3rd Party Patch Management

In this article, you will learn everything you need to know about the 3rd Party Patch Management module. Thiis product allows you to define policies for software management and automated patching and installation, schedule updates with our HEIMDAL Unified Threat Dashboard (UTD), blocklist applications and allow your users to click and install only the software approved by you. 

1. Description
2. How does 3rd Party Patch Management work?
3. HEIMDAL Agent - 3rd Party Patch Management
4. 3rd Party Patch Management view
5. 3rd Party Patch Management settings

DESCRIPTION

Our 3rd Party Patch Management Management solution will automatically install updates on the 3rd Party Applications HEIMDAL manages based on your configured policies, without the need for manual input. As soon as 3rd Party vendors release new patches, our technology silently deploys them to your endpoints, without the need for reboots or user interruption. HEIMDAL provides you with fully tested, repackaged, and ad-free updates using encrypted packages inside encrypted HTTPS transfers locally to your endpoints. Our distribution is further optimized through a local P2P network only between your machines. This gives you the powerful option to tailor your entire IT environment. You can create policies that meet your exact needs across the Active Directory groups within your organization. Once configured, the deployment is easy and simple. 

HOW DOES 3RD PARTY PATCH MANAGEMENT WORK?

When 3rd Party Patch Management is enabled, the HEIMDAL Agent checks the Windows Registries paths (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall) to see what are the 3rd Party Applications installed on the endpoint(s) and reports their status in the HEIMDAL Dashboard (it identifies an application using the DisplayName and DisplayVersion properties from the application's GUID registries). When a new version of a 3rd Party Application is available, the HEIMDAL Agent will securely download it from the HEIMDAL Security cloud, will decrypt it, and will run the installer with the specified install arguments.
3rd Party Applications can be installed or updated by the HEIMDAL Agent using one of the 3 methods below:
A. Automatic (force) install - the application is automatically installed on the first Group Policy check in case the application is not already present on the endpoint. If the application is already installed on the endpoint, the HEIMDAL Agent will bypass the automatic install;
B. Automatic update - the application is automatically patched (updated) by the HEIMDAL Agent when a newer version is available on the HEIMDAL Patching server;
C. Manual install - the application can be manually installed by the end-user from the HEIMDAL Agent in case the application is not already present on the endpoint.
The Application Blocklist feature allows you to uninstall specific applications that are installed on the endpoints inside your organization (in order for the feature to work, the application in question needs to have an UninstallString property defined in the Windows Registries in the case of MSI Installers and a QuietUninstallString in the case of non-MSI Installers).  

HEIMDAL Agent - 3rd Party Patch Management 

The HEIMDAL Agent displays information about the Monitored Applications, the Vulnerable Applications, the Version number, and the Status of each application. From the HEIMDAL Agent. The statistics displayed in the Patch & Asset Management are covering a 7-day interval.


The HEIMDAL Agent allows the end-user to manually install any of the 3rd Party Applications that are configured to be allowed for installation from the HEIMDAL Dashboard. 

3rd Paty Patch Management allows you to postpone the installation of a new patch in case you are using the application that is being patched.

3RD PARTY PATCH MANAGEMENT view

The Patch & Asset Management - 3rd Party Patch Management view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the 3rd Party Applications that are installed or monitored by the HEIMDAL Agent and is divided between the 3rd Party Applications monitored on Windows endpoints and the 3rd Party Applications monitored on Linux endpoints.

Windows OS

On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software (installed in the Agent and monitored).

The collected information is placed in the following views: Standard, Patches per Endpoint, Assets, and Compliance.

• Standard
  This view displays a table with the following details: Hostname, Username, Software, Version, CVE, CVS, Date, and Status. 
  
  The Standard allows you to view the information regarding the Latest Status (all statuses - up-to-date, patched, and vulnerable), Latest Patch (the latest installed/patched), Currently Vulnerable (displays the endpoints where vulnerabilities are still being discovered; a check is made every sync GP interval), Historically Vulnerable (displays the endpoints that have been discovered with vulnerabilities at a point in time), Up-to-date (all applications that are found to be up-to-date), Uninstalled. You are allowed to select one or multiple entries in the Standard and Hide them from the view. Vulnerable applications (that are listed in the Standard view -> Latest Status, Currently Vulnerable view, and Historically Vulnerable view) can be installed by selecting the Install 3rd Party Software option from the dropdown menu. The Show Hidden Apps radio button allows you to display all the applications that were hidden by the HEIMDAL Dashboard Administrator.  
• Patches per Endpoint
  This view displays a table with the following details: Hostname, Username, and Patches per Endpoint. 
  
