to install patches (without rebooting) as a single process and then reboot those remediated devices as another separate task. For example, you can run a scan or a patch install task during the day, and then deploy a reboot-only task at a more convenient time for end users.

Task name: Identifies the task with a unique name.

Create a scheduled task: Creates a reboot task in the Scheduled tasks window when you click OK.

Create a policy: Creates a reboot policy when you click OK.

Scan and repair settings: Specifies which scan and repair settings' reboot configuration is used for the task to determine reboot requirements and action on target devices.

About the Create repair task dialog box

Use this dialog box to create and configure a repair (remediation) task for the following definition types: vulnerabilities, spyware, Ivanti software updates, custom definitions, and security threats with an associated patch. The schedule repair option is not applicable to blocked applications.

This dialog box includes the following pages:

About the Create repair task: General page

About the Create repair task: Patches page

About the Create repair task: General page

Task name: Identifies the repair task with a unique name. The default is the name of the selected definition or the custom group. You can edit this name if you prefer.

Repair as a scheduled task: Creates a security repair task in the Scheduled tasks window when you click OK.

Split into staging task and repair task: (Optional) Creates two separate tasks in the Scheduled tasks tool: one task for staging the required patch files in the target device's local cache, and one task for actually installing those patch files on the affected devices.

Select computers to repair: Specifies which devices to add to the scheduled repair task. You can choose no devices, all affected devices (devices where the definition was detected by the last security scan), or only the affected devices that are also selected (this last option is available only when you access the Schedule repair dialog box from within a device Security and Patch Information dialog box).

Use Multicast: Enables Targeted Multicast for patch deployment to devices. Click this option, and click Multicast Options if you want to configure multicast options. For more information, see About the Multicast options dialog box.

Repair as a policy: Creates a security repair policy when you click OK.

Add query representing affected devices: Creates a new query, based on the selected definition, and applies it to the policy. This query-based policy will search for devices affected by the selected definition, and deploy the associated patch.

Download patch only from local peers: Restricts patch deployment so that it will only take place if the patch file is located in the device local cache or on a peer on the same subnet. This option conserves network bandwidth, but note that for the patch installation to be successful, the patch file must currently reside in one of these two places.

Download patch only (Do not repair): Downloads the patch file to the patch repository but does not deploy the patch. You can use this option if you want to retrieve the patch file in a staging scenario for testing purposes before actual deployment.

Scan and repair settings: Specifies which scan and repair settings is used for the repair task to determine whether the security scanner displays on devices when it is running.

About the Create repair task: Patches page

Use this page to show either required patches only or all associated patches for the selected vulnerability.

To download patches directly from this page, if they have not already been downloaded and placed in the patch repository, click Download.

About the Multicast options dialog box

Use this dialog box to configure the following Targeted Multicast options for a scheduled security repair task:

Multicast Domain Discovery:

Use multicast domain discovery: Enables Targeted Multicast to do a domain discovery for this job. This option won't save the domain discovery results for reuse.

Use multicast domain discovery and save results: Enables Targeted Multicast to do a domain discovery for this job and save the results for future use, saving time on subsequent multicasts.

Use results of last multicast domain discovery: Enables Targeted Multicast to do a domain discovery from the saved results of the last discovery.

Have domain representative wake up computers: Enables devices that support Wake On LAN technology to turn on to receive the multicast.

Number of seconds to wait after Wake on LAN: Sets how long domain representatives wait to multicast after the Wake On LAN packet has been sent. The default waiting period is 120 seconds. If some devices on your network take longer than 120 seconds to boot, you should increase this value. The maximum value allowed is 3600 seconds (one hour).

The options below let you configure task-specific Targeted Multicast parameters. The defaults should be fine for most multicasts.

Maximum number of multicast domain representatives working simultaneously: No more than this number of representatives will be actively doing a multicast at one time.

Limit the processing of machines that failed multicast: When a device fails to receive the file through multicast, it will download the file from the website or file server. This parameter can be used to limit the number of devices that will obtain the file at one time. For example, if the maximum number of threads was 200 and the maximum number of multicast failure threads was 20, the Custom job dialog box would process no more than 20 devices at a time that failed the multicast. The Custom job dialog box will process up to 200 devices at a time if they successfully received the multicast, but no more than 20 of the 200 threads will be processing devices that failed the multicast task. If this value is set to 0, the Custom job dialog box won't perform the distribution portion of the task for any device that failed multicast.

Number of days the files stay in the cache: Amount of time that the file being multicast can stay in the cache on each target device. After this period of time, the file will be automatically purged.

Number of days the files stay in multicast domain representative cache: Amount of time that the file being multicast can stay in the cache on the multicast domain representative. After this period of time, the file will be automatically purged.

