Using the Patches page you can view the details of all patches that are applicable to the zone and you can also view information about all patches that are applicable for a specific device.
This page can be accessed by clicking the Security tab in the left navigation menu and then clicking the Patches tab. This page displays a list of all patches that are applicable to the zone and it provides the following information:
The Patch Name is the name that identifies a patch. This name typically includes the vendor or manufacturer of the patch, the specific application, and version information.
An example of a patch name is shown as follows. It indicates that Adobe is the vendor, Adobe Flash Player is the application, and 21.0.0.242 is the version information:
Microsoft Patches:
All Microsoft security patches are titled with their Microsoft Security Bulletin number in the format MS0x-yyy, where 0x indicates the year the patch was released and yyy indicates the sequential number of the released patch. These patches are critical and must be installed as soon as possible.
Names of all Microsoft non-security patches include the Knowledge Base (KB) article number. These patches can be installed at your discretion.
The names of Microsoft service packs and third-party patches do not usually contain a KB number and never a Microsoft Security Bulletin number. Test these service packs thoroughly to ensure that they have the expected results.
For more information on the naming conventions for patches, refer to Comprehensive Patches and Exposures (CVE), which is a list of standardized names for patches and other information exposures. Another useful resource is the National Patch Database, which is the U.S. government repository of standards-based patch management data.
The patches shown in the Patches page have different icons indicating their current status. The following table describes the icons for each patch:
Patch Icon |
Significance |
---|---|
Indicates the patches that are disabled. Disabled patches are hidden by default. Use the Include Disabled filter in the Search panel to show these items. |
|
Indicates that only the fingerprint information for the patch has been brought down from the ZENworks Patch Subscription Network. This icon represents the patches that are not cached. |
|
Indicates that a download process for the bundles associated with the selected patch is pending. |
|
Indicates that a download process for the bundles associated with the selected patch has started. This process caches those bundles on your ZENworks Server. |
|
Indicates that the fingerprints and remediation patch bundles that are necessary to address the patch have been cached in the system. This icon represents the patches that are cached and ready for deployment. |
|
Indicates that an error has occurred while trying to download the bundle associated with the selected patch. |
The total number of patches that are available for deployment is displayed in the bottom-left corner of the Patches panel. In the following figure, the total number of available patches is 106:
The Impact is the type of patch defined on the basis of the severity of the patch; the type can be Critical, Recommended, Informational, or Software Installers. Each impact is described as follows:
Critical: ZENworks has determined that this type of patch is critical, and should be installed as soon as possible. Most of the recent security updates fall in this category.
Recommended: ZENworks has determined that this patch, although not critical or security related, is useful and should be applied to maintain the health of your computers. You should install patches that fall into this category.
Informational: This type of patch detects a condition that ZENworks has determined is informational. Informational patches are used for information only. There is no actual patch to be installed.
Software Installers: These types of patches are software applications. Typically, this includes software installers. The patches show Not Patched if the application has not been installed on a machine.
Patch Management impact terminology for its patch subscription service closely follows the vendor impact terminology for patch criticality. Each operating system has a vendor-specific impact rating and that impact is mapped to a ZENworks rating as described in this section. Patch Management, following the recommendations of Lumension Security, increases or steps up the severity of the impact rating. For example, Microsoft classifications for Critical, Important, and Moderate patches are all classified as Critical by ZENworks.
The following table lists the mapping between ZENworks and Microsoft patch classification terminology:
Table 7-1 ZENworks and Microsoft Patch Impact Mapping
ZENworks Patch Impacts |
Windows |
Other |
---|---|---|
Critical |
Critical Security Important Moderate |
NA |
Recommended |
Recommended Low Example: Microsoft Outlook 2003 Junk E-mail Filter Update |
NA |
Informational |
NA |
NA |
Software Installers |
Software Distribution Example: Microsoft Windows Malicious Software Removal Tool (Virus Removal) |
Adobe 8.1 software installer |
The Patched column displays a link indicating the total number of devices to which the corresponding patch has been applied.