• Assets
  The Asset view displays a list of all the 3rd Party Applications that are installed on all the endpoints that run the HEIMDAL Agent in your organization (no matter if the 3rd Party Applications are monitored by the HEIMDAL Agent or not). The detection is made in the following Windows Registries paths (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall). The table includes the following information: Application Name, Version, GUID, Installed Endpoints, Hostname (visible in the Non-Stacked view), Installed Server, Username (visible in the Non-Stacked view), Machine Type (visible in the Non-Stacked view), Uninstallable (3rd Party Applications that can be uninstalled by the HEIMDAL Agent), Supported (3rd Party Applications that are installed and updated through the HEIMDAL Agent), and Date and Time (visible in the Non-Stacked view). The Hide Microsoft Products radio button allows you to hide the Microsoft products from the Assets view. The Filters functionality allows you to filter entries by Monitored and Not Monitored applications. This view filters the data by the client (device) information's last seen status instead of the install/update time of a 3rd Party Application and the check is performed every 24 hours.
  
  Selecting one or multiple 3rd Party Applications allows you to:
  a. Add the selected application(s) to a Group Policy or all Group Policies to be automatically installed or be automatically updated (when a new version is available);
  b. Uninstall the selected application(s) if the Uninstall is supported by the HEIMDAL Agent (the Uninstall is supported for the 3rd Party Applications that are installed using an MSI Installer that creates an UninstallString property or for the 3rd Party Applications that are installed using an EXE Installer that creates a QuietUninstallString property).
  
• Compliance
  This view displays a table with the following details: Hostname, Username, Number of Updates, and Last Seen. 
  
  The Compliant / Non-Compliant filter allows you to switch between the endpoints that are compliant or not. This view does not consider the selected timeframe (from the top of the HEIMDAL Dashboard), but instead, it displays the endpoints filtered by a specific date or an interval, both selected from the green Filter button. When checking for compliance, it is necessary to set a desired date. A compliant machine is an endpoint that has no pending updates before the selected date/interval. A non-compliant machine is an endpoint that has got pending updates before the selected date/interval. Filtering for compliant endpoints will list endpoints with 0 updates, which shows they are up to date. Filtering for non-compliant endpoints is possible only by selecting a specific date but not an interval, as this view can only show the endpoints that have got pending updates before the selected interval. 
  
  The Compliance view is considering the Cyber Essentials norms when deeming an endpoint as being compliant or not. The Cyber Essentials compliant view will display all endpoints that do not have any 3rd Party Patches missing in the last 14 days and have a CVSS score of less than 7 since the application's release date (Heimdal release date), while the Cyber Essentials non-compliant view will display all endpoints that are missing a patch that is not applied and older than 14 days and has a CVSS score higher than (or equal) 7, a patch version lower than the version selected in the Group Policy, and the patch reached End of Life (EOL).
  

The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.

Linux OS

On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.

The collected information is placed in the following views: Standard, Patches per Endpoint, and Compliance.

• Standard
  This view displays a table with the following details: Hostname, Username, Software, Package, Distribution, Version, Date, and Status. 
  
  The Standard allows you to view the information regarding the Latest Status, Latest Patch, Currently Vulnerable, Historically Vulnerable, Up-to-date, and Uninstalled. You are also allowed to select one or multiple entries in the Standard and Hide them from the view. The Show Hidden Apps radio button allows you to display all the applications that were hidden by the HEIMDAL Dashboard Administrator.  
• Patches per Endpoint
  This view displays a table with the following details: Hostname, Username, and Patches per Endpoint. 
  
• Compliance
  This view displays a table with the following details: Hostname, Username, Number of Updates, Last Seen, and Status. 
  
  The Compliant / Non-Compliant filter allows you to switch between the endpoints that are compliant or not.

The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.

3RD PARTY PATCH MANAGEMENT settings

The Patch & Asset Management - 3rd Party Patch Management module allows the user(s) to install or update a specific 3rd Party Application from the list of applications managed by HEIMDAL Security. 

Windows OS

3rd Party Patch Management - turn ON/OFF the 3rd Party Patch Management module;

General Settings

Infinity Management - turn on/off the Infinity Management module to deploy your own 3rd Party Applications/Patches from the stand-alone patch management system. The patches can be configured in the Infinity Management module and applied to any Group Policy;
Keep all applications up-to-date - all current and future 3rd Party Applications that are included in our 3rd Party Patch Management list will be added to automatic update;
Assets View - allows you to track down and manage all the 3rd Party Applications installed on the devices in your organization, even if we do not offer patches for them (supports applications that are installed in the All Users context). The Assets View updates the list of applications every 24 hours, but it can be manually updated by restarting the computer (this one takes the Delay Patching on Start-up option into consideration). 
Software Asset Management - allows you to manage the software license details for an application that is installed in your environment in a dedicated view found under Patch & Asset Management -> 3rd Party Patch Management. You can input Software Name, Version, Publisher, License Type, Quantity, Price, Expiration Date, etc. 

