Patch Management Best Practices
Applies To: WatchGuard Patch Management
We recommend you follow these best practices for WatchGuard Patch Management:
- Verify that Patch Management Works Correctly
- Install All Critical Patches Regularly
- Isolate Computers with Unpatched Critical Known Vulnerabilities
- Make Sure Programs Installed on your Computers are Not End-of-Life
- Review the Installation History
- Review the Patch Status of Computers where Incidents Occurred
Verify that Patch Management Works Correctly
To confirm that Patch Management works correctly, make sure that all computers on your network:
- Have a Patch Management license allocated and Patch Management installed and running. To identify issues, use the Patch Management Status tile on the Patch Management Dashboard.
- Can communicate with the WatchGuard server. To identify computers that might have connection problems, use the Time Since Last Check tile on the Patch Management Dashboard.
- Run the Windows Update service with automatic updates disabled. To disable automatic Windows updates, select the Disable Windows Update on Computers option in the Patch Management Settings.
Some patches require the computer to restart before installation can complete. If FastBoot is enabled on a Windows computer, patches that require the computer to restart are not applied when the computer shuts down. This is because FastBoot does not fully reboot the computer as Patch Management requires. For more information, go to Restart Scenarios for Managed Endpoints.
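As an added example (not code from the WatchGuard documentation), the following PowerShell function checks, on a single Windows endpoint, the three local conditions the section above lists: the Windows Update service is running, automatic updates are disabled, and Fast Startup (FastBoot) is off. It assumes the standard Windows registry locations for the automatic-update policy and Fast Startup, because the page does not state which settings the Disable Windows Update on Computers option changes.

```powershell
# Added example, not WatchGuard code. Checks the local preconditions listed in
# "Verify that Patch Management Works Correctly". Registry locations are the
# standard Windows ones (assumption: the WatchGuard option writes the same policy).
function Test-PatchManagementPrereqs {
    [CmdletBinding()]
    param()

    # 1. The Windows Update service (wuauserv) must exist and be running.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $serviceRunning = ($null -ne $wu) -and ($wu.Status -eq 'Running')

    # 2. Automatic updates should be disabled so that Patch Management, not
    #    Windows, decides when patches install. NoAutoUpdate=1 under the
    #    WindowsUpdate\AU policy key is the standard way to express this.
    $auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate `
               -ErrorAction SilentlyContinue).NoAutoUpdate
    $autoUpdatesDisabled = ($noAuto -eq 1)

    # 3. Fast Startup should be off, otherwise patches that need a restart are
    #    not applied at shutdown. HiberbootEnabled=0 means disabled; a missing
    #    value is treated as enabled (the usual Windows default), so it fails.
    $powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled `
                  -ErrorAction SilentlyContinue).HiberbootEnabled
    $fastStartupDisabled = ($hiberboot -eq 0)

    # One object per computer; collect these centrally to compare with the
    # Patch Management Status and Time Since Last Check tiles.
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        WindowsUpdateRunning = $serviceRunning
        AutoUpdatesDisabled  = $autoUpdatesDisabled
        FastStartupDisabled  = $fastStartupDisabled
        Ready                = $serviceRunning -and $autoUpdatesDisabled -and $fastStartupDisabled
    }
}

Test-PatchManagementPrereqs | Format-List
```

Run it from an elevated PowerShell session so the service and HKLM policy values can be read; a Ready value of False points at the condition to correct before relying on the dashboard tiles.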
Install All Critical Patches Regularly
When software vendors discover flaws in their products, they publish updates and patches to fix the flaws. We recommend that you install critical patches at least once a month.
To review available patches, use the Available Patches list. Filter the list to identify critical patches or patches for specific computers. For more information, go to Review Available Patches.
If Patch Management cannot get a download URL to install a critical patch automatically, download the patch manually so you can install it. For more information, go to Download Patches Manually.
Isolate Computers with Unpatched Critical Known Vulnerabilities
For critical known vulnerabilities that represent an extremely serious threat, such as WannaCry ransomware, you might decide to isolate computers that have not yet received published patches that fix the vulnerability.
In these cases, you can use the Available Patches list to identify computers that have not received the critical patches. To isolate computers, select the check box in one or more rows, then in the toolbar, click Isolate Computer.
Caution: We recommend that you isolate unpatched computers when the missing patches pose a very serious threat. Endpoint Security denies all communications to and from isolated computers except those required to perform remote forensic analysis and to use remediation tools. If a computer or server performs an important function for your business and requires a critical patch, such as a DNS server, make sure that you have contingency plans in place before you isolate it.
For more information, go to Isolate a Computer in Endpoint Security.
Make Sure Programs Installed on your Computers are Not End-of-Life
End-of-life programs do not receive patches or updates from the software vendor. To reduce the attack surface, replace any end-of-life programs installed on your computers.
To identify end-of-life programs, use the End-of-Life Programs list. For more information, go to Review End-of-Life Programs.
Review the Installation History
To review the status of patch installations and identify computers where installation errors occurred, use the Installation History list. For more information, go to View Installation History.
Review the Patch Status of Computers where Incidents Occurred
Patch Management correlates incident data with the patch status of each computer, so that you can identify whether infected computers, or computers with detected threats, have available patches. When incidents occur, we recommend that you install any available patches on the affected computer.
When you install patches, Patch Management must download the patches from the software vendor. Because this can take time, we recommend that when there are incidents, you first isolate the affected computer. This minimizes the risk of infection to other computers on the corporate network until the patch installation occurs.
To identify available patches, in the Security Dashboard, click a threat, select the affected computer, then click View Available Patches. The Available Patches list opens and shows available patches for the computer. For more information, go to Review Available Patches.
You can also see an overview of available patches and end-of-life programs for a computer on the Computer Details page. For more information, go to Computer Details in Endpoint Security.
To identify a computer where an incident was detected and install required patches:
- Select Status.
- In one of these widgets, click a computer or incident:
  - Threats Detected by the Antivirus
  - Malware Activity
  - PUP Activity
  - Exploit Activity
  - Currently Blocked Programs Being Classified
  Information about the threat detected on the computer appears.
- In the Affected Computer section, click View Available Patches.
  The Available Patches list opens, filtered by the selected computer.
- Select all available patches for the computer.
- From the action toolbar, click Install.
- Create a patch installation task. For more information, go to Patch Management Best Practices.
Patch Management Best Practices — Cache Optimization
Patch Management Installation Errors
Patch Management Supported Systems & Applications (external link)