CyberCNS 3rd Party MS Applications Patching System

  • CyberCNS supports Third party application patching for Microsoft Windows based applications using the CyberCNS Lightweight Agent.

  • For FIPS Compliance enabled customers, please install chocolatey manually for CyberCNS to patch effectively.

  • CyberCNS Patching ability is restricted to end-user devices that have the Lightweight agent installed.

  • Patching supports the integration configured PSA tool, and all Email Integration(CyberCNS SES Email Integration, Email Integration and Office365 Email Integration) to create a ticket into the integration.

  • Please whitelist https://chocolateyrepo.mycybercns.com/chocolatey so that lightweight agent responsible for patching should be able to communicate with CyberCNS Chocolatey server for successful patching.

Enable patching Globally or at the Company level

Navigate to Global/Company Settings > Choose Patching Status, Enable patching and accept the EULA terms to enable the use of third-party application patching capability.

It helps to 'patch' third-party Windows applications that are discovered by lightweight agents.

How to use it?

  • Third-party application patching is enabled under the Remediation Plan view. A blinking icon under the Vulnerabilities column in the Remediation Plan table is seen once enabled as shown below.

  • Click the blinking icon and proceed with the patching wizard.

  • Verify the patching application and choose the asset(s) for which the application is to be patched.

  • Next is to create a ticket into your integration-configured PSA tool. If not required, click on Next.

  • Schedule now or Schedule later can be chosen to patch the application at convenience.

  • Auto Patch Scheduler can also be set to automatically patch the applications chosen.

Patching

  • In the image depicted below, select the application that needs to be patched using the blinking icon next to the corresponding vulnerability.

  • Once the application is selected, click on Patch if direct patching from the CyberCNS portal is required.

  • Click on Next, if ready to patch the application.

  • Select the single asset or multiple assets for the application to be patched and click on Next.

  • To create a ticket into the integration configured PSA tool, select the option to Create Ticket using Integration and click on Next.

  • Choose the Integration required and click on Next. (PSA tool should be successfully integrated before this action).

  • Provide information for all the required fields, and click on Next.

  • Set the time for the application to be Patched. There are two options for Scheduling the patch.

Schedule Now

Schedule Later

Schedule Now

  • Click on the Schedule Now option to patch the application immediately, and click on Next.

  • In the below image can get the Summary of the application and the scheduled time for patching the application.

  • Click on Patch to start the patching process for the application. If any changes are required then click on the Previous option to go back.

  • Once the patching is processed, it is indicated by the Successfully Scheduled, Check the Job section for more details, message.

 

Patching Jobs

  • As soon as the patch is initiated, can observe the job under Jobs > Patch Jobs table view.

  • Once the job is completed, post the assets scan you can check the application is patched with the latest version.

  • When the patch is successfully updated, click on Action and click on Details to get the information on the applications which is patched.

  • Once the applications are patched, automatically next scan will be initiated into CyberCNS. Post which the applications will be pushed under the Remediated status.

Schedule Later

  • In case need to schedule the patching later, select the option Schedule Later, set the Date, and Time, and click on Next.

  • View the product details to patch and click on Patch to patch the application. If any changes are required then click on the Previous option to go back.

  • Once the patching is processed, it is indicated by the Successfully Scheduled, Check the Job section for more details, message.

 

Patching Jobs

  • As soon as the patch is initiated you can observe the job under Jobs > Patch Jobs table view.

  • Once the job is completed, post the assets scan you can check the application is patched with the latest version.

  • When the patch is successfully updated, click on Action and click on Details to get the information on the applications which is patched.

  • Once the applications are patched, automatically next scan will be initiated into CyberCNS. Post which the applications will be pushed under the Remediated status.

  • This completes the documentation about Patching.

Below is the current list of applications supported for Patching.

Patching List.xlsx

Few points to remember

  1. Patching is supported only on assets that have the Online LightWeight agent installed.

  2. In the current version, Patching support is limited for Windows applications.

  3. Key applications required by MSPs have been identified in Chocolatey and those are supported (a list of 500+ applications is available in the CyberCNS documentation <link>)

  4. CyberCNS hosts a private repository of Chocolatey for this patching purpose.

  5. If a remediation entry includes assets, and at least one of those assets is considered patchable(patchable: true) has a lightweight agent installed, and is online, then a patching icon will be displayed to indicate the current patch status.

