Enhanced Vulscan Self-Update Feature
In LDMS version 2016.3 and later releases, the Self-Update feature that runs during vulnerability scans has been enhanced to grant additional capability and flexibility.
In version 2016.0 SU5 and older, vulscan checks the ldlogon folder to see if any of the core-side self-update files are newer than the same files on the client. If so, those files are updated regardless of OS version and LDMS agent version. In version 2016.3 and later, the self-update process is smarter: vulscan can check for a minimum OS version and/or a minimum LDMS agent version if the core is configured to do so. If the core is not so configured, self-update occurs as before.
The main benefit to this new system is that you can cause vulscan self-update to use one set of files for devices that meet or exceed your OS and Agent version specifications, and a different set of self-update files for devices that are below your specifications. This is most helpful if you are still managing Windows XP or Server 2003 devices.
Support for Windows XP and Server 2003 has ended. See these documents for more information:
Which Files Are Updated?
The following files are monitored and can be updated:
Initial Setup and Configuration
If you wish to implement OS and Agent version checking for self-update, create a SelfUpdate subfolder in ldlogon and create an AppliesTo.ini file within it:
The appliesto.ini file should contain the following text:
In the example above, the file is configured for LDMS agent version 10.1 and OS version 6.1 (Windows 7), which is appropriate for the scenario of preventing XP devices from self-updating to the new agent version. Change these values to the actual versions you want to use if you have a different use case.
How it Works
When vulscan runs on a client, it checks with the core server to see whether the ldlogon\selfupdate folder exists and contains the appliesto.ini file. If found, vulscan uses the enhanced process: devices meeting or exceeding the specified versions self-update from the files in the SelfUpdate folder, while devices below the agent and OS versions self-update from the ldlogon folder. If the SelfUpdate folder or the appliesto.ini file is not found, vulscan self-updates all devices from the ldlogon folder.
Therefore, place the self-update files from your LDMS 2016.0 SU5 WinXP agent into the ldlogon folder, and place the updated files that match your upgraded core version into the SelfUpdate folder. XP devices then retain self-healing through vulscan self-update but receive only the files that match their 2016.0 SU5 agent version, while devices newer than XP self-update using the correct files you placed in the SelfUpdate folder.
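The decision described above, modelled as an added Python example (not LANDESK code): it reads the minimum versions from an AppliesTo.ini, picks the SelfUpdate or ldlogon source for a client, and applies the original "core file newer than client file" rule. The ini key names (MinAgentVersion, MinOSVersion) and the sample file timestamps are assumptions for illustration, not the documented format.

```python
"""Model of vulscan self-update source selection (added example, not LANDESK code)."""
from typing import Dict, Optional, Tuple, List

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.1' -> (10, 1); dotted numeric versions then compare as tuples."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_appliesto(ini_text: str) -> Dict[str, Optional[Version]]:
    """Read minimum agent/OS versions. Key names here are assumed placeholders."""
    mins: Dict[str, Optional[Version]] = {"agent": None, "os": None}
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";", "#")):
            continue  # skip section headers, comments and blank lines
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key == "minagentversion":
            mins["agent"] = parse_version(value)
        elif key == "minosversion":
            mins["os"] = parse_version(value)
    return mins


def select_source(client_agent: Version, client_os: Version,
                  appliesto: Optional[Dict[str, Optional[Version]]]) -> str:
    """Return 'selfupdate' or 'ldlogon' per the behaviour in How it Works."""
    if appliesto is None:  # SelfUpdate folder or ini missing: legacy behaviour
        return "ldlogon"
    for minimum, actual in ((appliesto["agent"], client_agent),
                            (appliesto["os"], client_os)):
        if minimum is not None and actual < minimum:
            return "ldlogon"  # below a configured minimum: old files
    return "selfupdate"  # meets or exceeds every configured minimum


def files_to_update(core_files: Dict[str, float],
                    client_files: Dict[str, float]) -> List[str]:
    """Core-side files whose timestamp is newer than the client's copy."""
    return sorted(name for name, mtime in core_files.items()
                  if mtime > client_files.get(name, 0.0))


if __name__ == "__main__":
    # Constructed ini matching the page's example values (agent 10.1, OS 6.1).
    mins = parse_appliesto("[SelfUpdate]\nMinAgentVersion=10.1\nMinOSVersion=6.1\n")
    print("XP, agent 10.0 ->", select_source((10, 0), (5, 1), mins))      # ldlogon
    print("Win7, agent 10.1 ->", select_source((10, 1), (6, 1), mins))    # selfupdate
```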