What is System Health Policy?

Vulnerability Manager Plus periodically scans the systems in your network to identify the missing patches. The missing patches include both the operating system and third party application patches pertaining to that system. Generally, patches are released with varying severities ranging from Low to Critical. Based on these patch severities, Vulnerability Manager Plus classifies the system into three categories to quickly identify the health status of the systems in the network. Health policy of the systems are calculated based on the missing security updates and third party updates. It is recommended to deploy all the security and third party updates to maintain the health status of the systems.  If you do not want a specific missing patch, to impact the system health status, then you can choose to decline the patch. Patches that are declined will not be considered for the System Health Status calculation.

How are the systems classified?

Based on the severity of the missing patches, the systems are categorized as Healthy, Vulnerable, and Highly Vulnerable in Vulnerability Manager Plus. The default health policy is as below:

  • Healthy Systems are those that have up-to-date patches installed

  • Vulnerable Systems are those that have missing patches in "Moderate" or "Low" severity levels.

  • Highly Vulnerable Systems are those that have missing patches in "Critical" or "Important" severity levels.

     
    • The patches that are declined will not be considered for arriving at the system health status.
    • You can choose to exclude all 3rd party patches from system health calculation.

Determine System Health Status

You can customize the criteria to determine the health of a system. You can specify the number of patches, which will be considered as a bench mark to rate a system as highly vulnerable or vulnerable. Refer to the example explained below:

Criteria specified to mark a computer a highly vulnerable:

  • 3 or more critical patches are missing

  • 3 or more important patches missing

  • 0 Moderate Patches are missing

  • 0 Low severity patches are missing.

Criteria specified to mark a computer a vulnerable:

  • 2 or more critical patches are missing

  • 1 or more important patches missing

  • 1 Moderate Patches are missing

  • 0 Low severity patches are missing.

Based on the above mentioned criteria, if 3 or more critical patches are missing, then a system will be marked as highly vulnerable. If only 2 critical patches are missing, then it will be marked as vulnerable. If 1 critical patch is missing system will be considered as healthy. Assume 5 moderate severity patches are missing, then the system will be marked as Vulnerable. If 10 low severity patches are missing, system will still be considered as healthy, since you have not specified any number in the criteria.

 You can configure the above explained settings by following the steps mentioned below:

  1. Select the Admin tab.

  2. Click the System Health Policy link available under Patch Settings.

  3. Specify the number of missing patches to determine the health status of a system, based on severity and count of missing patches

  4. Under Advanced Settings, choose to exclude 3rd party patches from system health calculation

  5. Click Save Changes.

Excluding 3rd Party Patches from System Heath Calculation

Most of the times, significance of missing 3rd party patches do not precede over the patches related to operating system. This could be because of the vast number of 3rd party applications and its real need towards the business. If you consider that your system's health should not be determined based on the missing 3rd party patches. You can configure your system health in such a way, that even if one or more 3rd party patches are missing in your system,  it can still be rated as healthy if all OS related patches are installed on it. You can exclude all the 3rd party patches and choose to include few of those which might be needed.

 
  • You can choose to calculate the system's health, only based on the approved missing patches. This can be specified only if you have chosen to approve patches manually. If patch approval settings is configured as automatic, then all the patches will be approved by default and considered for system health calculation.