Follow up questions from my 3rd party software update webinar

As promised, here are the follow-up questions we didn’t have time to cover during the 60 min webinar – https://www.brighttalk.com/webcast/8113/116381

Q & A from the webinar

Q1
When you have applied an update for Flash e.g., how do you repair that version if the application gets broken? Repair so it reverts back to "old" version or can the updated version be repaired?
A1
Traditionally you are deploying the applications from ConfigMgr and the updates through CSI. Unless you update the application/package in ConfigMgr, you have to install the old version and upgrade it again.

Another option is to republish the update and mark it as “Always Installable”. You also have the option to perform a clean install, if you wish to remove the old version, by using SPS optional parameters. However, you have to be careful with this, as it will install the program on all machines regardless of whether the program was installed earlier or not. This can be controlled by approving the update only for selected collections.

Q2
Have you guys created any automated feature in CSI 7?
A2
Not sure I fully understand the question. If possible, please add a note to this blog post and tell me a little more.

If the question is about automated patching, then CSI still requires creation of the package via the wizard. However, CSI will remember all optional parameters and locale settings previously configured. Scanning via SCCM can be automated and scheduled using the Secunia Daemon.

Q3
Can we find readymade templates for closing programs with user driven pop ups when the updates are installed? We don’t want users clicking on software center. :)
A3
That’s not yet possible but a very good feature request. The installation is performed by the Windows Update Agent on the client and as such we are in the hands of the WUA features.

Q4
Do we really have to manually edit the installation script or even make a separate package? What would you recommend? How do other companies handle this?
A4
I can’t speak for all companies, but I know that some are using a custom solution like the Coretech Shutdown tool, where you can see if specific applications are running prior to performing the installation. This solution, however, is not using the Windows Update Agent but the ConfigMgr agent.

In special cases like Java, Secunia SPS would check if the Java process is running or a file is in use. In these cases, it will return appropriate codes and retry the update when the file is not in use or at maintenance windows.
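
A pre-install guard of the kind described in A4, as an added example that is not Secunia SPS or Coretech code. The process name, file path, installer path, silent switch and retry exit code are all assumptions to replace with your own values.

```powershell
# Added example: pre-install guard for a third-party update.
# Not Secunia SPS or Coretech code; every name, path and exit code below is an assumption.
param(
    [string]$ProcessName = 'java',                  # hypothetical process that blocks the update
    [string]$TargetFile = 'C:\Program Files\Java\jre\bin\java.exe',  # hypothetical file the update replaces
    [string]$Installer = '.\update-installer.exe',  # hypothetical installer shipped in the package
    [string[]]$InstallerArgs = @('/s'),             # hypothetical silent switch
    [int]$RetryExitCode = 100                       # placeholder: the code your deployment tool maps to "retry later"
)

function Test-FileInUse {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }   # nothing there to be locked
    try {
        # An exclusive open fails while any other handle holds the file.
        $stream = [System.IO.File]::Open(
            $Path,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::ReadWrite,
            [System.IO.FileShare]::None)
        $stream.Dispose()
        return $false
    } catch {
        return $true    # cannot prove the file is free, so do not patch now
    }
}

# 1. Defer if the application is running.
$running = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($running) {
    Write-Output "$ProcessName is running (PID $($running.Id -join ', ')); deferring update."
    exit $RetryExitCode
}

# 2. Defer if the file to be replaced is still held open by something else.
if (Test-FileInUse -Path $TargetFile) {
    Write-Output "$TargetFile is in use; deferring update."
    exit $RetryExitCode
}

# 3. Nothing blocks the update: run the installer and pass its exit code back.
$proc = Start-Process -FilePath $Installer -ArgumentList $InstallerArgs -Wait -PassThru
exit $proc.ExitCode
```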

Q5
Is the installation path essential for Updates? Or can, let's say, 7Zip be installed anywhere on the system to be detected and updated? i.e. Disk D: in a special folder called tools…
I still need an updated package/application for normal deployment, how could I minimize work overhead here…
A5
Yes, you need the full path. That’s one of the reasons why you want to scan as many clients as possible to get more accurate data.

Q6
Can CSI detect virtual (App-V) apps too?
A6
To be able to scan a SFT file with CSI you would need to install Microsoft Application Virtualization (App-V) SFT View on the endpoint that holds the SFT files.

All valid .sft and .dsft file name extensions will be scanned by App-V SFT View and will be made available for inspection. For every valid .sft file, a corresponding .dir folder will be displayed. For example, if a file that is named Office.sft is located, a new folder will be displayed in a directory that is named Office.sft.dir.

SFT View runs in the background to automatically generate the .dir folder views of any .sft or .dsft files that are present in a directory; it does not require any user interaction. SFT View does not extract any .sft or .dsft file contents to disk; instead, it creates a view of the contents and represents them as .dir folders.

This virtual file structure is then scanned by CSI to be reported on as any other application would be.

Note! Don’t add this file structure in your patch process because this structure is not valid for patching.

Q5
Running CSI 7 on SCCM2012 with Secunia SC2012 plug-in and Active Directory integration.  How to scan by OU, rather than by IP or HostName?
A5
This answer requires that you have ConfigMgr. You can right click and scan a collection, or simply just deploy the agent package to a collection. This gives you all the control you need to include/exclude computers based on system discovery data and hardware inventory data. 

Q6
Do you have to re-configure the Product selection under the Software Update Point Component every time you add a new product?
A6
No, that is not required. Just select Custom Secunia Naming when deploying the update. After that, all updates will have Secunia as the main vendor.

Q7
Actually I am working on CSI 6 and it’s very difficult to manage… As it doesn’t have traceability of any new updates. I have to do all manual tasks. Why doesn't Secunia create an alert if any new updates are needed in my environment?
A7
Smart group notification is also a feature in CSI 6. However, smart groups are limited to one type in CSI 6, while CSI 7 offers host-, product- and advisory-based smart groups, which gives a broader range of selection criteria. (Added some more details)

Q8
Can you set up a group and add workstations so you can test the Secunia deployments before you approve them for the rest of the workstations in our enterprise?
A8
Yes, you can deploy agents and scans to specific collections.

Q9
Do you need a Secunia agent on the clients, or are there other options?
A9
No, you can also configure Software Inventory (*.dll, *.ocx and *.exe), create a package in ConfigMgr that will run csia.exe without installing the agent as explained here

Q10
Can v7 have on-premise server yet?  We can’t put our vulnerability data in the cloud.
A10
Yes, there will be an on-prem solution out very soon.