Manage Applications 

Show only Infinity Management applications - displays the 3rd Party Applications added in Infinity Management only;

Install - enable the selected 3rd Party Application(s) to be installed on the endpoint(s) if it is not already installed. If the 3rd Party Application is already installed, it will not do anything;
Update - enable the automatic update of the selected 3rd Party Application(s);
Allow Install - make the selected 3rd Party Application(s) available for manual installation by displaying it in the HEIMDAL Agent - 3rd Party Patch Management list:

Delay - allows you to delay the automatic deployment of the selected 3rd Party Application(s) by 1 to 30 days;
Version - allows you to target the selected 3rd Party Application(s) to the Latest Version or to an older version (available in the Patching System). Targeting a version that is older than the Latest Version will downgrade the higher version to the targeted version. This means that Heimdal™ Patch & Assets will not update it anymore (this works ONLY for the 3rd Party Applications that can be uninstalled through the HEIMDAL Agent, where Uninstall is supported);
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for newly available patches;
Delay patching on startup - allows you to set the delay time interval applied on computer startup until the HEIMDAL Agent starts the patching operation;

Patch install delay pop-up - notifies the end-user when a 3rd Party Application is being installed (when it is performed from the Active Clients view). The install delay allows you to configure the installation delay by 5 to 60 minutes and the number of postpones the end user is allowed to postpone the installation;
Patching Schedule - allows you to set a scheduler for the 3rd Party Application patching module:

• You can select one or more days in a week when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
  
• You can select one or more days in a month when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
• You can also select a specific interval of any day to exclude the 3rd Party Application patching.

Applications Blocklist

This feature allows you to uninstall a specific 3rd Party Application(s) to restrict the usage of unwanted applications or to get applications removed from all endpoints that are applying the current Group Policy. This feature removes most of the applications that Patch & Asset Management is monitoring and also uninstalls other 3rd Party Applications that are present on the endpoints but not managed by Patch & Asset Management module.
To uninstall a 3rd Party Application you need to specify the name of the application. You can also specify at least the first word of the name (in case the 3rd Party Application has a name composed of more than 1 word) to target multiple 3rd Party Applications that have their name starting with the same word and tick the Starts with a tickbox to be able to add the entry.

• The example below targets the Poly Lens application that is installed on the endpoint(s); 
• If you target a specific application you have to add the exact application name (like it is displayed in Control Panel - Programs and Features' list) to be uninstalled (like in the example below: Java 8 Update 291 (64-bit);

Example: 

• If you want to uninstall a 3rd Party Application that is in the 3rd Party Patch Management list, you need to make sure that the tickboxes for Install and Update are unticked in order to be able to add the 3rd Party Application in the Application Blocklist.

Linux OS

3rd Party Patch Management - turn ON/OFF the 3rd Party Patch Management module;

General Settings

Infinity Management - turn on/off the Infinity Management module to deploy your own 3rd Party Applications/Patches (.msi, .exe, .bat files) from the stand-alone patch management system. The patches can be configured in the Infinity Management module and applied to any Group Policy;
Keep all applications up-to-date - all current and future 3rd Party Applications that are included in our 3rd Party Patch Management list will be added to automatic update;
Update non-Heimdal supported packages - allows you to update non-Heimdal packages installed on the endpoint. 

Manage Applications 

Show only Infinity Management applications - displays the 3rd Party Applications added in Infinity Management only;

Install - enable the selected 3rd Party Application(s) to be installed on the endpoint(s) if it is not already installed. If the 3rd Party Application is already installed, it will not do anything;
Update - enable the automatic update of the selected 3rd Party Application(s);
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for newly available patches;
Patching Schedule - allows you to set a scheduler for the 3rd Party Application patching module; 

• You can select one or more days in a week when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
  
• You can select one or more days in a month when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
• You can also select a specific interval of any day to exclude the 3rd Party Application patching.

Applications Blocklist

This feature allows you to uninstall a specific 3rd Party Application(s) to restrict the usage of unwanted applications or to get applications removed from all machines that are applying the current Group Policy. This feature removes most of the applications that Patch & Asset Management is monitoring and also uninstalls other 3rd Party Applications that are present on the endpoints but not managed by Patch & Asset Management module. To uninstall a 3rd Party Application you need to specify the name of the application and a version option (exact version, lower versions, or higher versions).

• the example below targets any Spotify application and versions 2.23.7.10 and higher of WhatsApp;
• using the Starts with option will remove any package named Spotify or WhatsApp with the specified version or higher.

Example: 

• If you want to uninstall a 3rd Party Application that is in the 3rd Party Patch Management list, you need to make sure that the tickboxes for Install and Update are unticked in order to be able to add the 3rd Party Application to the Application Blocklist.