3 Replies Latest reply on Jun 22, 2016 8:28 AM by wcoffey

    What's the difference between "Not vulnerable" and "Not vulnerable and patch installed"?

    DMoenks Apprentice

      I couldn't find an answer to my question in the documentation provided for the new rollout projects feature, but I'm quite curious how each of those works.

      The following assumptions are based on an imaginary 100 clients and a success rate of 80%.


      This is how I suspect them to work:

      • Not vulnerable
        When the given percentage of clients is not vulnerable, a specific piece of content would succeed to the next step, e.g. if at least 80 clients don't need a patch it would succeed
      • Not vulnerable and patch installed
        When the given percentage of clients has installed a piece of content, it would succeed to the next step, e.g. if at least 80 clients installed a patch it would succeed


      Based on this assumption my real questions are the following:

      • What if I configured the success criterion to be Not vulnerable and at least 80 of the clients don't need the patch at all?
        Would it succeed without any testing (as none of the vulnerable clients actually needs to install it to reach the success rate)?
      • What if I configured the success criterion to be Not vulnerable and patch installed and less than 80 of the clients actually need the patch?
        This way the success rate could never reach 80%, even if all clients needing the patch installed it successfully.


        1. Re: What's the difference between "Not vulnerable" and "Not vulnerable and patch installed"?
          wcoffey SupportEmployee

          We are working on enhancing this product, so I'm glad to see interest and questions being presented. Rollout Projects is the newest tool in our suite, so your communication is crucial. Please feel free to chime in on the following discussion: https://community.landesk.com/thread/31994


          Not Vulnerable means the definition was not detected as a vulnerability on the device when a security scan was performed; the device never needed the patch based on the detection logic in the definition.


          Not vulnerable and patch installed is similar to "Not vulnerable" but the only difference is that the vulnerability definition being scanned has been repaired through the patch process.


          A device reboot may be required for most patches so those devices will need to be rebooted before the system sees that patch as fully installed.


          Currently if a patch is not detected when a security scan is performed for the target group in that step, no repair will be done for those patches.


          The following definitions will NOT move to the next target group:


          • Definitions in which no scan record has been found
          • Definitions that are not applicable to the platform in that target group


          Undetected patches will move to the next target group. Content that is not detected as vulnerable won't play against your success rate.

          2. Re: What's the difference between "Not vulnerable" and "Not vulnerable and patch installed"?
            DMoenks Apprentice

            To be honest, I still don't get it.


            How's that...

            Not Vulnerable means the definition was not detected as a vulnerability on the device when a security scan was performed, the device never needed the patch based on the detection logic in the definition.

            ...compatible with that?

            Currently if a patch is not detected when a security scan is performed for the target group in that step, no repair will be done for those patches. The undetected patches will never move to the next target group. [...] Content that is not detected as vulnerable won't play against your success rate but also won't move to the next step.

            The former tells me that Not vulnerable would move definitions to the following step if enough clients are not vulnerable, the latter tells me that this would never happen.

            I've even watched an introductory video about rollout projects found on Vimeo, but the presenters sound pretty confused too when talking about this setting (starting at about 0:25:00).


            What I'm trying to achieve basically matches the example patch rollout project found in the LDMS manual's topic on rollout projects:

            1. Regularly download all Microsoft security patches, add them to a rollout project and deploy them to a random group of 50 clients (we've got an LDAP group for this)
            2. On meeting a success rate of 80% for any one patch, move that one to the next step and deploy it to all clients
            3. On meeting a success rate of 80% for any one patch, move that one to the next step and activate autofix

            Keep content together is disabled for all steps.


            Would this even work with patches for "niche products" which are installed on less than 10% of all clients?

            3. Re: What's the difference between "Not vulnerable" and "Not vulnerable and patch installed"?
              wcoffey SupportEmployee

              Thanks for elaborating on your concern and for catching an error in my previous comment. The previous reply has been corrected.


              "Would this even work with patches for "niche products" which are installed on less than 10% of all clients?"


              To answer your question: yes. Currently we do not consider "affected products" in the advancement logic when the workflow processor runs. We only evaluate the "affected platform" and the information contained in the scan record, which will let me know if there is a vulnerability detected. Please follow up with me if you have additional questions.
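The following is an added example, written for this page and not LANDESK code, that models the advancement rules wcoffey states above (definitions with no scan record or a non-matching platform never advance; devices never detected as vulnerable do not play against the success rate; undetected content still moves on; a pending reboot keeps a patch from counting as installed) and runs DMoenks's 100-client, 80% scenario through them. The `ScanRecord` fields, the `ever_detected`/`detected_now`/`install_complete` split, and the exact way each criterion is applied to a device are assumptions chosen to match the thread, not the product's implementation. The `naive_rate` function is included only to show the reading DMoenks started from, where every client in the target group sits in the denominator.

```python
"""Illustrative model of rollout-project advancement, written for this page.
Not LANDESK code: record fields and the per-device criterion rules are
assumptions drawn from wcoffey's replies in the thread."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ScanRecord:
    """Constructed per-device scan result for one definition (assumed shape).
    A device with no scan record at all is simply absent from the list."""
    device: str
    platform_applies: bool   # the definition's affected platform matches this device
    ever_detected: bool      # a scan in this step found the device vulnerable
    detected_now: bool       # the latest rescan still detects the vulnerability
    install_complete: bool   # patch recorded as installed, any required reboot done


def counts_as_success(rec: ScanRecord, criterion: str) -> bool:
    """Assumed meaning of the two criteria for a single device."""
    if criterion == "Not vulnerable":
        return not rec.detected_now
    if criterion == "Not vulnerable and patch installed":
        # Per the reply: until a required reboot is done, the patch is not
        # seen as fully installed, even if the rescan no longer detects it.
        return not rec.detected_now and rec.install_complete
    raise ValueError(f"unknown criterion: {criterion!r}")


@dataclass(frozen=True)
class Outcome:
    advances: bool
    rate: Optional[float]   # None when no device entered the denominator
    needed: int             # devices that needed the patch (the denominator)


def evaluate(records: Iterable[ScanRecord], criterion: str,
             threshold: float = 0.80) -> Outcome:
    """Decide whether one definition advances to the next target group."""
    applicable: List[ScanRecord] = [r for r in records if r.platform_applies]
    # Stated rule: no scan record, or not applicable to the platform -> no advance.
    if not applicable:
        return Outcome(False, None, 0)
    # Stated rule: content not detected as vulnerable does not play against the
    # success rate (modelled here by dropping those devices from the denominator).
    needed = [r for r in applicable if r.ever_detected]
    # Stated rule: undetected patches still move to the next target group.
    if not needed:
        return Outcome(True, None, 0)
    successes = sum(counts_as_success(r, criterion) for r in needed)
    rate = successes / len(needed)
    return Outcome(rate >= threshold, rate, len(needed))


def naive_rate(records: Iterable[ScanRecord], criterion: str) -> float:
    """DMoenks's initial reading: every applicable device is in the denominator."""
    applicable = [r for r in records if r.platform_applies]
    return sum(counts_as_success(r, criterion) for r in applicable) / len(applicable)


def niche_product_scenario() -> List[ScanRecord]:
    """Constructed data for the niche-product question: 100 clients, the
    affected product on 8 of them (6 repaired, 1 awaiting a reboot, 1 still
    vulnerable); the other 92 were never detected as vulnerable."""
    repaired = [ScanRecord(f"pc{i:03}", True, True, False, True) for i in range(6)]
    reboot_pending = [ScanRecord("pc006", True, True, False, False)]
    still_vulnerable = [ScanRecord("pc007", True, True, True, False)]
    unaffected = [ScanRecord(f"pc{i:03}", True, False, False, False)
                  for i in range(8, 100)]
    return repaired + reboot_pending + still_vulnerable + unaffected


if __name__ == "__main__":
    recs = niche_product_scenario()
    for crit in ("Not vulnerable", "Not vulnerable and patch installed"):
        print(crit, evaluate(recs, crit), "naive rate:", naive_rate(recs, crit))
```

Under the stated rules the niche patch is judged on the 8 devices that needed it: "Not vulnerable" reaches 7/8 and advances, while "Not vulnerable and patch installed" sits at 6/8 because the device awaiting a reboot does not yet count, so it stays in the pilot group. Under the naive reading the same data gives 99/100 for "Not vulnerable" (the patch would advance without any real testing) and 6/100 for "Not vulnerable and patch installed" (it could never reach 80%), which are exactly the two outcomes DMoenks was worried about.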