Click a link to display the Devices that are patched with the selected patch.
Displays a link indicating the total number of devices to which the corresponding patch has not been applied.Click a link to display the Devices on which the patch has not been applied as yet. You can deploy the patch to these devices by using the Deploy Remediation option.
The date the patch was released by the vendor is displayed in the right column under Released On. Click the Released On column to sort patches by their release date. All the patches released in the last 30 days are displayed in bold font.
The Search panel on the Patches page offers extensive search and data filtering options that allow you to search for specific patches and filter result sets based on the status and impact of the patches. Searching and filtering can be performed independently of each other or can be combined to provide extensive drill-down capabilities.
To search for a patch:
Type all or part of the patch name in the Patch Name text box.
Select applicable filter options; the CVE identifier must be typed.
Click Search.
To filter from all existing patches:
Leave the Patch Name text box empty.
Select applicable filter options.
Click Search.
NOTE:Click Reset to return to the default settings.
The following table describes the result of selecting each filter option under Status:
Status Filter |
Result |
---|---|
Patched |
Search results include all the patches in the patch list that have been applied to one or more devices. |
Not Patched |
Search results include all the patches in the patch list that have not been applied to any device. |
Not Applicable |
Search results include all the patches in the patch list that do not apply to the device. |
Include Disabled |
Search results include all the patches in the patch list that have been disabled by the administrator. |
The following table describes the result of selecting each filter option under Impact (Impact Filters in Search):
Impact Filter |
Result |
---|---|
Critical |
Search results include all the patches in the patch list that are classified as Critical by ZENworks. |
Recommended |
Search results include all the patches in the patch list that are classified as Recommended by ZENworks. |
Informational |
Search results include all the patches in the patch list that are classified as Informational by ZENworks. |
Software Installers |
Search results include all the patches in the patch list that are classified as Software Installers by ZENworks. |
The following table describes the remaining filter options on the Search panel:
Filter |
Result |
---|---|
Platform |
Search results include all the patches relevant to the operating system in the patch list. |
Vendor |
Search results include all the patches relevant to the vendor in the patch list. |
Cache Status |
Search results include all the patches relevant to their cache status on the local server. |
CVE Identifier |
Search results include all the patches that have the common vulnerabilities and exposures ID that you type. |
Relationships NOTE:This filter is only applicable to the Patches page on a selected patch policy. |
Search results include patches for devices assigned to a patch policy, according to the option selected in the filter menu. For more information, see Understanding the Relationships Filter. |
The Search feature on the Patches page for a patch policy differs from the Search feature on the global Patches page by omitting the Platform filter and adding the Relationships filter. The Relationships filter enables you to limit and define the reporting of patch status according to the devices assigned to the patch policy as described below:
This is the default setting. It displays patch status for the first 500 devices assigned under the Relationships tab of a selected patch policy. If the policy is assigned to more than 500 devices, the complete list of devices can be viewed under Patched and Not Patched column values.
This option displays patch status for patches on designated test devices assigned to the selected patch policy.
Specific devices, device folders, or device groups will be listed under the Test devices option. For example, <computer name>, Workstations, Windows 10 Workstations and so forth can be assigned as a relationship to the patch policy.
When you filter on one of these relationship types, patch status will only be displayed for device patches that fall within that device criteria.
IMPORTANT:Due to the complexity of returning Patched and Not Patched results and the variables involved, a hundred percent accuracy for device counts in patch status is uncommon with large organizations. For example, if your organization has more than 500 devices assigned to a patch policy and you open the Patches page on that policy, the aggregate number of devices in the Patched and Not Patched columns is unlikely to reach 500 with the Relationships.
Using the Device Patches Page you can view information related to all patches, patch policies and remediation bundles assigned to the selected device. You can also perform actions for particular patches and refresh the assignments made to the device. The Device Patches page includes the following panels:
Figure 7-1
This panel lists all the patches that are applicable to the device and provides the following information for each patch:
The Patch Name is the name that identifies a patch. This name typically includes the vendor or manufacturer of the patch, the specific application, and version information.
