Patch Scanning & Deployment Best Practices - Configuring Patch Scan Templates and Filtering Options

Version 3


    Configuring Patch Scan Templates and Filtering Options

     

    One of the main features of Protect is the ability to set up filtering for exactly what you want Protect to scan. There are many different ways you can set up the filtering to include only specific products, specific criticality or severity levels, or even specific updates. All filtering starts with the patch scan that is run, so the patch scan template that you use will determine what Protect will scan for. Below are steps on how to use and configure patch scan templates and other filtering options.

     

    Viewing and Editing Existing Patch Scan Templates

     

    1) From the main drop-down menu, choose 'Templates'.


     

    2) Within the Templates list, you will see two groupings for Patch Scan Templates.

    • Default Patch Scan Templates
      • These are the available built-in scan templates that are always available and cannot be renamed or deleted.
    • My Patch Scan Templates
      • These are the available custom scan templates that you or another admin have created.

    3) To get an idea of what the default settings are within a scan template, try clicking on the Security Patch Scan or WUscan template.

    • It will pop up the Patch Scan Template window where you can see the settings of the selected template. For the Default Patch Scan Templates everything is grayed out because these templates cannot be modified.
    • Below you can see, for example, what the Security Patch Scan template Filtering settings look like.
    • If you intend to just scan for all Security patches, using the built-in Security Patch Scan template may be all you need.
      • Likewise, if you intend to scan for all Security and Non-Security patches the WUscan may be all that you need.
    • Before creating a new template, check to see if one already exists that meets your needs.
    • When you click on a template from 'My Patch Scan Templates' you can edit the template settings. See the steps below on how to edit the settings as it is just the same as creating a new patch scan template.

    Creating New Patch Scan Templates and Using Filtering Options

     

    1) From the main menu of Protect, go to New > Patch Scan Template.

     


     

    2) Make sure to name your template. You'll be prompted when trying to save the template if you fail to do so.

     

    Filtering Tab

     

    The Filtering tab of the Patch Scan Template is where you will set up all filtering of scan results.

    It is not required to make any changes to filtering. However, it can be very useful when attempting to set up automation of patching.

     


     

    Patch Type and Vendor Severity

     

    The most common change that you might be considering is what patches to scan for, based on patch type and vendor severity.

    • These are found under "Patch Properties - Detect only these patch types or severities:"
    • There are four main patch types available here:
      • Security Patches
        • Security bulletin related patches
          • Generally includes Microsoft major bulletins as well as Adobe, Java, and other vendors' security bulletins.
        • For any purposes of truly patching systems, these updates should be included.
      • Security Tools
      • Non-security Patches
        • Vendor patches that fix known software problems that are not security issues
      • Custom Actions
        • Enables you to perform custom actions even if you are already fully patched.
        • It does this by scanning for a specific QNumber and patch (QSK2745, MSST-001) that will never be found. The process uses the temporary file Nullpatch.exe.
        • It is generally best practice to not include this in your template, unless you intend to have a custom action run.
        • More information about custom actions can be found in this document:
    • To select which patch types and severities you want to include, just use the check boxes next to each.
      • It is possible to include only a certain vendor severity of each patch type if you wish.
        • In the example below you can see we would only be scanning for Security and Non-security patches with a vendor severity marked as 'Critical'.


    • You can see the Vendor Severity of any patch by looking at the patch information found either within a scan result or in View > Patches.
      • Note that you may need to add the Vendor Severity column or drag it over in the window to view it.


     

    Vendors, Families, and Products

     

    The Vendors, Families, and Products Filters can be used to filter based on the vendor, family or product which updates apply to.

    • Default is 'Scan all' (no product filtering).
    • This filter takes precedence over all other filters, meaning this filter will work along with any other filtering that is configured in the template.
    • When the inclusion filter is set to 'Scan selected', only the selected products will be scanned for.
    • You can also set the inclusion filter to scan for all and the exclusion filter to exclude certain vendors, families, or products if you wish to only exclude certain items.


     

    Using Patch Groups to include or exclude patches in a scan

     

    To import a patch group, follow the instructions in the document "How To: Export and Import a Patch Group".

     

    1. If you do not already have a patch group, go to New > Patch Group...
    2. Make sure to name the patch group.
    3. Click the 'Save' button to add patches to the group.
    4. After clicking 'Save', you'll be presented with the View > Patches window. You can research patches that you would like to add using the search bar in the top pane of View > Patches, and you can filter the results using the left-side panes or our smart filters. To see more information about the filters in View > Patches, please check out "How To: View All Patches, Software Distributions, Security Tools and Service Packs".
    5. Once you have found the patch(es) that you would like, you can right-click the patch(es) and select to add them to your patch group, which will show up in the bottom right pane of View > Patches. Alternatively, you can import patches into a patch group from a text file, either by importing when you create a patch group, as described in "How To: Export and Import a Patch Group", or by adding patches to an existing group using the Import from file... option above the patch group.


     

    6. Once you have your patch group created or edited how you like, you need to add it to your scan template by selecting to set it either as a baseline or exclusion in your scan template. If you set it as a baseline then all other filters will be disabled and any scan using this template will scan only for what is in the patch group. Make sure to save your template when you are finished.


     

     

    Combining Multiple Filters
    • Below is an example of what it might look like when combining multiple filters for the Patch Scan Template.
    • This is what will happen based on these filtering settings:
      • Only Security and Non-security patch types will be scanned.
        • Of that, only Critical, Important, and Moderate severity patches will be scanned.
      • The scan will include all vendors, families, and products except for Apple iTunes and anything from AOL.
      • The scan will skip (exclude) the specific patches listed in the patch group 'Test Group'.
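
The combined-filter behaviour described above can be checked against a patch list before relying on a template for automated patching. The following is an added example, not code from Protect or its vendor: it models the filters as a logical AND with a baseline patch group overriding everything else, and the class names, field names, QNumbers and sample patches are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Patch:
    qnumber: str      # constructed IDs, not real QNumbers
    patch_type: str   # "Security", "Non-security", "Security Tools", ...
    severity: str     # vendor severity
    vendor: str
    product: str

@dataclass
class Template:
    types: dict                                          # patch type -> allowed severities
    excluded_vendors: set = field(default_factory=set)
    excluded_products: set = field(default_factory=set)
    exclusion_group: set = field(default_factory=set)    # QNumbers to skip
    baseline_group: set = field(default_factory=set)     # if set, overrides all filters

def in_scope(t, p):
    """Return (scanned?, reason) for patch p under template t."""
    if t.baseline_group:
        # Baseline: all other filters are disabled, only group members are scanned.
        hit = p.qnumber in t.baseline_group
        return hit, "in baseline group" if hit else "not in baseline group"
    if p.vendor in t.excluded_vendors or p.product in t.excluded_products:
        return False, "vendor/product excluded"
    if p.severity not in t.types.get(p.patch_type, set()):
        return False, "type/severity not selected"
    if p.qnumber in t.exclusion_group:
        return False, "in exclusion patch group"
    return True, "scanned"

def coverage(t, patches):
    """Map each QNumber to the reason it is or is not scanned."""
    return {p.qnumber: in_scope(t, p)[1] for p in patches}

SEVS = {"Critical", "Important", "Moderate"}
# The combined-filter template described above; 'Test Group' contents are constructed.
COMBINED = Template(types={"Security": SEVS, "Non-security": SEVS},
                    excluded_vendors={"AOL"}, excluded_products={"Apple iTunes"},
                    exclusion_group={"Q-TEST-5"})
PATCHES = [  # constructed sample catalogue
    Patch("Q-TEST-1", "Security", "Critical", "Microsoft", "Windows 10"),
    Patch("Q-TEST-2", "Security", "Low", "Microsoft", "Windows 10"),
    Patch("Q-TEST-3", "Security", "Critical", "Apple", "Apple iTunes"),
    Patch("Q-TEST-4", "Non-security", "Important", "AOL", "AOL Desktop"),
    Patch("Q-TEST-5", "Security", "Important", "Microsoft", "Office"),
    Patch("Q-TEST-6", "Security Tools", "Critical", "Microsoft", "MSRT"),
]

if __name__ == "__main__":
    for q, why in coverage(COMBINED, PATCHES).items():
        print(q, why)
```

Note that Q-TEST-3 is a Critical security patch that never appears in scan results because of the product exclusion, which is the kind of coverage gap worth reviewing before a template drives automated deployment.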

     

    General Tab

    • On the General tab of the scan template, you can choose if Protect should report results of only missing patches or also installed and even effectively installed patches.
      • Only missing patches - Scan results when using this template will only show missing patches (and service packs).
      • Both missing and installed patches - Scan results using this template will show both missing and explicitly installed patches.
        • Explicitly installed patches are those where Protect was able to detect that both the registry key exists and the affected files are at the correct version.
      • Checkbox to 'Include effectively installed patches'.
        • If checked, you will also see effectively installed patches in your scan results and reports when using this scan template.
        • Effectively installed patches are those where the file version is at or above the required version for the patch to be considered installed. Often this happens with superseded updates.


     
