
Patch Management Overview

This Article Applies to:

  • AVG Business Cloud Console

Patch Management allows you to keep all your devices up to date with the latest feature and security patches for over 150 software vendors. This not only gives endpoint users all the latest features of their software, but also addresses the newest security threats. The Cloud Console makes it easy to identify and deploy any missing patches.

To download the up-to-date list of all supported patches, click here.

Patch Management provides the following features:

  • Patches direct from vendor: Automatically retrieve patches for Windows and third-party applications to keep your devices up to date.
  • Flexible deployment schedules: Schedule and deploy approved patches at desired times or manually deploy to groups or individual devices.
  • Intuitive dashboard: Manage all software patches and view graphical summaries of installed, missing, or failed patches from any device.
  • Customization: Choose software vendors, products, and the severity of patches to install or exclude from deployment.
  • Master agent capabilities: Download all missing patches to a master agent that seamlessly distributes patches to all managed devices in the network.
  • Patch scan results: Learn more about missing patches including specific updates, bulletin links, release dates, descriptions, and more.
  • Comprehensive reporting: Keep track of the health and security of device software and applications.
  • Patch alerts: Receive notifications when a new patch is found to be missing from one or more devices or has failed to deploy.

This service is offered both as part of the Ultimate Business Security bundle and as an add-on. A 30-day free trial is also available, which you can start anytime via the Subscriptions page of the console. For more information, see Activating Patch Management.

Before attempting to set up Patch Management, make sure all Patch Management System Requirements are met.

Patch Scans

Patch scans are essential to patch management, as they identify which patches should be installed across your network. The Business Hub enables you to remotely scan your devices for missing patches.

You can perform these scans manually or schedule automatic scans, and you can choose which of your devices will be scanned. To learn more, see Scanning Devices for Missing Patches.

Patch Detail and Management

The Patches page of the Cloud Console is usually where most time is spent when handling patches.

Under the Pending OS patches and Pending third-party patches tabs of the Patches page, all detected missing patches are listed. Those that are then installed or ignored are automatically moved to the Resolved patches tab.

The Resolved patches tab displays records for the past three months (historical data for up to one year is available in the Patch report). Ignored patches that are still valid are retained on the page so that they can be reverted to their pending state if needed, while invalid/superseded patches (those where the retention period is exceeded) are removed from the list.

The following information is available for each patch:

  • Name
  • Type (Security, Non-security)
  • Severity (None, Low, Moderate, Important, Critical)
  • CVSS score (0-10)
  • How long ago the patch was released
  • Number of devices on which the patch is/was missing
  • Status (In progress, Missing, or Scheduled for pending patches and Installed or Ignored for resolved patches)
  • Action(s) that can be taken (Install or Ignore for pending patches and Install or Revert for ignored patches)

The higher the CVSS (Common Vulnerability Scoring System) score, the more important the patch is to the device's security, which should help you decide which missing patches are more critical. A single patch can address multiple vulnerabilities, each with its own CVSS score; the score shown is the maximum of the scores for the vulnerabilities associated with the patch. The score can change over time as the vulnerabilities are evaluated further.

The CVSS score is decided by the vendor of the patch, while the severity is decided by the patch API provider. This is why the severity and the CVSS score of a patch can differ.

All available information can be sorted in ascending or descending order. The Severity, Released, and Status columns can also be filtered. Lastly, you can use the search option in the Patch name column to quickly locate a specific patch.

Although the data cannot be filtered to show only patches related to a specific device, any device with Patch Management enabled will have the Patches tab available in its Detail drawer, providing an easy way to view/manage only that device's patches.

Holding the cursor over certain entries in the table will display additional information. For example, hovering over the In progress status of a patch will display its current exact status with the progress bar (e.g. Pending restart or Downloading), while the tooltips in the Release column will show the exact date and time of a patch's release.

Clicking a patch's name will open its Detail drawer, which provides more information about the patch and shows which devices have/do not have the patch installed.

You can install the detected missing patches manually, or you can set up automatic patch deployment. For more information, see Deploying Missing Patches.

Also, you can omit certain patches from being deployed to devices by either ignoring them manually or adding them to patch exclusions. For more information, see Ignoring Patches and Configuring Patch Management Exclusions.

Patch Widget

The patch widget on your console's Dashboard displays at-a-glance information about the current state of patches (Missing, Scheduled, In progress, Failed to install).

Also, the alerts widget includes the patch-related alerts, and the subscriptions widget displays the count of the subscribed vs. used devices for Patch Management.

Patch Alerts

Alerts in the AVG Cloud Console provide insight into the current state of the devices across your network. Via these alerts, the console notifies you of security or network issues that need your attention, improving reaction times and limiting exposure.

There are four patch-related alerts:

  • Patch missing (information)
  • Patch failed to deploy (warning)
  • Device requires restart - Patch (warning)
  • Critical patch missing (critical)

They can be monitored on the Alerts page, Devices page, and Dashboard, and each can be handled by selecting an action from the drop-down menu next to it. In most cases, you can either perform a recommended action to resolve/inspect the issue triggering the alert, or you can dismiss the alert.

To learn more, see Managing Alerts and Alert Actions.

Patch Report

The Patch report provides details about patches for devices with Patch Management enabled, allowing you to keep track of the health and security of device software and applications.

For more information, see Patch Report.

Patch-Related Policy Settings

Patch Scans, Installations, and Cache Clearance

The Patch Management policy settings allow you to define the frequency of patch scans and to choose whether and when automatic patch deployment occurs. It is recommended that you configure patch deployment to start right after patch scanning so that any missing patches are deployed as soon as possible.

Also, you can decide when the local patch cache is cleared. This functionality is used to free up end devices' hard drive space for future patches.

Patch Exclusions

By default, all detected missing patches will be installed when automatic patch deployment is enabled. If you need to exclude certain patches from being automatically deployed, you can do so via the Patch Management exclusions settings of a selected policy. Once a product (application) is added to the Patch Exclusions list, the patches for that product will stop being deployed. If needed, you can edit or delete these exclusions at any time.

Note that excluding a vendor or an app will not prevent scanning for the patch; it will only prevent its installation.

For more information, see Configuring Patch Management Exclusions.

Required Restarts

You can configure device restarts to occur automatically when a service requires it. This includes the Patch Management service: when patches require a restart to complete the installation, devices will follow the settings defined here.

For detailed instructions, see Configuring Automatic Restarts.

FAQ