5 Replies Latest reply on Feb 24, 2012 2:56 PM by Tanner Lindsay
      • 1. Re: Is there is any way to Scan against a different group and patch against different group?
        Frank Wils ITSMMVPGroup

        Actually, this is kind of default as only things in the SCAN folder will be scanned on the devices, but how and what you repair is based on creating repair jobs for individual vulnerabilities or the contents of custom groups. Only when you put vulnerabilities on Autofix you loose control as they will be repaired on all devices that have autofix in enabled in their scan settings and on the agent.




        • 3. Re: Is there is any way to Scan against a different group and patch against different group?



          Thanks for the response, I know we can do this using the repair jobs, may be I need to be more clear. What I need to know whether is there is any way to do it using scan and repair settings which has assigned to agents.


          When creating a Scan and Repair setting I can either select a group to scan against or the types of patches, but I can no where specify that Scan for all and repair only for these. Reason I want this so that I can scan my systems against all the patches and can patch them only against baseline. This way I am not required to create patching jobs everymonth and push it to clients who are already running scan once a day, I'll just have to update my baseline group every month.

          • 4. Re: Is there is any way to Scan against a different group and patch against different group?
            mrspike SSMMVPGroup



            Using the basics of the document I pointed to you can achieve this, but you cannot do it as you are asking.. that I know of.


            You can do it a couple ways...



            Method 1


            • Leave the agent config so that it scans everything in the Scan Folder by default
            • Create a repair task that repairs a group as shown in the document
            • Schedule the repair task when to run, or set as a policy.  If set as Policy have the policy task repeat daily, or weekly, etc...
              • If set as a policy that will repeat, if new patches are added to the baseline group the clients will run the repair again
            • There is no need to recreate the repair task again (I may have said otherwise in the document) each month if you have your scheduled task or policy set to repeat.  Just add new patches to be included in the baseline to the group



            Method 2


            • Set the behavior in your agent config to ONLY scan and repair the baseline group
            • Now, create a new Scheduled Task in the patch tool (let me know if need guidance on this)

              • Set it to use a behavior that you have set that scans the entire baseline (this is a default)
              • Set it to never reboot
              • Set as a Policy that has a Silent, Never Reboot delivery method (or you can set as a scheduled task, but policy is better)
              • In that delivery method, under Type and frequency, set it as required > periodic > weekly
            • Now add your systems (best to use a query that will target all the systems you want, that way if new machines are built they automatically get added to the task... drag the query to the task, not the list of machines.
            • Start the Policy... now once a week your systems will scan the entire Scan Group so that you know about all vulnerabilities, but your systems will only repair by default the ones in the baseline group


            Let me know if you need more info or are confused

            • 5. Re: Is there is any way to Scan against a different group and patch against different group?
              Tanner Lindsay SupportEmployee

              What about using Autofix? You can set the Scan and Repair settings to either scan everything in the Scan folder, or just a particular group. You can then group your baseline patches into another group just for ease of management.


              Once a patch is added to the baseline, you can move it into the group, but then you set it to Autofix. That means that anytime vulscan runs and finds the machine vulnerable to that definition, it will immediately (at the end of the scan) repair the vulernability and install the patch.


              If you have machines where you can't allow Autofix, the Scan and Repair settings can be set to not allow Autofix, as can the Agent Configuration.


              This way, you don't have to create repair jobs or anything like that. Once a patch is approved, you add it to the group and set it to Autofix. Then it rolls out to your environment.