Wednesday, November 21, 2012

Patch Management work cycle

So, GFIMAX does patch management for every software known to man(1) and it does it right in the same interface you work in day in, day out.

But just what do those gremlins in there actually do??  How does the Site Concentrator get so smart and download everything needed for every machine?

Wizardry and magic!

OK, maybe not so much.  The Patch Management process doesn’t actually download anything until the end device requests it at the time of installation.  The following steps occur on an independent Server or Workstation.

  1. The Vulnerability Check scans the machine and compares it to a GFI database of known available patches. This is done at least during the Daily Safety Check (there are other times it occurs described later). This is reported/alerted on the Dashboard.
  2. A missing patch is Approved in the Dashboard. This has no effect on the agent at this time; it only changes display of Vulnerability Check and the Patches Tab. (If a patch is already or automatically set to Pending, we won’t Alert on it as Missing.) 
  3. The patch is installed according to one of three options:
    1. Patch Management Policy schedule 
    2. Workstation/Server menu selection: Install Now
    3. Workstation/Server menu selection: Install Later
      When this scheduled time occurs, the end device requests the patch to be downloaded, and then installs it.
  4. After patches are installed, a Vulnerability Check is run again. This updates the status of patches on the dashboard: from Installing to Installed, Failed, or Requires Reboot. If a patch fails, an alert email is sent out if configured to do so in the Patch Management policy. 
    1. If one of the Reboot options is selected, the dashboard sends the Reboot command if this Check indicates it is necessary.

Site Concentrator

If a Site Concentrator exists, the request from the end device goes to that machine first, as it is configured as the end device's "proxy." The Site Concentrator either has it already for dissemination or downloads it. The patch remains on the Site Concentrator for approximately 30 days before being automatically deleted. A request for that patch by any other device in that time-frame will go directly to the Site Concentrator: the traffic will not leave the LAN.

If the Site Concentrator cannot be contacted, after 3 failed attempts the end device will automatically download the patch directly from its Internet location.(2)  This means that even a roaming laptop will still be protected regardless of where it physically resides.  And it will save external bandwidth at its home office because it will communicate with the Site Concentrator automatically.

(1) That man lives in a small house in the woods of Romania.  We're not sure how often he gets out.

(2) As of this writing, this behavior applies to all MAX communication except the Managed Antivirus definition update.  Currently MAV updates must be downloaded from the Site Concentrator if one is configured.  The download will not failover to the Internet for those definitions.
UPDATE 2015:  This note only applies to MAV based on the (old) Vipre engine.  MAV based on Bitdefender is supported through a Site Concentrator in the same manner as all other features.