Friday, 11 December 2015

Inventory and CSI Agent

Back to Secunia menu

In order to have an effective third party patching solution you need to know what third party applications are on your computers. There are a number of ways to collect this inventory.

ConfigMgr Software Inventory
I'm not a real fan of software inventory in ConfigMgr. It doesn't gather the information from "Programs and Features" on your devices (ironically that is done by hardware inventory). Rather it just collects a lot of information about files on your systems. You have to configure the file extensions in advance. For me it causes a lot of unnecessary overhead for very little gain.

If you wish to use this method you must add the following file extensions to ConfigMgr software inventory.

Also the ConfigMgr server must have Internet access and be able to communicate with the Secunia cloud service using port 443.

Remote Scanning
This is OK for smaller networks but doesn't scale well to enterprises.

CSI Agent
This method requires that a small lightweight agent is installed on each computer. All computers will need Internet access and be able to communicate with the Secunia cloud service using port 443.This is the method we will use for this blog.

In the CSI Portal navigate to Patching > Agent Deployment.

Select "Create CSI Agent Package".

The Package Configuration wizard is launched. Enter a suitable name.

Make sure that you check the "Use Secunia Custom Naming" box. All third party updates will then have the Secunia name. You will be able to filter by Secunia and you will never exceed the vendor limit of your Software Update Point.

Choose the defaults. Remember that we will be publishing the package to WSUS.

The package has been created.....

.....and is available.

Now we must carry out some preparatory work in ConfigMgr. Open the Software Update Point properties.

Select "Create all WSUS reporting events".

Ensure "Security Updates" is selected.

For products note that we can currently only see Local Publisher and Microsoft.

Manually synchronize the updates.

Almost immediately you will see Secunia as an available option. Check the box.

In time the package will be available in ConfigMgr. This can take a while (almost an hour in this example).

Right click and choose to deploy the package.

Enter a suitable name for the deployment and choose the collection of devices.

This is a required deployment.

Choose as soon as possible.

A reboot is not required.

Select a deployment package.

Click Next to create the deployment.

Now you could wait until the normal updates cycles run. However I'm impatient so I've used the Now Micro Right click tools to immediately run the Software Updates Deployment Evaluation Cycle and the Machine Policy Retrieval and Evaluation Cycle. The agent now installs on the computers.

You can see scan results being reported in the CSI portal.

Detailed scan results.

See the insecure third party applications.

See the top 10 offenders. We will update these applications in the next blog in the series.

Until next time.....

No comments:

Post a Comment