In this article, you will learn everything you need to know about the 3rd Party Patch Management module. This product allows you to define policies for software management and automated patching and installation, schedule updates with our HEIMDAL Unified Threat Dashboard (UTD), blocklist applications and allow your users to click and install only the software approved by you.
1. Description
2. How does 3rd Party Patch Management work?
3. HEIMDAL Agent - 3rd Party Patch Management
4. 3rd Party Patch Management view
5. 3rd Party Patch Management settings
DESCRIPTION
Our 3rd Party Patch Management solution automatically installs updates for the 3rd Party Applications HEIMDAL manages, based on your configured policies, without manual input. As soon as 3rd Party vendors release new patches, our technology silently deploys them to your endpoints, without reboots or user interruption. HEIMDAL provides fully tested, repackaged, and ad-free updates, delivered as encrypted packages over encrypted HTTPS transfers to your endpoints. Distribution is further optimized through a local P2P network restricted to your own machines. This gives you the option to tailor your entire IT environment: you can create policies that meet your exact needs across the Active Directory groups within your organization. Once configured, deployment is easy and simple.
HOW DOES 3RD PARTY PATCH MANAGEMENT WORK?
When 3rd Party Patch Management is enabled, the HEIMDAL Agent checks the Windows Registry paths (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall) to determine which 3rd Party Applications are installed on the endpoint(s) and reports their status in the HEIMDAL Dashboard (an application is identified by the DisplayName and DisplayVersion values under its GUID registry key). When a new version of a 3rd Party Application is available, the HEIMDAL Agent securely downloads it from the HEIMDAL Security cloud, decrypts it, and runs the installer with the specified install arguments.
3rd Party Applications can be installed or updated by the HEIMDAL Agent using one of the 3 methods below:
A. Automatic (force) install - the application is automatically installed on the first Group Policy check in case the application is not already present on the endpoint. If the application is already installed on the endpoint, the HEIMDAL Agent will bypass the automatic install;
B. Automatic update - the application is automatically patched (updated) by the HEIMDAL Agent when a newer version is available on the HEIMDAL Patching server;
C. Manual install - the application can be manually installed by the end-user from the HEIMDAL Agent in case the application is not already present on the endpoint.
The Application Blocklist feature allows you to uninstall specific applications that are installed on the endpoints inside your organization (for the feature to work, the application in question needs to have an UninstallString value defined in the Windows Registry in the case of MSI installers, and a QuietUninstallString value in the case of non-MSI installers).
HEIMDAL AGENT - 3RD PARTY PATCH MANAGEMENT
The HEIMDAL Agent displays information about the Monitored Applications, the Vulnerable Applications, the Version number, and the Status of each application. The statistics displayed in the Patch & Asset Management section of the HEIMDAL Agent cover a 7-day interval.
The HEIMDAL Agent allows the end-user to manually install any of the 3rd Party Applications that are configured to be allowed for installation from the HEIMDAL Dashboard.
3rd Party Patch Management allows you to postpone the installation of a new patch in case you are using the application that is being patched.
3RD PARTY PATCH MANAGEMENT VIEW
The Patch & Asset Management - 3rd Party Patch Management view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the 3rd Party Applications that are installed or monitored by the HEIMDAL Agent and is divided between the 3rd Party Applications monitored on Windows endpoints and the 3rd Party Applications monitored on Linux endpoints.
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software (installed in the Agent and monitored).
The collected information is placed in the following views: Standard, Patches per Endpoint, Assets, and Compliance.
- Standard
This view displays a table with the following details: Hostname, Username, Software, Version, CVE, CVS, Date, and Status.
The Standard view lets you filter the information by Latest Status (all statuses: up-to-date, patched, and vulnerable), Latest Patch (the latest installed/patched version), Currently Vulnerable (the endpoints where vulnerabilities are still being discovered; a check is made at every Group Policy sync interval), Historically Vulnerable (the endpoints that have been found vulnerable at some point in time), Up-to-date (all applications found to be up-to-date), and Uninstalled. You can select one or multiple entries in the Standard view and hide them from the view. Vulnerable applications (listed under Standard view -> Latest Status, Currently Vulnerable, and Historically Vulnerable) can be installed by selecting the Install 3rd Party Software option from the dropdown menu. The Show Hidden Apps radio button displays all the applications that were hidden by the HEIMDAL Dashboard Administrator.
Note: The Latest Patch view shows all patches that have been applied, even if one or more applications have been patched multiple times in a very short time period.
- Patches per Endpoint
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
- Assets
The Assets view displays a list of all the 3rd Party Applications that are installed on all the endpoints that run the HEIMDAL Agent in your organization (whether or not the 3rd Party Applications are monitored by the HEIMDAL Agent). The detection is made in the following Windows Registry paths (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall). The table includes the following information: Application Name, Version, GUID, Installed Endpoints, Hostname (visible in the Non-Stacked view), Installed Server, CVSS, Username (visible in the Non-Stacked view), Machine Type (visible in the Non-Stacked view), Uninstallable (3rd Party Applications that can be uninstalled by the HEIMDAL Agent), Supported (3rd Party Applications that are installed and updated through the HEIMDAL Agent), and Date and Time (visible in the Non-Stacked view). The Hide Microsoft Products radio button allows you to hide the Microsoft products from the Assets view. The Filters functionality allows you to filter entries by Monitored and Not Monitored applications. This view filters the data by the client's (device's) last-seen status rather than by the install/update time of a 3rd Party Application, and the check is performed every 24 hours. The CVSS score is also refreshed at an interval of 24 hours to 48 hours (maximum).
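The paragraph above names the four Uninstall registry paths the Assets view reads, and the earlier sections state that an application is identified by its DisplayName and DisplayVersion values and is uninstallable only when an UninstallString (MSI installer) or QuietUninstallString (non-MSI installer) exists. The following PowerShell script is an added example, not Heimdal's code, that walks the same paths on a local endpoint and produces that inventory, so an administrator can compare what the Dashboard reports against what the registry actually contains. It assumes the WindowsInstaller registry value distinguishes MSI from EXE installers; the article does not say how the HEIMDAL Agent makes that distinction, so that part is this example's own choice.

```powershell
# Added example (not Heimdal's code): inventory installed applications from the
# Uninstall registry paths listed in the article and flag which ones satisfy the
# article's uninstall precondition (UninstallString for MSI, QuietUninstallString otherwise).
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledApplicationInventory {
    [CmdletBinding()]
    param(
        [string[]]$Paths = $uninstallPaths
    )
    foreach ($path in $Paths) {
        # The WOW6432Node paths do not exist on 32-bit Windows; skip them silently.
        if (-not (Test-Path -Path $path)) { continue }

        foreach ($key in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue

            # Entries without a DisplayName are typically hidden components or patches;
            # the article identifies applications by DisplayName and DisplayVersion.
            if ([string]::IsNullOrWhiteSpace($props.DisplayName)) { continue }

            # Assumption: MSI products carry WindowsInstaller = 1 in their Uninstall key.
            $isMsi = ($props.WindowsInstaller -eq 1)

            # Article rule: MSI needs UninstallString, non-MSI needs QuietUninstallString.
            $uninstallable = if ($isMsi) {
                -not [string]::IsNullOrWhiteSpace($props.UninstallString)
            } else {
                -not [string]::IsNullOrWhiteSpace($props.QuietUninstallString)
            }

            [pscustomobject]@{
                DisplayName          = $props.DisplayName
                DisplayVersion       = $props.DisplayVersion
                Guid                 = $key.PSChildName        # key name; a {GUID} for MSI products
                Hive                 = $path.Split(':')[0]    # HKLM (all users) or HKCU (this user)
                InstallerType        = if ($isMsi) { 'MSI' } else { 'EXE' }
                UninstallString      = $props.UninstallString
                QuietUninstallString = $props.QuietUninstallString
                Uninstallable        = $uninstallable
            }
        }
    }
}

# Usage: show every detected application and whether it meets the uninstall precondition.
Get-InstalledApplicationInventory |
    Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, InstallerType, Hive, Uninstallable -AutoSize
```

Run the script in an elevated session to see the HKLM entries as the agent does; the HKCU entries it returns belong only to the user running it, which is why the Assets view distinguishes applications installed in the All Users context.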
Selecting one or multiple 3rd Party Applications allows you to:
a. Add the selected application(s) to a Group Policy or all Group Policies to be automatically installed or automatically updated (when a new version is available);
b. Uninstall the selected application(s) if the Uninstall is supported by the HEIMDAL Agent (the Uninstall is supported for the 3rd Party Applications that are installed using an MSI Installer that creates an UninstallString property or for the 3rd Party Applications that are installed using an EXE Installer that creates a QuietUninstallString property).
c. Create a software license for the selected software to be added in the Assets view (this requires the Software Asset Management product to be enabled).
- Compliance
This view displays a table with the following details: Hostname, Username, Number of Updates, and Last Seen.
The Compliant / Non-Compliant filter allows you to switch between the endpoints that are compliant and those that are not. This view does not consider the selected timeframe (from the top of the HEIMDAL Dashboard); instead, it displays the endpoints filtered by a specific date or an interval, both selected from the green Filter button. When checking for compliance, it is necessary to set a desired date. A compliant machine is an endpoint that has no pending updates before the selected date/interval. A non-compliant machine is an endpoint that has pending updates before the selected date/interval. Filtering for compliant endpoints lists endpoints with 0 updates, which shows they are up to date. Filtering for non-compliant endpoints is possible only by selecting a specific date, not an interval, as this view can only show the endpoints that have pending updates before the selected interval.
The Compliance view applies the Cyber Essentials norms when deciding whether an endpoint is compliant. The Cyber Essentials compliant view displays all endpoints that have no 3rd Party Patches missing in the last 14 days and whose patches have a CVSS score below 7 since the application's release date (the Heimdal release date). The Cyber Essentials non-compliant view displays all endpoints that are missing a patch which is not applied and is older than 14 days, has a CVSS score of 7 or higher, has a version lower than the version selected in the Group Policy, and has reached End of Life (EOL).
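The two paragraphs above describe two compliance tests: the plain Compliant / Non-Compliant filter, which asks whether an endpoint has any pending updates as of a selected date, and the Cyber Essentials view, which additionally weighs how old a missing patch is (14 days) and its CVSS score (7 or higher). The PowerShell function below is an added example, not Heimdal's code and not the Dashboard's export format, that applies both rules to a constructed set of pending-patch records so the difference between the two views is visible in the output. The record fields (Hostname, Software, Cvss, ReleaseDate) and the sample data are this example's own assumptions; the Group Policy version and EOL criteria the article also lists are not modelled because the article does not state how they combine with the others.

```powershell
# Added example (not Heimdal's code): classify endpoints under the plain Compliant filter
# (no pending updates as of the selected date) and under the Cyber Essentials rule
# (no missing patch older than 14 days with CVSS >= 7). Data below is constructed.
function Get-PatchComplianceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Hostnames,       # every endpoint, including those with nothing pending
        [Parameter(Mandatory)][object[]]$PendingPatches,  # one record per (endpoint, missing patch)
        [datetime]$AsOfDate = (Get-Date),                  # the "selected date" of the Compliance filter
        [int]$GraceDays = 14,                              # Cyber Essentials window from the article
        [double]$CvssThreshold = 7.0                       # Cyber Essentials CVSS threshold from the article
    )
    foreach ($endpoint in $Hostnames) {
        # Only patches released on or before the reference date count as "pending before the date".
        $pending = @($PendingPatches |
            Where-Object { $_.Hostname -eq $endpoint -and $_.ReleaseDate -le $AsOfDate })

        # Cyber Essentials: a pending patch blocks compliance when it is older than the
        # grace window AND its CVSS score meets the threshold.
        $overdueHighRisk = @($pending | Where-Object {
            ($AsOfDate - $_.ReleaseDate).TotalDays -gt $GraceDays -and $_.Cvss -ge $CvssThreshold })

        [pscustomobject]@{
            Hostname                 = $endpoint
            PendingUpdates           = $pending.Count
            Compliant                = ($pending.Count -eq 0)          # plain Compliant filter
            CyberEssentialsCompliant = ($overdueHighRisk.Count -eq 0)  # Cyber Essentials view
            OverdueHighRisk          = ($overdueHighRisk |
                ForEach-Object { "$($_.Software) (CVSS $($_.Cvss))" }) -join '; '
        }
    }
}

# Constructed sample input: three endpoints, evaluated as of a fixed reference date.
$asOf = [datetime]'2024-06-01'
$pendingPatches = @(
    # 31 days old and CVSS 9.8: blocks both compliance checks for WS-001
    [pscustomobject]@{ Hostname = 'WS-001'; Software = 'Example Viewer'; Cvss = 9.8; ReleaseDate = [datetime]'2024-05-01' }
    # old but CVSS 4.3: counts as pending, does not count against Cyber Essentials
    [pscustomobject]@{ Hostname = 'WS-001'; Software = 'Example Tool';   Cvss = 4.3; ReleaseDate = [datetime]'2024-04-15' }
    # CVSS 7.5 but only 7 days old: pending, still inside the 14-day window
    [pscustomobject]@{ Hostname = 'WS-002'; Software = 'Example Player'; Cvss = 7.5; ReleaseDate = [datetime]'2024-05-25' }
    # released after the reference date: ignored entirely for this evaluation
    [pscustomobject]@{ Hostname = 'WS-003'; Software = 'Example Editor'; Cvss = 8.1; ReleaseDate = [datetime]'2024-06-10' }
)

Get-PatchComplianceReport -Hostnames 'WS-001', 'WS-002', 'WS-003' `
                          -PendingPatches $pendingPatches -AsOfDate $asOf |
    Format-Table -AutoSize
```

With this input WS-001 fails both checks, WS-002 fails the plain check but passes Cyber Essentials because its only missing patch is still within the 14-day window, and WS-003 passes both because its only patch was released after the reference date. Changing -AsOfDate moves endpoints between the two groups, which is the behaviour the article attributes to the date selected in the green Filter button.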
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Standard and Assets views, besides the standard Grid view, have an additional view called the Stats view, which can be toggled by switching from the Grid view.
This view contains statistical data on the 3rd Party patches, presented as pie charts and matrices: CVSS pie charts and By release date matrices.
By clicking the data, you will be redirected to a pre-filtered view (date range and CVSS) where you can visualize only the 3rd party patches that fall under that specific selection.
3RD PARTY PATCH MANAGEMENT SETTINGS
The Patch & Asset Management - 3rd Party Patch Management module allows the user(s) to install or update a specific 3rd Party Application from the list of applications managed by HEIMDAL Security.
3rd Party Patch Management - turn ON/OFF the 3rd Party Patch Management module;
General Settings
Infinity Management - turn on/off the Infinity Management module to deploy your own 3rd Party Applications/Patches from the stand-alone patch management system. The patches can be configured in the Infinity Management module and applied to any Group Policy;
Keep all applications up-to-date - all current and future 3rd Party Applications that are included in our 3rd Party Patch Management list will be added to automatic update;
Assets View - allows you to track down and manage all the 3rd Party Applications installed on the devices in your organization, even if we do not offer patches for them (supports applications that are installed in the All Users context). The Assets View updates the list of applications every 24 hours, but it can be manually updated by restarting the computer (this one takes the Delay Patching on Start-up option into consideration).
Software Asset Management - allows you to manage the software license details for an application that is installed in your environment in a dedicated view found under Patch & Asset Management -> 3rd Party Patch Management. You can input Software Name, Version, Publisher, License Type, Quantity, Price, Expiration Date, etc.
Manage Applications
Show only Infinity Management applications - displays the 3rd Party Applications added in Infinity Management only;
Push Install - enable the selected 3rd Party Application(s) to be installed on the endpoint(s) if it is not already installed. If the 3rd Party Application is already installed, it will not do anything;
Update - enable the automatic update of the selected 3rd Party Application(s);
Allow Install - make the selected 3rd Party Application(s) available for manual installation by displaying it in the HEIMDAL Agent - 3rd Party Patch Management list;
Install Delay Pop-up - allows end users to delay the installation of 3rd Party applications when the Install delay pop-up is enabled. While applications in the Heimdal supported list of 3rd party vendors are silent, non-disruptive installations, this is a feature recommended if you're using Infinity Management to deploy software packages that can lead to end-user disruption (latency, reboots, etc.). The pop-up presented by the HEIMDAL Agent on the endpoint looks as follows:
Delay - allows you to delay the automatic deployment of the selected 3rd Party Application(s) by 1 to 30 days;
Version - allows you to target the selected 3rd Party Application(s) to the Latest Version or an older version (available in the Patching System). Targeting a version that is older than the Latest Version will downgrade the higher version to the targeted version. This means that Heimdal™ Patch & Assets will not update it anymore (this works ONLY for the 3rd Party Applications that can be uninstalled through the HEIMDAL Agent, where Uninstall is supported);
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for newly available patches;
Delay patching on startup - allows you to set the delay time interval applied on computer startup until the HEIMDAL Agent starts the patching operation;
Install delay pop-up - allows you to give users the possibility of delaying the update/patch operation of 3rd Party Applications that might be in use, according to the delay interval and the number of postpones set below (the update/patch can be delayed by 5 to 60 minutes and it can be postponed up to 5 times). Once enabled, you can choose which 3rd Party Application(s) can be updated/patched with the Install Delay pop-up option (from the Install Delay pop-up column in the table above). If only some 3rd Party Applications are enabled to be updated/patched with the Install Delay pop-up, the HEIMDAL Agent will first update/patch all the 3rd Party Applications that are not marked with Install Delay pop-up, followed by the ones that are marked with Install Delay pop-up.
Patching Schedule - allows you to set a scheduler for the 3rd Party Application patching module:
- You can select one or more days in a week when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can select one or more days in a month when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can also select a specific interval of any day to exclude the 3rd Party Application patching.
Applications Blocklist
This feature allows you to uninstall a specific 3rd Party Application(s) to restrict the usage of unwanted applications or to get applications removed from all endpoints that are applying the current Group Policy. This feature removes most of the applications that Patch & Asset Management is monitoring and also uninstalls other 3rd Party Applications that are present on the endpoints but not managed by Patch & Asset Management module.
To uninstall a 3rd Party Application you need to specify the name of the application. You can also specify only the first word of the name (in case the 3rd Party Application has a name composed of more than 1 word) to target multiple 3rd Party Applications whose names start with the same word; tick the Starts with tickbox to be able to add such an entry.
- The example below targets the Poly Lens application that is installed on the endpoint(s);
- If you target a specific application you have to add the exact application name (as it is displayed in the Control Panel - Programs and Features list) to be uninstalled (like in the example below: Java 8 Update 291 (64-bit));
Example:
- If you want to uninstall a 3rd Party Application that is in the 3rd Party Patch Management list, you need to make sure that the tickboxes for Install and Update are unticked in order to be able to add the 3rd Party Application in the Application Blocklist.