Minimum number of milliseconds between packet transmissions (WAN or Local): Minimum amount of time to wait between sending out multicast packets.

This value is only used when the domain representative isn't multicasting a file from its own cache. If this parameter isn't specified, then the default minimum sleep time stored on the subnet/domain representative device will be used. You can use this parameter to limit bandwidth usage across the WAN.

Maximum number of milliseconds between packet transmissions (WAN or Local): Maximum amount of time to wait between sending out multicast packets.

About the Uninstall patch dialog box

Use this dialog box to create and configure an uninstall task for patches that have been deployed to affected devices.

Task name: Identifies the task with a unique name. The default is the name of the patch. You can edit this name if you prefer.

Uninstall as a scheduled task: Creates an uninstall patch task in the Scheduled tasks window when you click OK.

Select targets: Specifies which devices to add to the uninstall patch task. You can choose no devices, all devices with the patch installed, or only the devices with the patch installed that are also selected (this last option is available only when you access the Uninstall Patch dialog box from within a device Security and Patch Information dialog box).

If the original patch is required:

Use Multicast: Enables Targeted Multicast for deploying the uninstall patch task to devices. Click this option, and click Multicast Options if you want to configure the multicast options. For more information, see About the Multicast options dialog box.

Uninstall as a policy: Creates an uninstall patch policy in the Scheduled tasks window when you click OK.

Add query representing affected devices: Creates a new query, based on the selected patch, and applies it to the policy. This query-based policy will search for devices with the selected patch installed and uninstall it.

Scan and repair settings: Specifies which scan and repair settings is used for the uninstall task to determine whether the security scanner displays on devices, reboot options, MSI location information, and so on.

About the Gather historical information dialog box

Use this dialog box to compile data about scanned and detected vulnerabilities on managed devices. This information is used for security reports. You can either gather the data immediately or create a task to collect the data for a specified period of time.

This dialog box contains the following options:

Task name: Identifies the task with a unique name.

Threshold for 'recently scanned': Devices will be considered recently scanned if a scan happened within the specified number of days. The default is 30 days.

Build report data for definitions published less than: Restricts the report to data about vulnerabilities published within the specified time period. The default is 90 days.

Keep historical data for: Specifies the amount of time (in days) for which data will be collected. You can specify 1 day to 3,000 days. The default is 90 days.

Keep rollout project action history data for: Specifies the amount of time (in days) for which data will be collected. The default is 90 days.

Warn if gather historical information has not been run in: Displays a message on the core server console if a task has not run in the specified time period. The default is one day.

Save and gather now: Immediately collects the current data for detected, scanned, and not scanned vulnerabilities.

Create task: (Button) Adds the task to the Scheduled tasks window, where you can configure its scheduling and recurrence options, and assign target devices.

Purge all: (Button) Completely removes the data about vulnerabilities collected to this point.

Patch and Compliance settings help

About the Configure scan and repair (and compliance) settings dialog box

Use this dialog box to manage your scan and repair (and compliance) settings. Once configured, you can apply the settings to tasks for security and compliance scans, repairs, uninstalls, and reboots.

This dialog box contains the following options:

New: Opens the settings dialog box where you can configure the options pertaining to the specified settings type.

Edit: Opens the settings dialog box where you can modify the selected settings.

Copy: Opens a copy of the selected settings as a template, which you can then modify and rename.

Delete: Removes the selected settings from the database.

NOTE: The selected settings may currently be associated with one or more tasks or managed devices. If you delete a setting, devices with that setting will still have it and continue to use it until a new change settings task is deployed. Scheduled tasks and local scheduler tasks with that setting will still run on target devices until a new configuration is deployed.

Close: Closes the dialog box without applying any settings to the task.

About the Configure custom variable override settings dialog box

Use this dialog box to manage your custom variable override settings. Once configured, you can apply custom variable override settings to a change settings task and deploy it to target devices to change (or remove) their default custom variable override settings.

Custom variable override settings enable you to configure exceptions to custom variable values. Use them to ignore or bypass a specific custom variable condition so that a scanned device is not determined to be vulnerable.

This dialog box contains the following options:

New: Opens the Custom variable override settings dialog box where you can configure the options.

Edit: Opens the Custom variable override settings dialog box where you can modify the selected custom variable override settings.

Copy: Opens a copy of the selected settings as a template, which you can then modify and rename.

Delete: Removes the selected settings from the database.

NOTE: The selected settings may currently be associated with one or more tasks or managed devices. If you delete the settings, devices with those settings will still have them and continue to use them until a new change settings task is deployed. Scheduled tasks and local scheduler tasks with those settings will still run on target devices until a new configuration is deployed.

Close: Closes the dialog box, without applying any settings to the task.

You can view custom variable override settings information in the device's Inventory view.