  6. In addition, the Patch icon will be shown only at the Company level and Asset level Remediation plan. It will NOT be shown at the Global level Remediation Plan.

Application Patch Failures

Patching Error

Reason

Corrective Action

Patching Error

Reason

Corrective Action

Error upgrading application Zoom - exit status 1

This exit status suggests an error occurred during the installation or uninstallation process.

Please Check the error message or log

Timed out - Check agent status

Either Agent is offline OR the CyberCNSAgentV2 service is not running

Agent or Service restart

Error upgrading application Mozilla Firefox - Error retrieving packages from source 'https://chocolateyrepo.mycybercns.com/chocolatey':

No connectivity from Agent machine to Chocolatey server.

Connectivity needs to be verified from Agent machine to the CyberCNS Chocolatey server. Whitelist https://chocolateyrepo.mycybercns.com

Error upgrading application Cisco Webex Meetings - choco : The term 'choco' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1 + choco upgrade webex-internal -s=https://chocolateyrepo.mycybercns.com ... + ~~~~~ + CategoryInfo : ObjectNotFound: (choco:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException

Powershell Execution Restrictions

Powershell Execution Restrictions. Please enable execution for Powershell.

Error upgrading application Cisco Webex Meetings - exit status 1

This exit status suggests an error occurred during the installation or uninstallation process.

Please Check the error message or cybercns log file for details.

Error upgrading application Microsoft OneDrive - Checksum Mismatch Contact Support

This Checksum Mismatch during the upgrade process of the Microsoft OneDrive application. This typically occurs when the downloaded installation files or packages do not match the expected checksum values.

Latest application is yet to be verified from Chocolatey.

Error upgrading application Adobe Acrobat DC (64-bit) - “exit status 404”

This exit status indicates that the URL you are using is incorrect.

Powershell Execution Restrictions. or Please check the URL you are using and verify if it is correct

Application Has Reached End Of Support. Uninstall Recommended.

The application you are using has reached the end of its support lifecycle. This means that the software vendor or developer has decided to stop providing updates, including security patches and bug fixes, for the application.

Application Uninstall Recommended.

A pending reboot has been detected - Exit status code 0xffffffff

This exit status suggests a compatibility issue between the application and the operating system, or it may occur due to insufficient administrative privileges during installation or uninstallation.

Application needs to be restarted, or Please Check Compatibility of the Application with Operating System or Run the installation or uninstallation command with administrative privileges

Exit status 1605

This exit status occurs when there is an issue with the installation package.

Please Try reinstalling the Application or Ensure that you have the correct installation package

Exit status 1604

This exit status indicates that there is an ongoing installation process that needs to be completed or canceled manually before attempting a new installation

  • Wait for the current installation to complete.

  • Manually cancel the ongoing installation before attempting to install again.

Exit status 1642

This exit status suggests that you should retry the installation or upgrade.

Please Retry the installation or upgrade

Exit status 1638

This exit status indicates that there is an ongoing installation that needs to finish before attempting a new one.

Please Wait for the ongoing installation to finish and retry again.

Exit status 1618

This exit status suggests that a system restart is required before running the installation or uninstallation process again.

Please Restart computer and then run the installation or uninstallation process again.

Exit status 1603

This exit status suggests that you should run the installation or uninstallation command with administrative privileges.

Run the installation or uninstallation command with administrative privileges.

Exit status 4294967295

This exit status is similar to 0xffffffff and indicates a compatibility issue with the operating system or insufficient administrative privileges.

Check Compatibility of the Application with Operating System or Run the installation or uninstallation command with administrative privileges

Exit status 3010

This exit status indicates that a reboot is required.

Reboot your system to complete the installation or uninstallation process.

Exit status 1602

 This exit status suggests that the installation or uninstallation process did not finish successfully.

Retry Installation or uninstallation process did not finish successfully, Retry the installation or uninstallation

Exit status 350

This exit status suggests that you should try restarting the device or system.

Try restarting the device or system.

Things to remember while patching vulnerabilities

  1. Please schedule the patches during the typical downtimes.

  2. Please instruct the users of the systems to not shut down the system during such times.

  3. The system may go into sleep mode, please ensure that network connectivity is still maintained even during sleep mode.

  4. There are certain applications whose patches take effect only after the application/browser restart. So please instruct the users to restart the application or browser or even system restart for the applied patch to take effect as CyberCNS won't initiate a mandatory system restart following the automated patching process.