Deploying a security fix

Cyberwatch offers patch management. The patching view of an asset lists all the present vulnerabilities with their patch. Deploying a security fix on a vulnerability can fix several vulnerabilities.

Manually apply a corrective action

Corrective actions with the status “To be processed manually” occur on software whose automatic patching is not supported by Cyberwatch.

For such applications, two actions are possible:

  • Uninstalling the software either manually or directly through Cyberwatch
  • Manually patching the software by connecting to the relevant asset

Deploying security fixes

Dependency Management

Linux: If these patches have dependencies, they will also be installed when the patch is deployed. Windows: The patch can be a Microsoft cumulative update.

From the page of an asset

  1. Click on Inventory
  2. Choose the concerned asset
  3. On the page dedicated to the asset, click on the “Patch management” tab
  4. Check the security fixes you want to deploy
  5. Click on the “Schedule selected fixes” button
  6. Choose the deploying period allowed for the deployment, and confirm with the “Schedule selected fixes” button

From the page of a vulnerability

  1. Click on Vulnerabilities Encyclopedia
  2. Choose the concerned vulnerability
  3. On the page dedicated to the vulnerability, check the assets on which you want to deploy the security fixes
  4. Click on the caret right to the “Ignore and comment” button
  5. Click on “Schedule selected fixes”
  6. Choose the deploying period allowed for the deployment, and confirm with the “Schedule selected fixes” button

Update the system

Cyberwatch offers system-wide updates. You can choose to deploy updates to all packages installed on the asset along with their corresponding dependencies on Linux. Available security updates will also be deployed on Windows systems. This can be done:

From the asset’s page

  1. Click on Inventory
  2. Choose the concerned asset
  3. On the page dedicated to the asset, click on the “Patch management” tab
  4. Click on “Schedule all fixes”
  5. Choose the deploying period allowed for the deployment, and confirm with the “Schedule all fixes” button

From the inventory

  1. Click on Inventory
  2. Choose all the concerned assets
  3. Click on “Bulk actions”
  4. Click on “Deploy patches now” or “Deploy patches during the next deploying period” depending on the goal
  5. Click on “YES” on the pop-up window

Uninstalling a package or an application

  1. Click on Inventory
  2. Choose the concerned asset
  3. On the page dedicated to the asset, click on the technologies tab
  4. Find the package/application in the list
  5. Click on the deletion button at the end of the line and confirm the uninstallation request.

Deleting an executable

  1. Click on Inventory
  2. Choose the concerned asset
  3. On the page dedicated to the asset, click on the technologies tab
  4. Find the executable in the list
  5. Click on the deletion button at the end of the line and confirm the request.

This deletion will not modify any configuration or additional files used by this executable, and such files must be deleted by you, outside of Cyberwatch.

Enabling the deployment of corrective actions on Windows OS from Cyberwatch

Windows and Microsoft applications

To apply corrective actions for Windows and Microsoft applications, Cyberwatch deploys Microsoft KBs part of one of these three type:

  • Security updates
  • Critical updates
  • Monthly roll ups

In order to enable Cyberwatch to apply these updates, the WSUS has to be configured to automatically approve updates belonging to one of the above classifications.

Official documentation on how to configure these automatic approvals.

Third-Party Software

To apply corrective actions for third-party software, Cyberwatch uses the Windows Package Manager.

In order to enable Cyberwatch to apply these updates, the Windows Package Manager must be installed on the system; see the Official Documentation.

In addition, the software must be supported by Cyberwatch (List of supported software) and by the Windows Package Manager (winget-pkgs).

Enable deployment through Windows Package Manager

  1. Click on Administration
  2. Expand the Patch Management section
  3. Enable the Patches Deployment option
  4. Enable the Deployment through Windows Package Manager option

List of software covered by the Patch Management module

  • Linux: any software installed with the package manager of the distribution can be patched or uninstalled
  • Windows: Microsoft software (supported by security KBs), third-party software (supported by Windows Package Manager)

List of software uninstallable by Cyberwatch

All applications installed by MSI can be uninstalled via Cyberwatch. Here is the list of applications for which the uninstallation parameters have been checked by our teams:

  • Adobe Acrobat
  • Chrome
  • Firefox
  • Firefox ESR
  • Gimp
  • iTunes
  • JAVA
  • KeePass
  • LibreOffice
  • Putty
  • Thunderbird
  • VirtualBox
  • VLC
  • Wireshark
  • 7-Zip

Back to top