It is recommended to regularly check for software updates and apply them as soon as possible. GravityZone automates this process through security policies, but if you need to update the software on certain endpoints right away, run the following tasks in this order:
Prerequisites
The security agent with Patch Management module is installed on target endpoints.
For the scanning and installation tasks to be successful, Windows endpoints must meet these conditions:
Trusted Root Certification Authorities stores the DigiCert Assured ID Root CA certificate.
Intermediate Certification Authorities includes the DigiCert SHA2 Assured ID Code Signing CA.
Endpoints have installed the patches mentioned in these Microsoft articles:
For Windows 7 and Windows Server 2008 R2: Microsoft Security Advisory 3033929
For Windows Vista and Windows Server 2008: You cannot run an application that is signed with a SHA-256 certificate on a computer that is running Windows Vista SP2 or Windows Server 2008 SP2
Patch Scan
Endpoints with outdated software are vulnerable to attacks. It is recommended to regularly check the software installed on your endpoints and update it as soon as possible. To scan your endpoints for missing patches:
Go to the Network page.
Select the container that you want from the left-side pane. All endpoints from the selected container are displayed in the right-side pane table.
Select the target endpoints.
Click the task.png Tasks button at the upper side of the table and choose Patch Scan. A confirmation window will appear.
Click Yes to confirm the scan task.
Note
To schedule patch scanning, edit the policies assigned to the target endpoints, and configure the settings in the Patch management section. For more information, refer to Patch management.
Patch Install
To install one or more patches on the target endpoints:
Go to the Network page.
Select the container that you want from the left-side pane. All endpoints from the selected container are displayed in the right-side pane table.
Click the
Tasks button at the upper side of the table and choose Patch Install.A configuration window will appear. Here, you can view all patches missing from the target endpoints.
If needed, use the sorting and filtering options at the upper side of the table to find specific patches.
Click the
Columns button at the upper-right side of the pane to view only relevant information.Select the patches you want to install.
Certain patches depend on others. In such case, they are automatically selected once with the patch.
Clicking the numbers of CVEs or Products will display a pane in the left side. The pane contains additional information, such as the CVEs which the patch resolves, or the products to which the patch applies. When done reading, click Close to hide the pane.
Select Reboot endpoints after installing the patch, if required to restart the endpoints immediately after the patch installation, if a system restart is required. Take into account that this action may disrupt the user activity.
Click Install.
The installation task is created, together with sub-tasks for each target endpoint.
You can view and manage the task on the Network > Tasks page. For more information, refer to Viewing and Managing Tasks.
Note
To schedule patch deployment, edit the policies assigned to the target endpoints, and configure the settings in the Patch management section. For more information, refer to Patch Management.
You can also install a patch from the Patch inventory page, starting from a certain patch that you are interested in. In this case, select the patch from the list, click the Install button at the upper side of the table and configure the patch installation details. For more details, refer to Patch inventory.
After installing a patch, we recommend sending a Patch scan task to target endpoints. This action will update the patch information stored in GravityZone for your managed networks.
You can uninstall patches:
Remotely, by sending a patch uninstall task from GravityZone.
Locally on the endpoint. In this case, you need to log in as an administrator to the endpoint and run the uninstaller manually.