About the Definition group settings dialog box

Use this dialog box to create, edit, and select settings that control how and where security definitions are downloaded based on their type and/or severity.

This dialog box contains the following options:

Definition type and severity filters: Lists definition group settings.

Type: Shows the definition type for the selected group settings.

Severity: Shows the definition severity for the selected group settings.

Status: Shows the status (Do not scan, Scan, and Unassigned) for definitions that match the group settings when they're downloaded. Status corresponds to the group nodes in the tree view. Unassigned is the default status.

Group(s): Shows the group or groups where the security definitions matching the type and severity criteria specified above are placed. You can add and delete as many custom groups as you like.

Autofix: If you've specified that downloaded security definitions are set to Scan status (placed in the Scan group), select this option if you want the vulnerabilities to have autofix enabled.

About the Definition filter properties dialog box

Use this dialog box to define definition group settings. These settings control how and where security definitions are downloaded based on their type and/or severity.

This dialog box contains the following options:

Filter: Defines which security content (definitions) will be placed in the group(s) selected below.

Definition type: Select the definition type you want to download with your desired status and location.

Severity: Select the severity for the specified definition type. If the type matches but the severity does not, the definition will not be filtered by this setting.

Action: Defines what you want to do with the downloaded definitions and where you want them placed.

Set status: Select the status for the downloaded definitions. Options include: Do not scan, Scan, and Unassigned.

Set autofix: Select autofix if the status is Scan and you want the security risk to be fixed automatically upon detection.

Put definition in custom groups: Select one or more groups with the Add and Delete buttons. You can select custom groups you've created, the Alert group, the Compliant group, and several of the available security industry groups.

About the Alert settings dialog box

Use this dialog box to configure security-related alerting for scanned devices, including both vulnerability and antivirus alerting.

The Alert settings dialog box contains the following pages:

Definitions page

Use this page to configure security alerting. If you've added security definitions to the Alert group, Patch and Compliance will alert you whenever any of those definitions is detected on any scanned device.

Minimum alert interval: Specifies the shortest time interval (in minutes or hours) in which alerts for detected vulnerabilities are sent. You can use this setting if you don't want to be alerted too frequently. Set the value to zero if you want instant, real-time alerting to occur.

Add to Alert group: Indicates which vulnerabilities, by severity level, are automatically placed in the Alert group during a content download process. Any definition placed in the Alert group is also automatically placed in the Scan group by default (in order to include those definitions in a security scan task).

Antivirus page

Use this page to configure antivirus alerting.

Minimum alert level: Specifies the shortest time interval (in minutes or hours) in which alerts for detected viruses are sent. You can use this setting if you don't want to be alerted too frequently. Set the value to zero if you want instant, real-time alerting to occur.

Alert on: Indicates which antivirus events generate alerts.

About the Core settings dialog box

Use this dialog box to enable and configure automatic forwarding of the latest security scan results to a rollup core server on your network. Security scan data forwarding allows you to view real-time vulnerability status for all of your managed devices in a large, distributed enterprise network without having to manually retrieve that data directly from the primary core server.

Every time the security scanner runs, it writes a scan results file to a folder called VulscanResults on the core server and notifies the Ivanti® Endpoint Security for Endpoint Manager web service, which adds the file to the core database. If the rollup core settings are enabled and a valid rollup core is identified, the rollup core reads the scan results file into its own database, providing faster access to critical vulnerability information.

This dialog box contains the following options:

Scan results:

Keep scan results in vulscan results folder after processing: Saves the security scan results files in the default vulscan folder.

Decompress files if necessary: Enables automatic decompression of scan results files if they are compressed.

Autofix retry count:

Attempt autofix times before giving up: Specifies the number of times the core server will try to remediate via autofix before it times out.

Attempt autofix indefinitely: Indicates that the core server will try to remediate via autofix until it is successful or until you stop the process.

Autofix settings for revision changed vulnerabilities:

Autofix remains enabled if vulnerability revision changed: (2022 SU4) Vulnerability revision changes will trigger autofix. This is the default behavior.

Autofix is disabled if vulnerability revision changed: (2022 SU4) Vulnerability revision changes won't trigger autofix. This can be helpful in situations where you want to do additional testing on revision changes or if you want to reduce the number of reboots a device experiences because of autofix.

Rollup core:

Send scan results to rollup core immediately: Enables immediate forwarding of security scan results to the specified core server, using the method described above.

Use default rollup URL: Enables the default URL to be used when the scan results file is sent from the core server to the rollup core. Enter the name of the core server, and then check this box to automatically insert the script and web address in the Rollup URL field.

Rollup core name: Identifies the rollup core you want to receive the latest security scan results from the core database.

