
040.80 - Chapter 3 - Patch Management (Script) PDF

Kaspersky Endpoint Security Cloud uses vulnerability assessment and patch management capabilities to help system administrators simplify the process of detecting and fixing vulnerabilities in operating systems and applications across their network. It scans managed devices on a schedule to identify vulnerabilities and available patches from its own database as well as Microsoft Windows Update. Administrators can view vulnerability reports and install recommended patches through the Kaspersky Security Center interface to help automate the software updating process. The vulnerability assessment identifies issues while the patch management task installs necessary updates on client computers and servers.

Part 3. Video 3.

As efficient as the protection and control components may be, vulnerabilities in the operating system and
programs nevertheless need to be fixed. Certainly, the administrator is able to take care of that, but in
many cases Kaspersky Security Center helps to simplify this task. This chapter explains how to use
Kaspersky Security Center to detect and fix vulnerabilities.

Other things being equal, operating system vulnerabilities are more dangerous than vulnerabilities in
programs, because they are more widespread and criminals use them for attacking computers more often.
However, some program vulnerabilities also pose a considerable threat, for example, vulnerabilities in
browsers or widespread office applications.

To fix Windows vulnerabilities, it is sufficient to regularly install the updates issued by Microsoft.
The Windows Update system service takes care of that. To fix vulnerabilities in applications by other
manufacturers, it is usually sufficient to install a new program version or a patch issued by
the manufacturer.

The main problem is how to automate the whole process of regular software updating. While the
administrator is provided with the necessary tools (domain policies) for regular installation of Microsoft
updates, regular updates of applications by other manufacturers require a lot of manual work.

Meanwhile, even if the administrator uses domain policies, they cannot verify even the installation of
critical updates: whether it completed on all computers or whether the download was interrupted by the user.
The same applies to applications by other manufacturers: new program versions can also be installed
periodically using domain policies, but the question is which versions to install. How can the
administrator find out which programs are installed on which computers and which of them are
vulnerable?

This is where Kaspersky Endpoint Security Cloud proves most useful. The administrator can use its patch
management capabilities to monitor the updates available for the operating systems and Microsoft
applications, and also vulnerabilities in the third-party programs installed on the computers.

The Vulnerability assessment task can run daily or weekly on the client computers and servers, depending
on the selected schedule, to provide up-to-date information about operating system security issues and
vulnerable third-party applications. The patch management task forces the client computers and servers
to download and install the necessary patches for the operating system or third-party applications.

The Vulnerability assessment and patch management functionality fully depends on the available license.
To use all the capabilities to the full extent, a Kaspersky Endpoint Security Cloud Plus license is
necessary.

Kaspersky Security Cloud looks for the information about available updates for Windows and other
Microsoft software, and also about vulnerabilities within Microsoft and other manufacturers’ software.
Some of the Windows Updates fix the discovered vulnerabilities: thus, several issues can be covered at a
time.

Kaspersky Security Network Agent gathers information about the updates of the operating system and
Microsoft software that are already installed and that still need to be installed. Kaspersky Endpoint
Security does not participate in this process. Kaspersky Security Network Agent receives information about
available updates either from the Windows Update service, which connects directly to Microsoft online
update servers, or from Kaspersky Endpoint Security Cloud, which checks Kaspersky Lab advisory DB,
the proprietary threat and vulnerability database.

Based on the data about available updates, Kaspersky Security Network Agent determines which updates are
installed and which are not, and informs Kaspersky Endpoint Security Cloud.

Kaspersky Security Network Agent also gathers information about vulnerabilities: it automatically
monitors program starts and additionally scans all programs installed on the client computer according to
a specified schedule. As we mentioned earlier, the information about vulnerabilities is obtained from
Kaspersky Lab advisory DB, compiled by Kaspersky Lab experts based on in-house analytics of the most
typical threats and vulnerabilities to information systems.

The information about vulnerabilities, available patches and updates is transferred from the client
computers to the Kaspersky Endpoint Security Cloud workspace, where the administrator can view it,
filter it, and use it to fix vulnerabilities.

The data from the Kaspersky Lab database and Windows Update metadata are used for fixing
vulnerabilities. Windows Update metadata maps the available Microsoft updates against
the vulnerabilities that need to be fixed in Microsoft applications and operating systems. The Kaspersky
Lab vulnerability database provides similar information for other vendors.

Windows Update metadata is provided either by Kaspersky Endpoint Security Cloud or by the local
Windows Update service, depending on your organization's settings. In the former case, the Kaspersky
Security Cloud task loads metadata to the managed workspace; the relevant updates available as first
updates are downloaded to the managed workspace before being distributed to the client computers by the
Kaspersky Security Network Agents.

This means that the Kaspersky Security Network Agents installed on the managed devices receive information
about available updates from Kaspersky Endpoint Security Cloud and then force the local Windows Update
service to connect to Windows Update servers and download the necessary updates and patches.

Kaspersky Security Network Agents do not control the installation process. Kaspersky Endpoint Security
Cloud uses the Vulnerability assessment task to enumerate all installed applications and determine whether
they are updated or vulnerable. If known vulnerabilities are found, information about patching and
updating the third-party applications is delivered to Kaspersky Endpoint Security Cloud.

To install the required updates and fix vulnerabilities, the Kaspersky Endpoint Security Cloud
administrator should schedule an additional patch management task. We will talk about it in the
demonstration video.

Vulnerability assessment settings are located in the security management section of the security profile.

First you need to set the Vulnerability assessment task schedule. You can run the task daily or weekly,
depending on your needs and the security policies of your organization. We recommend that you schedule
the Vulnerability assessment task to run once a week. Vulnerability assessment scanning starts on a
specified day and time and slows down the computer to some extent. Select a time when employees do not
work, or when the users do not perform resource-consuming operations. By default a single task is created
for all managed Windows computers in the workspace.

In this demonstration, we choose lunch time to perform the task.

When the vulnerability assessment task has been applied to the managed device, the Kaspersky Security
Center vulnerability and patch management component executable file (VAPM.EXE) appears in the list of
running processes.

After the task completes, the information about found vulnerabilities and updates is displayed in the
Vulnerability Assessment section. Software vulnerabilities lists all the information about vulnerabilities
found across the network. The administrator can filter by:

Vendor (Microsoft or third-party)

Severity level (Critical, High or Warning)

Plan to fix (planned, partially planned, not planned)

As a side note here: Severity level is a parameter specified by Kaspersky Lab experts, based on the
analysis of the particular vulnerabilities and the threats related to them.

It defines the danger level the vulnerability exposes the system to. For example, if malware exists that
exploits this vulnerability, its severity level is Critical. The High and Warning levels indicate the relevant
level of potential security risk associated with the vulnerability, although Kaspersky Lab has yet to see
these vulnerabilities being exploited.

Click the vulnerability name to see detailed information about it: Severity level, the number of devices
on which it has been found, the vulnerable application, and the detection date and time. Typically this is
the time when the vulnerability assessment task ran.

Click the View patches link to consult the list of patches that fix this vulnerability. Most of the
Microsoft updates and third-party applications have a license agreement. The administrator has to accept
the agreement before installing the patch. Otherwise, the installation will remain in the planned status
and the patch won’t be installed even if the patch management task successfully completes on the managed
devices.

Different versions of the same operating system may need different patches. In this case KES Cloud will
detect the version of the operating systems installed on the devices to help the administrator select the
necessary patch.

The general vulnerability status of the network can be evaluated using the Vulnerabilities report. It
represents computers’ distribution by the severity level of the vulnerabilities detected on them. Click
a vulnerability name in the aggregate table to view the list of all computers where it is found.

The vulnerability assessment task only searches for vulnerabilities on managed Windows devices, but doesn’t
patch them. In a medium-sized enterprise, the administrator might need to automate patch installation. To
achieve this goal you can configure the patch management task in KES Cloud.

A patch management task in KES Cloud forces managed Windows devices to search for and download
updates and patches for Windows and third-party applications from the internet.

The patch management task settings are located in the security management section of the security profile.
Follow the Patch installation settings link to open the task settings. Patch and update installation
parameters are regulated by the installation mode specified in the task properties. A rule may belong to
one of the following types:

Install all patches

Install approved patches only

Install approved patches only: this mode means that an administrator is supposed to study all available
updates, accept the license agreement and assign the approved status to some of them. This parameter is
enabled by default. It means that if an administrator does not approve patches for installation, no patch
will be installed and its installation status will change to approval pending.

To simplify installation you can select the option to Install all patches. In this case all available patches
will be installed automatically, except those where you must accept the license agreement first, which is
typically required when installing a new version of third-party software.

The Installation area parameters allow the administrator to configure on which types of devices,
workstations or servers, the updates and patches are installed. By default the All devices parameter is
selected.

To enable the patch management task, the administrator should select a schedule for when the task will be
executed. There are two possible options: daily or weekly. If no schedule is selected, the task will remain
disabled.

Since the same VAPM.EXE process is involved in both patch management and vulnerability search, the
patch management task must not run at the same time as the vulnerability assessment task. Please
configure the schedule carefully so that the patch management task runs only after the vulnerability
assessment task completes.

If the Postpone installation until the device is turned off option is enabled, the patch will be installed
when the device is restarted or shut down. Otherwise, the patch will be installed according to the schedule.
Use this option if installing the patch might affect the device performance.

Operating system restart option: select what to do if the patch installation requires a restart of the
device operating system. Three possible options are available:

Do not restart the device

Restart the device

Prompt user for action: the restart reminder is displayed on the screen of the user’s device, prompting
the user to restart manually.

If the Restart the device after it is idle for more than 30 minutes option is enabled, after prompting the
user the application forces the restart of the operating system upon the expiration of the specified time
interval.

When the patch management task completes successfully and the necessary patches have been installed,
Kaspersky Security Network Agent will prompt the user to restart the machine. The end user can choose
to restart or to postpone for 30 minutes. If there are several patches to be installed, additional restarts
might be requested.

To be sure that all the necessary patches and updates have been installed, open Programs and Features
and check that the new updates are present in the list.

To make sure that all patches have been installed and there are no more vulnerabilities, navigate to
the vulnerability assessment section of the security management settings and verify that there are no
vulnerabilities in the list and that the counter shows 0.

Additionally you can consult the Vulnerabilities report to make sure that you have nothing to worry
about. Check that the counter of devices without vulnerabilities is equal to the number of
managed Windows devices and that the number of devices with vulnerabilities found is equal to 0.
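
The local verification step above can also be scripted on a managed device. The following PowerShell is an added example, not part of the original script or of any Kaspersky tooling; the KB identifiers are placeholders to be replaced with the updates approved in the console, and the process name vapm is assumed from the VAPM.EXE file name mentioned earlier.

```powershell
# Added example: local cross-check after the patch management task has run.
# $ExpectedKb holds placeholder IDs; replace them with the KB numbers approved in the console.
param(
    [string[]]$ExpectedKb = @('KB0000001', 'KB0000002')   # placeholders, not real updates
)

function Test-PendingReboot {
    # Well-known Windows markers that exist while an installed update still needs a restart.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($key in $keys) {
        if (Test-Path -Path $key) { return $true }
    }
    return $false
}

# VAPM.EXE performs both the vulnerability scan and the patch installation, so a
# result taken while it is still running may be incomplete.
$vapmRunning = [bool](Get-Process -Name 'vapm' -ErrorAction SilentlyContinue)

# Get-HotFix reports Windows updates (Win32_QuickFixEngineering) only; patches for
# third-party applications do not appear there and must be checked by application version.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$present   = @($ExpectedKb | Where-Object { $_ -in $installed })
$missing   = @($ExpectedKb | Where-Object { $_ -notin $installed })
$reboot    = Test-PendingReboot

# One record per device, suitable for collecting and comparing with the
# Vulnerabilities report counters.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    VapmRunning   = $vapmRunning
    RebootPending = $reboot
    InstalledKb   = $present
    MissingKb     = $missing
    Compliant     = (-not $vapmRunning) -and ($missing.Count -eq 0) -and (-not $reboot)
}
```

A device that reports RebootPending as true has patches that were installed but are not yet effective, which matches the additional restarts described above.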
