Patch Management

Modified on Tue, Feb 24 at 8:38 AM

You can find this module at the Company level only.

Patch Management works with both Probe and Lightweight agents.

With the Probe agent, the system first downloads patches and then copies them to the remote asset for installation. This method is ideal for patching devices without a Lightweight agent. In contrast, systems with the Lightweight agent manage patching locally, downloading and applying packages directly.

If you plan to use the Patch Management feature with the ConnectSecure agent, consider adding ‘connectsecurepatch.exe’ to any allow or trusted sources for execution.

Our patch agent retrieves necessary packages from the official website, so the remote asset must have access to download them.

Additionally, the patch agent initiates OS patching by triggering the Windows Update Manager to apply relevant security updates listed in the portal. We can also control whether the system reboots after successful patching for OS updates only. Reboots apply to OS Patches only.

Our Patching Strategy

Curated Repo: 500+ application patches maintained internally, with the 130 most-used apps tested and optimized continuously.
Smart Flexibility: Microsoft Win-Get is used as a fallback to cover supported apps from our curated repo, leveraging Microsoft’s continuous updates.
Balanced Approach: This design combines reliability (our repo) with breadth (Win-Get), ensuring the best coverage without unnecessary risk or overhead.
Enrichment Over Time: The ConnectSecure team will analyze the patch logs and add over time based on the data, continuously improve and extend the supported applications

Check out the Patch Management Guidefor additional help.

Here is a listing of the supported applications for patching: Application Patching List

ConnectSecure may report two versions of the same software when one is located under the CyberCNSAgent installation path and another under a user profile. This can happen when the installer does not remove older versions or when different architecture types (32-bit vs 64-bit) are involved.

Detection logic first checks whether the application is 32-bit or 64-bit. If that cannot be determined, it defaults to checking the OS bit version. This may result in both versions being listed if they reside in separate paths.

Patch Management - Details

Access the Patch Management from the Assets category. The tables are built into sections for Windows App, Windows OS, and Linux OS patching, and Patch Jobs.

This module is designed to bring all available patching data to the tables for manual patching.

Windows Application Patching

To view the list of Windows application(s) not part of the Operating System, that needs to be patched. The table below will show only those applications for which the ConnectSecure Patch Agent can cover.

Manual Application Patching

Tap the three-dot Action menu to apply an available application patch, then choose Patch Now or Patch Later.

Patch Later option lets you set a later date and time to patch

Otherwise, Patch Now will run the selected patch and asset(s) immediately.

3rd Party - Application Patching does not reboot machines; there is no option to do this.

Automatic Application Patching

See the Patch Scheduler found at the Company or Global level.

Windows OS Patching

To view the list of Windows OS patches that need to be installed, please check the table and review the details provided.

Manual OS Patching

Tap on the OS Patching tab, then use the three-dot Action menu to select Patch on any available records.

You will be prompted to select the patch installation's machine(s) and reboot settings.

ConnectSecure is passing the flag for reboot to the Microsoft Update Manager, so Microsoft will show prompts to force a reboot.

Automatic OS Patching

See the Patch Scheduler found at the Company or Global level.

Linux OS Patching

Linux OS patching will download and use the dependency ‘connectsecurepatch_linux’

To view agent dependency status, tap on Overview > Agent > Dependency Status

Linux OS Patching enables administrators to deploy operating system security updates and patches to supported Linux distributions directly from the ConnectSecure platform. This functionality ensures consistent vulnerability remediation, centralized patch job management, and post-deployment verification through automated rescanning.

Supported Linux Distributions

The following Linux operating systems are currently supported for OS patching.

Red Hat Enterprise Linux (RHEL)

Version	Codename
RHEL 4	Nahant
RHEL 5	Tikanga
RHEL 6	Santiago
RHEL 7	Maipo
RHEL 8	Ootpa

Ubuntu

Version	Codename
Ubuntu 14.04 LTS	Trusty Tahr
Ubuntu 16.04 LTS	Xenial Xerus
Ubuntu 18.04 LTS	Bionic Beaver
Ubuntu 20.04 LTS	Focal Fossa
Ubuntu 22.04 LTS	Jammy Jellyfish
Ubuntu 24.04 and Latest	Noble Numbat