Rollup URL: Specifies the web address of the rollup core receiving the security scan results and the destination folder for the scan results file on the rollup core. The rollup URL can either be automatically inserted by checking the Use default rollup URL check box, or you can manually edit the field by clearing the check box and entering the URL you want.

About the Permissions dialog box

Use this dialog box to view the effective permissions for the Patch and Compliance tool for the currently logged-in administrator. These permissions settings are configured with the User Management tool. Also, an Ivanti Administrator can change role-based permissions required to edit and import custom vulnerability definitions.

IMPORTANT: ONLY an Ivanti Administrator can change role-based permissions.

This dialog box contains the following options:

User:

View: Indicates the user has the ability to view patch security content.

Edit: Indicates the user has the ability to edit patch security content.

Deploy: Indicates the user has the ability to deploy patch security content.

Edit Public: Indicates the user has the ability to edit custom vulnerability content.

How to interpret role-based permissions:

Require Edit Public permission to edit custom definitions: Specifies that the Edit Public permission is required for a user to be able to edit custom vulnerability definitions.

Require Edit Public permission to import definitions: Specifies that the Edit Public permission is required for a user to be able to import security definitions.

Patch and Compliance toolbar help

About the Purge patch and compliance definitions dialog box

Use this dialog box to completely remove definitions (and their associated detection rules) from the core database.

IMPORTANT: Requires the Ivanti Administrator right
A user must have the Ivanti Administrator right in order to perform this task.

You may want to remove definitions if they have become obsolete, are not working properly, or if the related security risk has been totally resolved.

This dialog box contains the following options:

Platforms: Specifies the platforms whose definitions you want to remove from the database. If a definition is associated with more than one platform, you must select all of its associated platforms in order for the definition and its detection rule information to be removed.

Languages: Specifies the language versions of the selected platforms whose definitions you want to remove from the database. If you've selected a Windows or Macintosh platform, you should specify the languages whose definition information you want to remove. If you've selected a Linux platform, you must specify the Language neutral option in order to remove that platform's language-independent definition information.

Types: Specifies the content types whose definitions you want to remove.

Purge: Completely removes definition and detection rule information for the types you've selected that belong to the specified platforms and languages you've selected. This information can only be restored by downloading the content again.

Close: Closes the dialog box without saving changes and without removing definition information.

About the Security scan information view

Use this dialog box to view detailed patch deployment activity and status for scanned devices on your network.

You can view scan results for:

Devices not recently reporting

Devices with no results

Devices needing patches by selected severity type

About the Threshold settings dialog box

Use this dialog box to define time periods for security scan (patch deployment) results that appear in the Security scan information dialog box.

Threshold for not recently scanned: Indicates the maximum number of days to check for devices that haven't been scanned for patch deployment.

About the Security and Patch Information dialog box

In the Network view, right-click a device and click Security and Patch > Security and Patch Information. Use this dialog box to view detailed security information for selected devices. You can view a device's scan results, detected security definitions, missing and installed patches (or software updates), and repair history.

Use the Clear button to remove all scan information from the database for the selected devices.

You can also right-click a vulnerability (or other security content type) in this view and directly create a repair task, or enable/disable the autofix option for applicable security content types.

Displayed information is based on the selected security content type

The group names and information fields that display on this page are dynamic, depending on the security content type you select from the Type drop-down list. For example, if you select vulnerabilities, the following information fields display:

All detected: Lists all of the vulnerabilities detected on the device by the last scan.

All installed: Lists all of the patches installed on the device.

History: Shows information about the remediation tasks attempted on the device. This information is helpful when troubleshooting devices. To clear this data, click Purge History, specify the devices and time range settings, and then click Purge.

Vulnerability Information:

Title: Displays the title of the selected vulnerability.

Detected: Indicates whether the selected vulnerability was detected.

First detected: Displays the date and time the vulnerability was initially detected on the device. This information can be useful if you've performed multiple scans.

Reason: Describes the reason why the selected vulnerability was detected. This information can be useful in helping you decide whether the security risk is serious enough to prompt immediate remediation.

Expected: Displays the version number of the file or registry key the vulnerability scanner is looking for. If the version number of the file or registry key found on the scanned device matches this number, the vulnerability does not exist.

Found: Displays the version number of the file or registry key found on the scanned device. If this number is different than the Expected number above, the vulnerability exists.

Patch Information:

Patch Required: Displays the filename of the patch executable required to remediate the selected vulnerability.

Patch Installed: Indicates whether the patch file has been installed.

Last action date: Displays the date and time the patch was installed on the device.

Action: Indicates whether the last action was an install or uninstall.

Details: Indicates whether the deployment/installation was successful. If an installation failed, you must clear this status information before attempting to install the patch again.

Clear: Clears the current patch installation date and status information for the selected device, which is necessary to attempt to deploy and install the patch again.