Alexander Ilin

Vulnerability Assessment & Patch Management

79 posts in this topic

Dear users of "Kaspersky Lab" enterprise products, you are welcome to take part in improving the Vulnerability Assessment & Patch Management components in Kaspersky Security Center 10.

 

Being part of the "System Management" section, these components allow you to scan managed computers for vulnerabilities, as well as to push software upgrades.

 

In this topic we would like to gather your suggestions regarding the data components.

We wonder what kind of programs you upgrade via Kaspersky Security Center 10, and whether you install "patches" for these programs.

 

Wbr

Adobe Flash,

Mozilla,

Adobe Reader.


I also have some things which quite annoy me when it comes to using Kaspersky's Patch Management...

 

1) Is there an option to prevent KAS from downloading Software Updates in any available language? My list of Software Updates contains thousands of patches... (for example any Firefox Patch in any language...)

2) I would like to have a list where I only see Updates which are not installed in our network, that would make it way easier for me to check the current Patch-Status in our network.

 

softwareupdates2pj1j.jpg

 

Kind regards


While KSC shows Silverlight as a critically or highly severe vulnerability with fix available (SA49122, SA46046, SA44841, SA48030) for W7/8 machines where Silverlight is not installed there is no point in using KSC's Vulnerability Assessment functionality -- as I just cannot trust KSC. And the idea to install Silverlight to patch Silverlight's vulnerabilities sounds... e... silly.


We need to have Cloud Security Centre from OEM as an option as we are losing cases on this Point

Edited by siddharthashah


Hi

 

Please check the image below. Can't we get the highlighted serial number in the image below as a report? If we can add this feature to SP1, that's very useful.

post-457443-1412333479_thumb.jpg

Can you please tell how can we change the storage location during the setup process?

 

As I wrote, we just "think of a possibility to change this default storage location during the setup process". This means there was no such option in KSC 10. But this option will be implemented in KSC 10 SP1.

 

Can we use SCCM to get the files/update from the Kaspersky Security Center, which is running as a WSUS server? I mean, is there any way to integrate with SCCM?

 

Currently there is no supported way to "use SCCM to get the files/update from the Kaspersky Security Center", since we currently support only the client side of the WSUS server-server protocol.

 

1) Is there an option to prevent KAS from downloading Software Updates in any available language? My list of Software Updates contains thousands of patches... (for example any Firefox Patch in any language...)

But we DON'T download Software Updates "in any available languages". In this list you just see the whole list of the supported updates, but only those of them which are really required to be installed, are downloaded (when needed).

And now by default we use "Status" filter to show in this list only those updates which are really applied to the managed computers (or you can change this filter to see only those patches which are already assigned to be installed by some patch management tasks, etc.)

 

 

2) I would like to have a list where I only see Updates which are not installed in our network, that would make it way easier for me to check the current Patch-Status in our network.

I'm not sure about your question, but I guess the answer is the same - just use "Status" filter in the software updates list; for a selected update you can see the list of computers where this update is applicable, etc.

 

While KSC shows Silverlight as a critically or highly severe vulnerability with fix available (SA49122, SA46046, SA44841, SA48030) for W7/8 machines where Silverlight is not installed there is no point in using KSC's Vulnerability Assessment functionality -- as I just cannot trust KSC. And the idea to install Silverlight to patch Silverlight's vulnerabilities sounds... e... silly.

May I please kindly ask you to create an incident in your CompanyAccount for this issue?

Also please provide us with its number.

Thank you!

We need to have Cloud Security Centre from OEM as an option as we are losing cases on this Point

Could you please provide some more details?

Thank you!


 

Hello

 

In KSC 10, can we collect the hardware serial number (the one that shows in the Computer hardware registry)? Is there any method to collect that detail as a report?

:unsure::rolleyes:

 


I've been using the Vulnerability and Software Updates function for a few months now and compared with using WSUS previously I've noticed a few things/issues:

A few of these address the same issue - better reporting and a better GUI. Others such as when updates are installed, how errors are reported, and how to manage computers that are "unreachable" also need improvement in my experience with KSC 10.1.249.

 

As a single IT person managing updates for a small business (50+ employees) this tool is helpful, but I look forward to some improvements to make it a little easier to work with and see what the current status is. I would also like to see alerts to the users suppressed, I'm sometimes not sure the KES updater is even working properly since users are still asked to update themselves at various times, and the files still appear to be downloading when the installer is run. With WSUS if the user installed windows updates the files would already have been installed so that it could start right away.


There are a large number of vulnerabilities tied to older versions of Java, but we are forced to use them because our software vendors don't update their code to be compatible with the latest versions of Java. I have to ignore dozens of vulnerabilities, but have to open them one at a time to select the ignore checkbox. It would be handy to be able to select all of them and just select ignore once.


I'd like to test this functionality, but I get the error message "kaspersky cannot create task systems management functionality is restricted" when I try to create an update task.

 

We have "Kaspersky Endpoint Security for Business - Select EEMEA Edition. 500-999 Node 2 year Public Sector Renewal License: Kaspersky Security for WS and FS" licence for 510 users

 

As for functionality, I'd like to see a "Show only latest software versions" checkbox, as I work in an environment that doesn't use any software restricted by a specific version of Flash, Java and such

Edited by BrankoStulic


I'd like to extend out the Vulnerability Scanner to include a few other "compliance" items:

 

- List of TCP/UDP ports being communicated on or services holding open those ports

- List of Services running

- List of local Users & Groups on the machine

- Ability to scan for Windows OS patches without internet or WSUS (this could be done using an OVAL scanner & free updates from MITRE)

- A "report card" on individual machines showing system information, AV update jobs success


Hi!

 

1) In Patch installation Task: Give an Option for "force shutdown running process"

Some users tend to constantly ignore the Update dialogs - Sadly this is mostly the untrained high risk user category....

Especially Flash Player is hell to deploy and a big risk!

 

2) Detection of Needed Updates: Use also Applications Registry to detect needed Patches!

In Applications Registry the Program Versions are shown. Why not make a small check, e.g. Flash Player 16.0.0.296 is installed -> To immediately install the patch.

This would save the penetration of the disk, and the performance loss while making the vulnerability scan.

 

3) Use more detailed Events in installation Task Results.

Example 1: I sometimes get just an error message like 1 out of 12 Patches installed -

Nothing listed which patch did the failure or even why.

Example 2: Completed - Nothing to do. -> Maybe show some details somewhere when "Last Successful Vuln Scan" was made - This drives me nuts when some scans are aborted.

Example 3: Task Completed: Updates Installed 0 out of 2 ?? -> That's not a completion in my opinion if nothing is installed

 

 


Correct me if I am wrong, but currently it is not possible to have vulnerabilities fixed automatically without creating a task each time a new , is it?

 

Do you expose an API to interact with found vulnerabilities?


How do I refresh the Vulnerabilities Report? Right now it's reporting on over 1000 computers, yet we have less than 400. I've refreshed it, cleared my event logs, changed the setting to show only critical vulnerabilities. Yet I get the exact same report every time. This has given us very little confidence in the vulnerability reporting capabilities of Kaspersky.

 

Running: KSC 10.1.249 with KES 10.2.23 and KSCNA 10.1.249

 

Thanks,

 

Rob


1. Currently when using Kaspersky as WSUS server it fills up my C drive and I am unable to relocate the store as the files are stored in C:\ProgramData\KasperskyLab\adminkit\1093\.working. Can this be changed?

1. Currently when using Kaspersky as WSUS server it fills up my C drive and I am unable to relocate the store as the files are stored in C:\ProgramData\KasperskyLab\adminkit\1093\.working. Can this be changed?

 

KSC 10 SP1 has a new feature to change this folder. Just run klsrvswch.exe from the KSC folder. :)

post-3568-1426170605_thumb.png


The Vulnerability Assessment would be handy if it would just nicely report to KSC without notifying the end user about possible vulnerabilities.

KSC 10 SP1 has a new feature to change this folder. Just run klsrvswch.exe from the KSC folder. :)

post-3568-1426170605_thumb.png

 

I used this feature to relocate the wusfiles to another drive but it seems that all downloaded Windows updates are duplicated to "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer"

So it seems that the same amount of WUS* files now persist on the C: and E: drive of the server with over 200 GB of used space. Every day I am expanding the virtual disks of the server because it is freezing due to a full hard drive.

And I get patches just for Windows 7/8.1 and Server 2008 R2/2012 and some SQL Servers/Exchange.

This is definitely a big problem and I am thinking of disabling the whole WSUS part of KSC. Is there anything I can do?

 

I used this feature to relocate the wusfiles to another drive but it seems that all downloaded Windows updates are duplicated to "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer"

So it seems that the same amount of WUS* files now persist on the C: and E: drive of the server with over 200 GB of used space. Every day I am expanding the virtual disks of the server because it is freezing due to a full hard drive.

And I get patches just for Windows 7/8.1 and Server 2008 R2/2012 and some SQL Servers/Exchange.

This is definitely a big problem and I am thinking of disabling the whole WSUS part of KSC. Is there anything I can do?

 

You can use junctions to relocate the whole folder to a different location.

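The junction approach suggested in the reply above, as an added PowerShell example that is not part of the original thread or of Kaspersky's documentation. The source path is the one quoted in the thread; the target `E:\KSC\FTServer` and the service-name placeholder are assumptions to replace with your own values, and the script must run elevated.

```powershell
# Added example: move a folder to another volume and leave an NTFS junction behind.
# $Source is the path quoted in the thread; $Target and $ServiceName are
# placeholders (assumptions), not values taken from the product.
param(
    [string]$Source      = 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer',
    [string]$Target      = 'E:\KSC\FTServer',
    [string]$ServiceName = '<administration-server-service-name>'
)
$ErrorActionPreference = 'Stop'

# Refuse to run twice: an existing reparse point means the move was already done.
$item = Get-Item -LiteralPath $Source -Force
if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
    throw "$Source is already a junction or symlink; nothing to do."
}
if (Test-Path -LiteralPath $Target) { throw "$Target already exists." }

# Junctions resolve only to local volumes, so a UNC target cannot work.
if ($Target.StartsWith('\\')) { throw 'Junction targets must be on a local volume.' }

# The service must not hold files open while the folder is moved.
Stop-Service -Name $ServiceName
try {
    # /E copies subfolders; /COPYALL keeps ACLs, owner and timestamps, so the
    # new location is no more permissive than the original folder was.
    robocopy $Source $Target /E /COPYALL /R:1 /W:1 /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Keep the original as a rollback copy until the new location is verified.
    Rename-Item -LiteralPath $Source -NewName ((Split-Path $Source -Leaf) + '.old')
    New-Item -ItemType Junction -Path $Source -Target $Target | Out-Null
}
finally {
    Start-Service -Name $ServiceName
}

# Show what the junction now points at.
Get-Item -LiteralPath $Source -Force | Select-Object FullName, LinkType, Target
```

The space on C: is only freed once the `.old` copy is deleted, which should wait until the server has been confirmed to work from the new volume.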

I've a suggestion for Patch Management....

 

Scrap your current naming convention of "Patch A", "Patch B", "Patch C" etc. and adopt something more sensible along the lines of Microsoft's KBxxxxxxx. At least when they issue an update you can be sure which one is being referred to as, as far as I'm aware, the KB identifier is unique.

 

This Patch X is frankly absurd. In upgrading from KSC9/KES8 to KSC10/KES10 I came across TWO "Patch C"'s for KSC 10 and they were NOT the same!!!! That is just stupid.

 

George

Edited by george.h


Please allow the ability to download Microsoft/Windows patches to KSC cache prior to installing. Maybe give us the option to immediately download patches from Microsoft when an update is approved.

 

Currently, my only option is just to hit Start on the "Install application updates and fix vulnerabilities" and wait an unspecified amount of time for patches to download from the Internet. This makes timing on server patch management unpredictable (will I have to wait 15 minutes or 3 hours for the KSC/WSUS cache to complete...?).

 

Thanks

Edited by lepphce1