An example of a patch name is shown as follows. It indicates that Adobe is the vendor, Adobe Flash Player is the application, and 21.0.0.242 is the version information:
Microsoft Patches:
All Microsoft security patches are titled with their Microsoft Security Bulletin number in the format MS0x-yyy, where 0x indicates the year the patch was released and yyy indicates the sequential number of the released patch. These patches are critical and must be installed as soon as possible.
Names of all Microsoft non-security patches include the Knowledge Base (KB) article number. These patches can be installed at your discretion.
The names of Microsoft service packs and third-party patches do not usually contain a KB number and never a Microsoft Security Bulletin number. Test these service packs thoroughly to ensure that they have the expected results.
For more information on the naming conventions for patches, refer to Comprehensive Patches and Exposures (CVE), which is a list of standardized names for patches and other information exposures. Another useful resource is the National Patch Database, which is the U.S. government repository of standards-based patch management data.
When you click the patch name link, the Patch Details Page page is displayed.
The Impact is the type of patch defined on the basis of the severity of the patch; the type can be Critical, Recommended, Informational, or Software Installers. Each impact is described as follows:
Critical: ZENworks has determined that this type of patch is critical, and should be installed as soon as possible. Most of the recent security updates fall in this category.
Recommended: ZENworks has determined that this patch, although not critical or security related, is useful and should be applied to maintain the health of your computers. You should install patches that fall into this category.
Informational: This type of patch detects a condition that ZENworks has determined is informational. Informational patches are used for information only. There is no actual patch to be installed.
Software Installers: These types of patches are software applications. Typically, this includes software installers. The patches show Not Patched if the application has not been installed on a machine.
Patch Management impact terminology for its patch subscription service closely follows the vendor impact terminology for patch criticality. Each operating system has a vendor-specific impact rating and that impact is mapped to a ZENworks rating as described in this section. Patch Management, following the recommendations of Lumension Security, increases or steps up the severity of the impact rating. For example, Microsoft classifications for Critical, Important, and Moderate patches are all classified as Critical by ZENworks.
The following table lists the mapping between ZENworks and Microsoft patch classification terminology:
Table 7-2 ZENworks and Microsoft Patch Impact Mapping
ZENworks Patch Impacts |
Windows |
Other |
---|---|---|
Critical |
Critical Security Important Moderate |
NA |
Recommended |
Recommended Low Example: Microsoft Outlook 2003 Junk E-mail Filter Update |
NA |
Informational |
NA |
NA |
Software Installers |
Software Distribution Example: Microsoft Windows Malicious Software Removal Tool (Virus Removal) |
Adobe 8.1 software installer |
The Patched column indicates if the patch has been applied on the device or not. shows the relationship between a specific patch and the total number of devices (or groups) within ZENworks Server that meet a specific status. The patch statistics appear in two columns on the far right side of the Patches page. Each column status is described as follows:
The patches shown in the Patches page have different icons indicating their current status. The following table describes the icons for each patch:
Patch Icon |
Significance |
---|---|
Indicates the patches that are disabled. Disabled patches are hidden by default. Use the Include Disabled filter in the Search panel to show these items. |
|
Indicates that only the fingerprint information for the patch has been brought down from the ZENworks Patch Subscription Network. This icon represents the patches that are not cached. |
|
Indicates that a download process for the bundles associated with the selected patch is pending. |
|
Indicates that a download process for the bundles associated with the selected patch has started. This process caches those bundles on your ZENworks Server. |
|
Indicates that the fingerprints and remediation patch bundles that are necessary to address the patch have been cached in the system. This icon represents the patches that are cached and ready for deployment. |
|
Indicates that an error has occurred while trying to download the bundle associated with the selected patch. |
The name of the patch remediation bundle or policy assignment that includes the signature and is assigned to the device, is displayed in this column. When you click on the Assignment link, the Bundle or Policy Details page is displayed.
