Channel: Ivanti User Community : Document List - Patch Manager

About LANDesk Patch Manager Scan and Repair Settings


Note: As of LDMS 9.6 the Scan and Repair Settings are known as Distribution and Patch Settings. For the latest information on this subject see the article: About LANDESK Distribution and Patch settings

 

The Scan and Repair settings are at the core of the patching process. All configuration is set here. These settings are stored on the core server and are updated automatically when vulscan runs. That means if you change the Scan and Repair settings that are configured for a device, the next time it runs vulscan it will update and use the new settings.

Each client machine has an "installed" Scan and Repair setting: the default configuration that will be used by any task that does not have a Scan and Repair setting assigned. The currently "installed" setting can be found in the client machine inventory at: Computer - LANDesk Management - Vulnerability Scan - Settings - Scan and Repair Setting Name. The "installed" setting can be changed using a "Change settings..." task, found in the "Create a task" drop-down in the Patch Manager tool.

Each of the settings and its effects is described below. The settings described are from LANDESK Management Suite 9, so previous versions may be missing some options or present them differently.

Settings

  • General Options
  • Scan Options
  • Repair Options
  • MSI Information
  • Reboot Options
  • Network Settings
  • Pilot Configuration
  • Spyware Scanning

General Options

General Settings.png

  • Name: The name of the settings. Descriptive names that make it clear where and how the settings apply are helpful.
  • Show progress dialog: This determines if the vulscan GUI will appear. Possible settings are Always, Never, and Only when repairing.
  • Hide if user is showing a presentation: This will hide the GUI if the client machine is running a full-screen presentation. Currently we only detect this condition with Microsoft PowerPoint. This WILL NOT prevent the scan or repair job from running, it will only hide the GUI.
  • When no reboot is required: These settings apply when there is not a reboot. You can choose to wait for the user to close the GUI, or time out after a certain period of time and close.
    Recommendation: Always set this to "Close after timeout". Usually you are not required to wait for the user to just close the dialog, and it can cause tasks to timeout and return a bad/incorrect status.
  • CPU utilization when scanning: This will attempt to control the CPU level when scanning. When set to low, the scans will take longer, but should have a reduced impact on the general computer use. High will result in the fastest scans.
  • Scheduled task status: This determines how much information is sent back to the core for a Scheduled Task run on the device, such as a repair job. Possible options here are: Send standard information, Send nothing, and Send debug information (not localized).
  • Set as Default: If this option is checked, this Scan and Repair setting becomes the default Scan and Repair setting.
Scan Options

Scan Options.png

  • Scan for: This pane allows you to set what should be scanned for when vulscan is run with these settings.
    • Group: A custom group of vulnerabilities can be set here. Groups can be created in the console and vulnerabilities can be added as needed. Vulnerabilities can be members of more than one group. Groups can have sub groups as well. If a parent group is selected here, all the child groups and vulnerabilities will be scanned.
    • Immediately repair all detected items: This option can only be set if scanning for a group. It has the same effect as autofix. Vulscan will scan for all the vulnerabilities in the group, then immediately request and install the patches for any detected items.
    • Type: If this option is selected, vulscan will scan for all definitions in each category checked below. It will only scan vulnerabilities that are in the Scan category on the core server. It WILL NOT scan for anything in the Do not scan or Unassigned categories.
      • Vulnerabilities: This will scan for all definitions in the Scan group that are of the Vulnerability type. This is the most common definition. All of the Microsoft general, or "Patch Tuesday", patches will be this type.
      • Spyware: This will use the spyware engine to scan for any definitions in the Scan category that are Spyware definitions.
      • Security threats: This scans for Security threats definitions in the Scan category. These are things like firewall enabled, or telnet enabled.
      • Blocked applications: This scan will update the list of blocked applications that are blocked in real-time by softmon.exe when vulscan isn't running. You can select to put All blocked apps in the block list on the client, or Only apps in group: and select a group of blocked apps.
      • Antivirus Updates: This will scan for needed AV updates. It can scan for updates on a variety of AV products besides LANDESK AV.
      • LANDesk Updates: This scans for any LANDESK updates in the scan group. This is limited to patches released by LANDESK, usually roll-ups and Service Packs. This is the only option available to customers that have not purchased LANDESK Patch Manager or Security Suite. All LANDESK customers can scan for and repair LANDESK vulnerabilities.
      • Software updates: This category is for a limited number of Software updates. Generally Lenovo ThinkVantage or Intel software.
      • Driver updates: This contains hardware and driver updates from some vendors such as Dell. It allows vulscan to scan for driver updates, BIOS updates and the like.
      • Custom definitions: This category is for Custom definitions made by the end user. They can be used to do a number of things, including installing customized patches, patches for internal software, or software that LANDESK doesn't provide vulnerability data for.
Repair Options

Repair Options.png

  • Before repairing, installing, or uninstalling a patch: This setting determines when the patch will be installed. Once the job is run and started on the client, these options will be used to determine when the patch will be installed. The options are:
    • Immediately begin: The patch job will begin immediately, as soon as the client receives the job.
    • Notify user with message: The patch job will still begin immediately, but a message will be presented to the user indicating that the patching is happening.
    • Notify user, also allowing defer: The message is presented to the users. They can select to begin the patch installation, or they can defer it until the machine is locked or logged out. There is only one option and the user can't choose lock or logout, so the patch job will occur as soon as either condition is met.
    • Notify user, also allowing defer or cancel: This options presents the message to the user with the deferral option above, but also allows the user to cancel the job. If this option is selected the patches will not install and the console will report that the user canceled the job.
    • Wait to repair until machine is locked or screen saver is running: This will put the repair job on hold until the machine is either locked, or a screensaver starts. The patch job will continue after the machine is unlocked or the screensaver is canceled.
    • Wait to repair until user is logged off: This option will wait to install the patch until the user logs off. If the same user, or another user logs on during the repair job, it will continue patching until the job is complete.
  • Message: This is the message that will be displayed if an option is selected to notify the user.
  • If no end user response: This is what to do if a message is presented to the user and there is no response.
    • Wait for user response before repair, install or uninstall: This will leave the message there until there is a response. As noted, this can cause scheduled tasks to timeout and/or fail.
    • After timeout, automatically: If this option is selected, the message prompt will wait the specified time and then proceed with the action selected. The options are:
      • Start install: This will just proceed to the patch installation.
      • Close: This will close the notification and not run the patch job.
      • Defer install until machine locked: This will defer the installation until the machine is locked or logged out.
  • Start repair even if: This tells vulscan to start the repair job even when certain conditions are true.
    • User is running a presentation: This will start the repair job even if a presentation is running. If this is unchecked the job will automatically be delayed until the machine is locked or logged out. Note: This only detects the machine as "running a presentation" for a full-screen MS PowerPoint presentation at this time.
    • Reboot is already pending: A reboot is deemed to be already pending if there are any entries in the PendingFileRename key in the registry. Other applications can modify this key, so if the machine is pending a reboot for ANY reason vulscan will detect it and either continue or fail the job depending on this setting. Some AV applications are known to always set this key.
  • Max bandwidth when downloading from source: This is the maximum bandwidth to be used when downloading files from the source (the core or preferred server).
  • Max bandwidth when downloading from peer: This is the maximum bandwidth to use when downloading from a peer through the LANDESK Peer-Peer download technologies.
MSI Information

MSI information.png

  • MSI Information: Some patches require access to the install MSIs and this allows them to find the correct MSIs.
    • Original package location: This is used to specify a network path containing original MSIs.
    • Credentials to use when referencing the original package location:
      • User name: The user name to use when accessing the MSIs. This should be in the form domain\username.
      • Password: The password for the user name listed above.
    • Ignore the /overwriteoem command-line option: Indicates the command to overwrite OEM-specific instructions will be ignored. In other words, the OEM instructions are executed.
  • Run as information: This allows you to configure a user to run the patches as. This will override the default use of the Local System account.
    • Domain\User name: Make sure to specify the user as domain\username. This user MUST have admin rights on ALL client machines.
    • Password: The password to the above user.
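The "Run as" account above must be a local administrator on every client, and a job that runs under an account missing that right fails on just those machines. The following is an added example, not code from the article or from LANDesk, that checks direct membership of the local Administrators group on a list of clients before the setting is rolled out. The client names and the account name are constructed; `Get-LocalGroupMember` requires the LocalAccounts module (Windows 10 / Server 2016 and later, PowerShell 5.1) on the remote hosts, and PowerShell remoting must already be enabled.

```powershell
# Added example (not part of the original article): confirm the account
# configured under "Run as information" is a member of the local
# Administrators group on each client. Only direct membership is reported;
# membership through a nested domain group is not expanded here.
function Test-RunAsIsLocalAdmin {
    param(
        # domain\username form, exactly as the article requires in the setting
        [Parameter(Mandatory)][string]$RunAsUser,
        [Parameter(Mandatory)][string[]]$Clients
    )
    foreach ($client in $Clients) {
        try {
            $members = Invoke-Command -ComputerName $client -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' |
                    Select-Object -ExpandProperty Name
            }
            [pscustomobject]@{
                Client  = $client
                IsAdmin = [bool]($members -contains $RunAsUser)   # -contains is case-insensitive
                Error   = $null
            }
        } catch {
            [pscustomobject]@{
                Client  = $client
                IsAdmin = $false
                Error   = $_.Exception.Message
            }
        }
    }
}

# Constructed sample input: a hypothetical service account and two client names.
Test-RunAsIsLocalAdmin -RunAsUser 'CONTOSO\svc-patch' -Clients 'client01', 'client02' |
    Format-Table -AutoSize
```

Any row with `IsAdmin` false (or a non-empty `Error`) is a client where a repair job under this account would fail; because this one account ends up with administrative rights on every managed machine, keeping its membership list accurate is also what lets you notice when it has been added somewhere it should not be.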
Reboot Options

Reboot options.png

These are the options used to configure when and how the machine is rebooted by vulscan. It can be configured to present a message, allow the user to delay or cancel the reboot, or not reboot at all.

  • When deciding whether to reboot
    • Never reboot: Once vulscan completes, regardless of what patches were installed the machine will not be rebooted by vulscan.
    • Reboot only if needed: Once vulscan completes it will check the PendingFileRename key in the machine's registry to determine if a reboot is needed. If it is, the machine will be rebooted using the options configured.
    • Always reboot: When vulscan finishes, regardless of what it did, it will reboot the machine according to the reboot options configured.
  • When rebooting
    • Prompt user before rebooting: This will prompt the user before the reboot happens to let them know that it will happen.
    • If no one is logged in, reboot immediately without prompting or delay: This allows vulscan to bypass the prompt if no one is logged in.
    • Allow user to defer (snooze): These settings can be used to allow the user to defer or snooze the reboot for a period of time if needed.
      • Snooze time: This is how long the reboot will be delayed. Once the time is up the prompt will re-appear.
      • Max deferrals allowed: This is the maximum number of times that a reboot can be delayed. Once met, the Snooze button on the client will no longer be available.
    • Allow user to cancel reboot: When selected the user can cancel the reboot and it will not be re-attempted.
    • Reboot message: This is the message that is presented to the user in the vulscan GUI when prompted to reboot.
    • Wait for user response before rebooting (This can cause scheduled tasks to timeout): If this option is selected, the prompt to reboot will wait until there is a user response. If it takes too long, the scheduled task will timeout and report a failure to the core server.
    • After timeout, automatically: If this option is selected, vulscan will automatically perform the selected action after the specified timeout period without user interaction.
      • Snooze: This will snooze the reboot as configured.
      • Reboot: This will reboot the machine.
      • Close: This will close the dialog and cancel the reboot.
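Both the "Reboot is already pending" repair option and the "Reboot only if needed" reboot option above rest on the same test: whether the PendingFileRename key holds any entries. When a job fails or reboots unexpectedly, it helps to see exactly which queued file operations vulscan is reacting to. The following is an added example, not code from the article or from LANDesk, that reads that value. The registry location used is the standard Windows one (`HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, value `PendingFileRenameOperations`); the remote-registry access and the output shape are this example's own assumptions.

```powershell
# Added example (not part of the original article): list the queued
# file-rename operations that make vulscan treat a reboot as "already pending".
# Reading a remote machine requires the Remote Registry service on that host.
function Get-PendingFileRename {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $subKey = 'SYSTEM\CurrentControlSet\Control\Session Manager'
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $sm = $base.OpenSubKey($subKey)
        if (-not $sm) { return @() }

        # REG_MULTI_SZ: alternating source path and destination path;
        # an empty destination means the source file is deleted at boot.
        $entries = $sm.GetValue('PendingFileRenameOperations')
        if (-not $entries) { return @() }

        for ($i = 0; $i -lt $entries.Count; $i += 2) {
            $target = if (($i + 1) -lt $entries.Count -and $entries[$i + 1]) {
                $entries[$i + 1]
            } else {
                '(delete)'
            }
            [pscustomobject]@{
                Computer = $ComputerName
                Source   = $entries[$i]
                Target   = $target
            }
        }
    } finally {
        $base.Close()
    }
}

$pending = @(Get-PendingFileRename)
if ($pending.Count -gt 0) {
    Write-Output "Reboot pending: $($pending.Count) queued file operation(s)"
    $pending | Format-Table -AutoSize
} else {
    Write-Output 'No PendingFileRenameOperations entries; vulscan would not report a pending reboot'
}
```

The `Source` paths identify which installer or product left the entry, which is how you tell a reboot genuinely owed to a patch from one an antivirus product re-queues on every start; in the latter case the "Reboot is already pending" checkbox in Repair Options decides whether the job proceeds.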
Network Settings

Network settings.png

These settings can be used to allow the machine to communicate with an alternate core server.

  • Communicate with alternate core server. If this is enabled, vulscan will attempt to communicate with an alternate core server as specified below.
    • Server name: Put the alternate core server name here. It MUST be resolvable by the CLIENT systems.

Note: The syntax for the Server Name field should be ServerName:PortNumber, where the port number is the secure port 443 for SSL transmission. If you enter only a server name, without specifying port 443, it defaults to port 80, which is the standard HTTP port. By default vulscan operates on port 80.
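Because a bare server name silently means plain HTTP on port 80, it is worth checking the value you intend to enter before it reaches clients. The following is an added example, not code from the article or from LANDesk, that applies the rule stated in the note (ServerName:PortNumber; no port means port 80; 443 means SSL) to a configured value and confirms the name resolves from the machine the script runs on. Treating every port other than 443 as cleartext is this example's own assumption, as are the sample server names.

```powershell
# Added example (not part of the original article): interpret a Server name
# value the way the note above describes and flag the cleartext case.
function Resolve-AlternateCoreServer {
    param([Parameter(Mandatory)][string]$ServerName)

    # Split on the first colon only; a value without a port leaves $port empty.
    $name, $port = $ServerName -split ':', 2
    if (-not $port) { $port = 80 }            # article: no port given -> port 80 (HTTP)
    $port = [int]$port
    $scheme = if ($port -eq 443) { 'https' } else { 'http' }   # assumption: only 443 is SSL

    # The article requires the name to be resolvable from the client systems.
    $resolves = $true
    try {
        [void][System.Net.Dns]::GetHostAddresses($name)
    } catch {
        $resolves = $false
    }

    [pscustomobject]@{
        Input     = $ServerName
        Server    = $name
        Port      = $port
        Scheme    = $scheme
        Encrypted = ($scheme -eq 'https')
        Resolves  = $resolves
    }
}

# Constructed sample values: a bare name, an explicit 443, and an explicit 80.
'core01', 'core01.contoso.example:443', 'core01.contoso.example:80' |
    ForEach-Object { Resolve-AlternateCoreServer $_ } |
    Format-Table -AutoSize
```

Run it from a client, not the core, so that `Resolves` reflects the name resolution the clients will actually perform; a row with `Encrypted` false is a value that will carry vulscan traffic over plain HTTP.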

Pilot Configuration

Pilot configuration.png

This setting can be used to tell machines using this Scan and Repair setting to additionally scan a certain group. This is used to test patches or vulnerabilities before general release. For example, new patches can be added to a custom "Pilot" group and, through these pilot settings, be rolled out to a test group to make sure the new patches don't cause any problems with business applications.

  • Periodically scan and repair definitions in the following group: This enables the client machines with this setting to scan and AUTOMATICALLY repair all definitions in a custom group. Make sure to select a group.
  • Schedule: This is the schedule on which the machines will scan the pilot group. It is configured the same way as other locally scheduled tasks on the client machine.

Pro Tip: You can use this as the opposite of a pilot group. If you have a set of patches that MUST be installed on client machines, you can add them to a custom group, then specify it as the 'pilot' group. You can then set an independent schedule for it to run. Another example would be to have a normally scheduled scan that scans everything during the day, then set the 'pilot' group to run at night or during maintenance periods. Patches added to the custom group will be repaired. As you work through approving patches, simply add them to the custom group and you know that the next time the 'pilot' scan runs they will be installed on the clients. Be careful and test this to make sure it works the way you expect, because any patches in the 'pilot' group will be AUTOMATICALLY repaired when the scan runs.

Spyware Scanning

Spyware scanning.png

These settings can be used to override and modify the real-time spyware scanning settings set in the client configuration. That means you can use them to enable or disable real-time scanning on a device. Normally this setting is part of the client configuration, but if a Scan and Repair setting with the spyware override enabled is applied to a machine, the machine's real-time scanning changes to whatever the Scan and Repair setting is configured to.

  • Override settings from client configuration: Select this if you want to override the real-time spyware scanning settings configured in the client configuration.
  • Settings
    • Enable real-time spyware blocking: Set to enable real-time spyware scanning and blocking.
      • Notify user when spyware has been blocked: Setting this will notify the user that spyware has been blocked. If it is not set, the spyware will still be blocked, but the user will not be notified. The core server will still have a record of the block.
      • If an application is not recognized as spyware, require user's approval before it can be installed: If this is enabled, any application that attempts to install must be approved by the user, even if it is not recognized as spyware.

Note: In order for spyware blocking to work, the definitions on the core must be set to autofix. For more information see the following articles:

