Vulnerabilities are increasing at an alarming pace, making accurate and up-to-date patch scans essential for effective risk mitigation. Proactive scanning helps identify systems missing critical patches, allowing for timely remediation and an improved security posture. Endpoint Central performs continuous, automated scans without the need for scheduling. The scan is performed by the lightweight agent, which runs in the background with minimal impact on CPU and memory resources. The entire scanning process is quick, typically completing within a few minutes.
Before running the patch scan on the agent machine, check that the Vulnerability DB is synced. The Vulnerability Database is automatically updated every day. It can also be updated manually (not required for cloud-based servers). To update the Vulnerability DB manually, navigate to the Threats & Patches tab on the Endpoint Central console. In the left pane, go to the Update Now tab, and click Update Now under Update Vulnerability DB. After the Vulnerability DB has been updated, a patch scan is performed. If you wish to change the schedule of the Vulnerability DB update, click Change. You will be redirected to the Patch Database Settings page, where you can also select the patches that you wish to manage using Endpoint Central. To learn more about Patch Database Settings, refer to this page.
The agent has to be installed on the endpoint and onboarded. A patch scan can be initiated after the agent installation. This patch scan occurs only if the Perform Patch Scanning checkbox has been enabled. To enable this checkbox, navigate to Admin -> Agent Settings -> General Settings tab. Under Actions to be performed after agent installation, enable the checkbox "Perform Patch Scanning".
Verify the scan's successful execution by navigating to Systems -> Scan Systems under the Threats & Patches tab.
A patch scan is triggered under the following conditions:
The patch scan can also be implemented manually through the console or the Agent Tray icon.
To start a scan from the Agent Tray icon, right-click the icon and choose Scan -> Initiate Patch Scan.
To initiate patch scan manually through the console, follow the steps below:
After synchronizing with the patch database, Endpoint Central collects information on the latest patches, newly disclosed vulnerabilities, and supported misconfigurations. The agents then automatically scan the computers for missing patches, unaddressed vulnerabilities, and misconfigurations. The scan happens right after the database is synced. The end user can go to the Patch DB settings to change the sync timings.
Following the first successful scan after agent installation or onboarding, the product identifies the applications installed on the managed endpoint where vulnerabilities are detected or patches are missing. You can view these applications by navigating to Systems -> Scan Systems, clicking on your computer name, and selecting Installed Software.
After that, the agents scan the endpoints in the above-mentioned scenarios, and the latest scan data (detected vulnerabilities, misconfigurations, and missing patches) is then updated in the product.
The user can get reports of missing patches, detected vulnerabilities, and misconfigurations after the scan is completed. Navigate to Reports -> Schedule Reports -> Scan Report. The simplest option is to schedule the reports to be emailed 2 hours after the database sync, but you can configure them at any frequency you wish.
Note: The patch scan cannot be restricted to certain machines. There is no option to schedule a scan, because Endpoint Central automatically scans your endpoints in the above-mentioned scenarios. Vulnerability and patch scans are not separate processes; they occur simultaneously as part of the same scan.
If you have any further questions, please refer to our Frequently Asked Questions section for more information.