The date the patch was released by the vendor is displayed in the right column under Released On. Click the Released On column to sort patches by their release date. All the patches released in the last 30 days are displayed in bold font.
The date on which the patch signature was installed on the device, either through a remediation bundle, or through a patch policy. If the patch was not installed by ZENworks, this field will be empty.
The name of the user who installed the patch on the device. If the patch was installed by ZENworks, then the value will be ZENworks. Else, if the patch was installed manually, for example, a Windows update, then the value will be Other.
The total number of patches that are available for deployment is displayed in the bottom-left corner of the Patches panel. In the following figure, the total number of available patches is 106:
NOTE:The total number of patches that are available for deployment is displayed in the bottom-left corner of the Patches panel.
The Assigned Patch Policies panel displays all the enabled patch policies that are assigned to the device. This panel includes the following information:
The names of the enabled patch policies that are assigned to the device.
The published version of the patch policy.
The schedule of when the policy is enforced on the device.
Links to the source of the assignment, either the Device object's Summary page, the Device Group object's Summary page, or the Device Folder's Summary page. When you click the source, the object's Summary page is displayed. If there are multiple sources, they are displayed as an expandable hierarchy.
This panel displays all the patch bundles that are assigned to the device. This panel includes the following information:
The remediation deployment name. When you click this link, the Bundle Summary page is displayed.
The path to the folder in which the bundle is saved.
The date on which the bundle assignment was created.
The schedule of when the deployment is enforced on the device. For example, Every Sun, Mon, Tue.
Links to the source of the assignment, either the Device object's Summary page, the Device Group object's Summary page, or the Device Folder's Summary page. When you click the source, the object's Summary page is displayed. If there are multiple sources, they are displayed as an expandable hierarchy.
The Search panel on the Patches page offers extensive search and data filtering options that allow you to search for specific patches and filter result sets based on the patch status, impact of the patches and assignment status. Searching and filtering can be performed independently of each other or can be combined to provide extensive drill-down capabilities.
To search for a patch:
Type all or part of the patch name in the Patch Name text box.
Select applicable filter options; the CVE identifier must be typed.
Click Search.
To filter from all existing patches:
Leave the Patch Name text box empty.
Select applicable filter options.
Click Search.
NOTE:Click Reset to return to the default settings.
The following table describes the result of selecting each filter option under Status:
Status Filter |
Result |
---|---|
Patched |
Search results include all the patches in the patch list that have been applied to one or more devices. |
Not Patched |
Search results include all the patches in the patch list that have not been applied to any device. |
Not Applicable |
Search results include all the patches in the patch list that do not apply to the device. |
Include Disabled |
Search results include all the patches in the patch list that have been disabled by the administrator. |
The following table describes the result of selecting each filter option under Assignment Status.
Status Filter |
Result |
---|---|
Assigned |
Search results include all the patches in the patch list that have been assigned to one or more devices. |
Not Assigned |
Search results include all the patches in the patch list that have not been assigned to any device. |
The following table describes the result of selecting each filter option under Impact (Impact Filters in Search):
Impact Filter |
Result |
---|---|
Critical |
Search results include all the patches in the patch list that are classified as Critical by ZENworks. |
Recommended |
Search results include all the patches in the patch list that are classified as Recommended by ZENworks. |
Informational |
Search results include all the patches in the patch list that are classified as Informational by ZENworks. |
Software Installers |
Search results include all the patches in the patch list that are classified as Software Installers by ZENworks. |
The following table describes the remaining filter options on the Search panel:
Filter |
Result |
---|---|
Platform |
Search results include all the patches relevant to the operating system in the patch list. |
Vendor |
Search results include all the patches relevant to the vendor in the patch list. |
Cache Status |
Search results include all the patches relevant to their cache status on the local server. |
CVE Identifier |
Search results include all the patches that have the common vulnerabilities and exposures ID that you type. |
Relationships NOTE:This filter is only applicable to the Patches page on a selected patch policy. |
Search results include patches for devices assigned to a patch policy, according to the option selected in the filter menu. For more information, see Understanding the Relationships Filter. |