Configuring Patch Scan Templates and Filtering Options
One of the main features of Protect is the ability to set up filtering for exactly what you want Protect to scan. There are many different ways you can set up the filtering to include only specific products, specific criticality or severity levels, or even specific updates. All filtering starts with the patch scan that is run, so the patch scan template that you use will determine what Protect will scan for. Below are steps on how to use and configure patch scan templates and other filtering options.
Viewing and Editing Existing Patch Scan Templates
1) From the main drop-down menu, choose 'Templates'.
2) Within the Templates list, you will see two groupings for Patch Scan Templates.
- Default Patch Scan Templates
- These are the available built-in scan templates that are always available and cannot be renamed or deleted.
- My Patch Scan Templates
- These are the available custom scan templates that you or another admin have created.
3) To get an idea of what the default settings are within a scan template, try clicking on the Security Patch Scan or WUscan template.
- It will pop up the Patch Scan Template window where you can see the settings of the selected template. For the Default Patch Scan Templates everything is grayed out because these templates cannot be modified.
- Below you can see, for example, what the Security Patch Scan template Filtering settings look like.
- If you intend to just scan for all Security patches, using the built-in Security Patch Scan template may be all you need.
- Likewise, if you intend to scan for all Security and Non-Security patches the WUscan may be all that you need.
- Before creating a new template, check to see if one already exists that meets your needs.
- When you click on a template from 'My Patch Scan Templates' you can edit the template settings. Editing works the same way as creating a new patch scan template, so see the steps below.
Creating New Patch Scan Templates and Using Filtering Options
1) From the main menu of Protect, go to New > Patch Scan Template.
2) Make sure to name your template. You'll be prompted when trying to save the template if you fail to do so.
Filtering Tab
The Filtering tab of the Patch Scan Template is where you will set up all filtering of scan results.
It is not required to make any changes to filtering. However, it can be very useful when attempting to set up automation of patching.
Patch Type and Vendor Severity
1) The most common change that you might be considering is what patches to scan for, based on patch type and vendor severity.
- These are found under "Patch Properties - Detect only these patch types or severities:"
- There are four main patch types available here:
- Security Patches
- Security bulletin related patches
- Generally includes Microsoft major bulletins as well as Adobe, Java, and other vendors' security bulletins.
- If the goal is to truly patch systems, these updates should be included.
- Security Tools
- Updates for security tools, cert updates, and other hotfixes for known security risks that are not yet part of an actual security bulletin.
- Some updates listed as security tools will always show up missing.
- Consider referring to the following documents prior to using Security Tools:
- Non-security Patches
- Vendor patches that fix known software problems that are not security issues
- Custom Actions
- Enables you to perform custom actions even if you are already fully patched.
- It does this by scanning for a specific QNumber and patch (QSK2745, MSST-001) that will never be found. The process uses the temporary file Nullpatch.exe.
- It is generally best practice to not include this in your template, unless you intend to have a custom action run.
- More information about custom actions can be found in this document:
- To select which patch types and severities you want to include, just use the check boxes next to each.
- It is possible to include only a certain vendor severity of each patch type if you wish.
- In the example below you can see we would only be scanning for Security and Non-security patches with a vendor severity marked as 'Critical'.
- You can see the Vendor Severity of any patch by looking at the patch information found either within a scan result or View > Patches.
- Note that you may need to add the Vendor Severity column or drag it over in the window to view it.
User Criticalities
2) It is also possible to filter based on User Criticalities.
- The default and best practice is to leave these unchecked.
- To include certain user criticalities just check the box for those you wish to include in the scan.
We often see this confused with the Vendor Severity, but be aware that these are custom user criticality settings and are completely separate from the vendor severity settings.
The user criticalities must be set by the Protect admin before this filter will work properly.
- User criticalities can be hard to manage - you will need to continually update the criticality of new patches as they come out for the filter to work properly.
- You can see the User Criticality that is set for any patches by viewing the 'User Criticality' column in a scan result or View > Patches.
- To set the user criticality of any patch, right click on the patch, then go to Set Criticality > Choose criticality.
- Once you have set the criticality, you will see the value indicated as seen below. (When viewing in a scan result or View > Patches)
Product Filters
3) Product Filters can be used to filter based on the product which updates apply to.
- Default is 'Scan all' (no product filtering).
- This filter takes precedence over all other filters, meaning this filter will work along with any other filtering that is configured in the template.
- Product filter set to 'Scan selected' will allow only the selected products to be scanned for.
- Product filter set to 'Skip selected' will exclude the selected products from the scan.
- Product filters are generalized, meaning many specific products are grouped into a generalized product option for the product filter.
- However, to get an idea of which product filter would be associated with a specific patch, you can go into a scan result or View > Patches and view the 'Product name' that corresponds to any given patch.
- In this case we can see the listed patches are associated with the specific product of Microsoft Office Professional 2010 (x64).
- This would fall under the 'Microsoft Office' option from the list of available product filters within a scan template.
- Any other flavors and versions of Microsoft Office would also fall into the 'Microsoft Office' product filter.
Patch filter settings
4) Patch filter settings allow you to use a file or patch group to include or exclude specific updates from the scan.
Using a file to include or exclude specific patches from a scan
- In the Patch filter settings, you can either choose 'Scan selected' to include or 'Skip selected' to exclude.
- Next to the 'File:' box you can either click 'New' to create a new text file for use with this, or you can click the '...' button to browse for an existing file.
It is best practice to use a .txt or .csv file. The file browser will allow you to link to any file type, but your scan will come back with no patches missing or installed if using an invalid file type with this filtering option. It will not warn you of an invalid file type.
- When creating a text file containing the list of patches, they must be listed as the Qnumber of the patch from Protect, and the Qnumbers should be listed one per line. Example below:
- If you don't know the Qnumber for a specific patch, you can refer to the Qnumber column found within a scan result or View > Patches to find this.
- One method that may help in building a text file more quickly is to do the following:
- From the main menu of Protect, go to View > Patches.
- Highlight all patches that you wish to add to a file, then right click in the highlighted area, and choose 'Export selected patches to CSV...'.
- Once you have the CSV file, open it with a spreadsheet application such as Excel where the Qnumbers are lined up. Then you can highlight and copy/paste them into a .txt file.
- If everything works OK you should easily get a text file formatted correctly that can be used for the purpose of patch filtering.
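As an added example (not part of the original article or of Protect), the script below does the spreadsheet step in code: it pulls the Qnumbers out of an exported CSV, writes them one per line, and refuses the file types that would make the scan silently return nothing. The CSV header names, the sample rows and the output file name are assumptions constructed for illustration.

```python
import csv
import io
from pathlib import Path

# File types the article recommends; other types give an empty scan with no warning.
ALLOWED_SUFFIXES = {".txt", ".csv"}

# Constructed sample of an 'Export selected patches to CSV...' file (header names assumed).
SAMPLE_EXPORT = """\
Bulletin,QNumber,Product name,Vendor Severity
EX00-001,Q0000001,Microsoft Office Professional 2010 (x64),Critical
EX00-001,Q0000001,Microsoft Office Professional 2010 (x64),Critical
EX00-002, Q0000002 ,Microsoft Office Professional 2010 (x64),Important
EX00-003,,Microsoft Office Professional 2010 (x64),Moderate
"""


def qnumbers_from_export(csv_text, column="QNumber"):
    """Return the unique Qnumbers of an exported patch list, in first-seen order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    # Match the header case-insensitively, since its exact spelling is an assumption.
    header = next((h for h in reader.fieldnames or []
                   if h.strip().lower() == column.lower()), None)
    if header is None:
        raise ValueError(f"export has no {column!r} column")
    seen, result = set(), []
    for row in reader:
        qnumber = (row.get(header) or "").strip()
        if qnumber and qnumber not in seen:   # drop blank cells and repeated rows
            seen.add(qnumber)
            result.append(qnumber)
    return result


def write_filter_file(qnumbers, path):
    """Write one Qnumber per line and return how many were written."""
    path = Path(path)
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"{path.name}: use a .txt or .csv patch filter file")
    if not qnumbers:
        raise ValueError("no Qnumbers to write")
    bad = [q for q in qnumbers if any(c.isspace() or c == "," for c in q)]
    if bad:
        raise ValueError(f"entries are not single tokens: {bad}")
    path.write_text("\n".join(qnumbers) + "\n", encoding="utf-8")
    return len(qnumbers)


if __name__ == "__main__":
    count = write_filter_file(qnumbers_from_export(SAMPLE_EXPORT), "patch_filter.txt")
    print(f"wrote {count} Qnumbers to patch_filter.txt")
```

After generating the file, compare the count it reports with the number of patches you highlighted in View > Patches before attaching the file to a template.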
Using Patch Groups to include or exclude patches in a scan
- To use a patch group within your scan template you will first need to create a patch group to use.
- From the main drop-down menu, choose 'Patch and SP Groups' if you want to view or edit existing templates.
Steps for Creating a new Patch Group:
- From the main menu, go to New > Patch Group...
- Make sure to name the patch group.
- Click the 'Add...' button to add patches to the group.
- After clicking 'Add...' you'll be presented with the 'Select Patches' window. From this window, you need to place a check in the 'Include' box next to each patch that you want included in the patch group. Click on the 'Select' button when done.
- You will see the patches added into the list under 'Patch Group Members'.
- An alternate and often easier method is to add patches from a scan result or View > Patches. This allows you to highlight multiple patches, right click in the highlighted area, then choose Add to Patch Group > GROUPNAME.
- Once you have your patch group created or edited how you like, you need to add it to your scan template.
- For Patch filter settings choose whether to 'Scan selected' (include) or 'Skip selected' (exclude).
- Next to 'Patch group(s)', click the '...' button to bring up the 'Select Patch Groups' window.
- Select any patch groups you intend to use for this scan template. Then click the 'Select' button.
- You will see the selected patch groups added into the list area.
- Make sure to save the changes to your template.
Combining Multiple Filters
- Below is an example of what it might look like when combining multiple filters for the Patch Scan Template.
- This is what will happen based on these filtering settings:
- Only Security and Non-security patch types will be scanned.
- Of that, only Critical, Important, and Moderate severity patches will be scanned.
- The scan will only include the selected products in the product filter.
- The scan will skip (exclude) the specific patches listed in the patch group 'Test Group'.
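The following added example (a model of the rules as this article states them, not Protect's own code) evaluates the combined template against a few patch records and reports which filter removes each one. It is useful for checking, before automating deployment, that a patch you care about is not silently out of scope. The Qnumbers, the selected product, the 'Low' severity value and the members of 'Test Group' are constructed.

```python
from dataclasses import dataclass


@dataclass
class ScanTemplate:
    severities: dict                    # patch type -> vendor severities ticked for it
    product_mode: str = "all"           # 'all' (Scan all), 'scan' or 'skip' (selected)
    products: frozenset = frozenset()   # generalized product filter names
    patch_mode: str = "all"             # same three modes for the patch filter
    qnumbers: frozenset = frozenset()   # from a filter file or patch group


def _passes(mode, selected, value):
    """'scan' keeps only selected values, 'skip' drops them, 'all' keeps everything."""
    if mode == "scan":
        return value in selected
    if mode == "skip":
        return value not in selected
    return True


def exclusion_reason(patch, template):
    """Return None when the patch is in scope, else the filter that removes it."""
    allowed = template.severities.get(patch["type"])
    if allowed is None:
        return "patch type"
    if patch["severity"] not in allowed:
        return "vendor severity"
    if not _passes(template.product_mode, template.products, patch["product"]):
        return "product filter"
    if not _passes(template.patch_mode, template.qnumbers, patch["qnumber"]):
        return "patch filter"
    return None


def scope_report(patches, template):
    """Map each Qnumber to None (scanned) or the name of the excluding filter."""
    return {p["qnumber"]: exclusion_reason(p, template) for p in patches}


# The combined template described above, with constructed product and group contents.
SEVS = frozenset({"Critical", "Important", "Moderate"})
COMBINED = ScanTemplate({"Security": SEVS, "Non-security": SEVS},
                        "scan", frozenset({"Microsoft Office"}),
                        "skip", frozenset({"Q0000003"}))   # 'Test Group' members
KEYS = ("qnumber", "type", "severity", "product")
PATCHES = [dict(zip(KEYS, row)) for row in [                # constructed records
    ("Q0000001", "Security", "Critical", "Microsoft Office"),
    ("Q0000002", "Security", "Low", "Microsoft Office"),
    ("Q0000003", "Security", "Critical", "Microsoft Office"),
    ("Q0000004", "Security Tools", "Critical", "Microsoft Office"),
    ("Q0000005", "Non-security", "Important", "Example Product"),
]]
```

Note that Q0000003 is a Critical security patch yet never appears as missing, because it is a member of the skipped patch group.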
General Tab
- On the General tab of the scan template, you can choose if Protect should report results of only missing patches or also installed and even effectively installed patches.
- Only missing patches - Scan results when using this template will only show missing patches (and service packs).
- Both missing and installed patches - Scan results using this template will show both missing and explicitly installed patches.
- Explicitly installed patches are those where Protect was able to detect that both the registry key exists and the affected files are at the correct version.
- Checkbox to 'Include effectively installed patches'.
- If checked, you will also see effectively installed patches in your scan results and reports when using this scan template.
- Effectively installed patches are those where the file version is at or above the required version for the patch to be considered installed. Often this happens with superseded updates.