Debian

Version	Codename
Debian 7	Wheezy
Debian 8	Jessie
Debian 9	Stretch
Debian 10	Buster
Debian 11	Bullseye
Debian 12	Bookworm
Debian 13	Trixie

CentOS

Version
CentOS 4
CentOS 5
CentOS 6
CentOS 7
CentOS 8

Other Supported Linux Distributions

Version
Alma Linux
Alpine Linux
AWS Linux
Cloud Linux
Fedora
Gentoo Linux (In Progress)
Oracle Linux
Rocky Linux
SUSE Linux

Prerequisites

Before initiating Linux OS patching, confirm the following:

The ConnectSecure agent is installed and actively communicating on the Linux endpoint.
Patch Management is enabled for the company under Company Settings.
The target system appears under the Linux OS Patching asset list.

How to Perform Linux OS Patching

Step 1: Verify Agent Installation

Ensure the ConnectSecure agent is installed and operational on the target Linux machine.

You can validate agent connectivity under:
Agents → Lightweight Agents

Step 2: Enable Patch Management

Navigate to:

Company Settings → Patch Management

Confirm that Patch Management is enabled for the selected company.

Step 3: Access Linux OS Patching

Go to:

Patch Management → Linux OS Patching

This page displays all supported Linux assets eligible for OS patch deployment.

Step 4: Trigger a Patch Job

Select the target asset(s).
Click Patch.
Confirm the action.

The system will initiate a patch job similar to Windows OS patch deployment.

Step 5: Monitor Patch Job Status

To review progress:

Patch Management → Patch Jobs

From this view, you can:

Monitor job status (Pending, In Progress, Completed)
Review patch deployment results
Validate any failures or partial deployments

Step 6: Perform Post-Patch Self-Scan

Once the patch job completes:

Trigger a Self Scan on the asset.
Allow the scan to update vulnerability and remediation data.

This step ensures:

Newly installed patches are reflected in the portal
Remediated vulnerabilities move to the Remediated tab
Vulnerability posture is updated accurately

Verification

After the self-scan completes:

Navigate to:

Agents → [Select Asset] → Problems → Remediation Plan

Confirm that previously identified vulnerabilities now appear under the Remediated tab.

Best Practices

Schedule patch jobs during approved maintenance windows.
Perform a self-scan immediately after patch completion to avoid reporting discrepancies.
Review high-severity and critical vulnerabilities first when prioritizing patch deployment.
Ensure system reboots (if required by the OS) are completed to finalize patch application.

Related Views in the Platform

Linux OS Patching Dashboard
Patch Jobs
Remediation Plan
Agents Overview

Patch Jobs

View the patch job details and sort on the columns.

Tap the Created or Updated date fields to view additional patch job details, including the Asset Name, Status, From Version, and to version values.

When a Patch Job is in initialized Job Status, selecting the three-dot action menu reveals the option to terminate the job.

If a patch job has already moved to a state such as Pending or Partial, it cannot be terminated using the Terminate function.

Agent Offline Behavior

If a patch job is initiated while an agent is offline, the job will remain pending and will automatically execute once the agent reconnects within a 24-hour window.

During this 24-hour period:

The agent continuously checks for pending patch jobs.
The agent will attempt to execute the patch job up to three times upon reconnecting.

This behavior applies to both:

Manually triggered patch jobs
Scheduled patch jobs

If the agent does not reconnect within 24 hours, the patch job will be marked as Failed.

Patch Job Failures

If you see "FAILED" under the Job Status for patching, click on the Created date and time column to view more details that can assist with resolution.

Date Filter

Allows users to filter table data by selecting a specific date. The table will update to display entries that match the selected timeframe.

Patch Agent Logs

We have a local patch log file on the remote agent machine located here:

C:\Program Files (x86)\CyberCNSAgent\logs\cyberpatch.log

Patch Management - Toolbar Options

Alerts

View our timeline style of System Events captured for each company. You can set an optional date filter range to target a specific date range of events.

Info

Tap here to view your V4 Getting Started Info.

https://cybercns.atlassian.net/wiki/x/MIDKfw

Help Link

Click to access the related documentation page; this link is functional on all screens and will take you to the appropriate documentation page.

Layout Settings

Here, you can change the UI look and feel using various options, including the Theme for color, the Scheme for dark and light mode, the Layout for toolbar and module positions, and the toggle to set the table view default.

I prefer the Teal color, Light mode, and Classic layout with an asset table view.