Viewing Endpoint Posture

After the scan is complete, Harmony Endpoint shows the detected Common Vulnerabilities and Exposures (CVE) entries and their Common Vulnerability Scoring System (CVSS) scores.

For the supported applications for scan and patch management, see sk181034.

Note - End-users can also initiate the scan and view the vulnerable CVEs from the Endpoint Security client (Compliance and Posture).

To view the posture for endpoints, click Asset Management > Posture Management.

If you see the following screen, make sure to configure the posture assessment settings. See Configuring Posture Assessment Settings.

Vulnerabilities by Severity

The Vulnerabilities by Severity widget shows the total number of vulnerable CVEs by severity.

Top 5 Risky Apps

The Top 5 Risky Apps widget shows the top five applications with vulnerable CVEs and their average CVSS score.

For example, if Visual C++ 2008 has several different CVEs, the widget shows their average CVSS score, such as 9.3.

Top Vulnerable Devices

The Top Vulnerable Devices widget shows the five endpoints with the most vulnerable CVEs detected.

The number to the left of the machine name indicates the total number of CVEs detected in the machine.

To view vulnerable CVEs in the machine, click the machine name. It shows the details in the Vulnerability / Devices Table.
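The following is an added example, not Check Point code. It recomputes the two rankings described above from an exported CSV and also reports each application's highest CVSS score, because an average can hide a single critical CVE. The one-row-per-finding layout, the column names, and averaging over distinct CVEs are assumptions; the sample data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (assumed: one row per finding, assumed column names).
SAMPLE_CSV = """Device Name,App Name,CVE Number,CVSS Score
LAB-PC-01,ExampleReader,CVE-0000-0001,9.8
LAB-PC-01,ExampleReader,CVE-0000-0002,4.0
LAB-PC-01,ExampleRuntime,CVE-0000-0003,7.5
LAB-PC-02,ExampleReader,CVE-0000-0001,9.8
LAB-PC-02,ExampleRuntime,CVE-0000-0003,7.5
LAB-PC-03,ExampleRuntime,CVE-0000-0004,7.1
"""


def load_findings(text):
    """Parse rows, skipping any whose CVSS score is missing or out of range."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            score = float(row["CVSS Score"])
        except (KeyError, TypeError, ValueError):
            continue
        if 0.0 <= score <= 10.0:
            findings.append((row["Device Name"], row["App Name"], row["CVE Number"], score))
    return findings


def risky_apps(findings, top=5):
    """Rank apps by average CVSS over distinct CVEs (assumed); also give the max."""
    per_app = defaultdict(dict)
    for _device, app, cve, score in findings:
        per_app[app][cve] = score  # count a CVE once, however many devices have it
    ranked = [(app, round(sum(s.values()) / len(s), 1), max(s.values()))
              for app, s in per_app.items()]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))[:top]


def vulnerable_devices(findings, top=5):
    """Rank devices by the number of distinct CVEs detected on them."""
    per_device = defaultdict(set)
    for device, _app, cve, _score in findings:
        per_device[device].add(cve)
    counts = [(device, len(cves)) for device, cves in per_device.items()]
    return sorted(counts, key=lambda r: (-r[1], r[0]))[:top]


if __name__ == "__main__":
    print(risky_apps(load_findings(SAMPLE_CSV)))
```

In the sample, ExampleRuntime ranks above ExampleReader on average score even though ExampleReader carries the only 9.8 finding, which is why the maximum is worth reviewing alongside the average.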

Two views are available for risk assessment:

  • Vulnerabilities view - Shows all the vulnerable CVEs detected in the endpoints and their CVSS scores. See Vulnerability / Devices Table.

  • Devices view - Shows devices that have at least one CVE detected.

Patches By Status

The Patches By Status widget shows the total number of patches by status.

Click the status to filter the Vulnerability / Devices Table by the status.

Vulnerability / Devices Table

The Vulnerability / Devices table shows the details about the detected CVE and its CVSS score.

Item

Description

Export

Exports the table information. Supported exports are:

  • CSV Files

  • Vulnerability Report

  • Posture Report

For more information on vulnerability and posture reports, see Reports in the Viewing Operational Overview, Security Overview and Reports.

Refresh

Refresh the table information.

Search

Enter the required search options.

 

Toggle Filters

Opens the Filters widget. You must specify the filter criteria.

Scan All

Scans all devices for CVEs. See Scanning Devices.

Scan Now

Scans selected devices for CVEs. See Scanning Devices.

Patch

Applies patches for the specified CVEs. See Applying the Patch for CVEs.

Push Operations

Perform any of these Push Operations:

Add Filter

Allows you to filter the columns by a specific value.

Vulnerabilities View

Group by CVE

Lists CVEs by group.

Group by Application

Lists CVEs by application.

Expand All

Expands CVEs listed by application.

Collapse all

Collapses CVEs listed by application.

CVSS Score

CVSS score of the detected CVE.

CVE Number

Click the CVE number to view CVE Details Widget and all impacted devices:

  • Device Name

  • OS

  • OS Version

  • Last Scanned

  • Comment - Add a comment. For example, do not patch this application.

App Name

Application name.

App Version

Application version number.

Last Detected

Date and time the CVE was last detected.

First Detected

Date and time the CVE was first detected.

Affected Devices

Number of machines with vulnerable CVEs.

Comments

Add a comment. For example, do not patch this device.

Patch Name

Full name of the patch.

Device View

Device Name

Click the device name to view the Device Details Widget and all CVEs in the device:

  • CVSS Score

  • CVE Number

  • App Name

  • App Version

  • Last Detected

  • First Detected

  • Patch Name

  • Patch Size

  • Patch Status

    • Available - Patch is available for the CVE.

      • Cancelled - Deployment is cancelled before patch installation is completed.

    • Not Available

      • Update not available - Patch updates are not available. You must manually search, download and apply the patch.

    • In progress

      • Downloaded

      • Executing

      • Checking

      • Pending

      • Update available - Patch updates are available for the CVEs.

      • Downloading - System is downloading the patch.

      • Pending execution - Waiting for other patches in the bulk to be installed.

      • Pending scan - Patch installed successfully. Waiting for the scan.

      • Pending reboot - Patch installed successfully. Waiting for device reboot.

    • Failed

      • Timeout - Connection to the Harmony Endpoint Security Client timed out.

      • Download failed

      • Replaced

      • Not installed

    • Updated

      • Interrupted - The patch installation by Harmony Endpoint was interrupted by another service, such as Windows Update, that is either installing or has installed the patch.

  • Comment

OS

Operating System name.

OS Version

Operating System version.

Last Scan Status

Shows the status of the latest scan. The supported statuses are:

  • Timed Out

  • Waiting For Client

  • Blade Not Installed

  • Starting Scan

  • Scan Started

  • Succeeded

  • Failed

  • Not Scanned

  • Aborted

Last Scanned

Date and time the machine was last scanned.

Number of Vulnerabilities

Number of vulnerabilities detected in the machine.

Number of Apps At Risk

Number of applications in the machine with vulnerable CVEs.

Comments

Add a comment. For example, do not patch this device.

Device Details Widget

To view the Device Details widget, in the Vulnerability / Devices Table, under the Device Name column, click a device name.

The Device Details widget shows:

  • Operating System name.

  • Operating System version.

  • Date and time the device was last scanned.

  • Number of vulnerabilities detected in the device.

  • Number of applications at risk.

  • Comment

CVE Details Widget

To view the CVE Details widget, in the Vulnerability / Devices Table, under the Vulnerabilities view, click a CVE number.

The CVE Details widget shows:

  • CVSS score of the device.

  • The application with the CVE.

  • The version of the application with the CVE.

  • Date and time the CVE was last detected.

  • Date and time the CVE was first detected.

  • Patch name available for update.

  • Size of the patch available for update.

  • Comment

Scanning Devices

You can scan devices to detect vulnerable CVEs or to verify whether a patch has been applied.

Note - To start the scan for the first time:

  1. Go to Asset Management > Computers.

  2. Select the devices that you want to scan.

  3. Right-click and select Vulnerabilities > Scan Now.

You can start subsequent manual scans by clicking Scan Now in Asset Management > Posture Management or by using the Run Diagnostics push operation.

To scan the devices:

  1. Go to Asset Management > Posture Management.

  2. To scan specific devices:

    1. From the View list, select Devices.

    2. Select the devices and click.

  3. To scan all the devices affected by the CVE:

    1. From the View list, select Vulnerabilities.

    2. Select the CVE and click .

Mitigating Vulnerable CVEs

You can mitigate vulnerable CVEs by either isolating the device or applying the patch.

Isolating a Device

You can isolate a device from the network until you patch its vulnerable CVEs.

To isolate devices:

  1. Go to Asset Management > Posture Management.

  2. To isolate specific devices:

    1. From the View list, select Devices.

    2. Select the devices and click Push Operation > Isolate Device.

  3. To isolate all the devices affected by the CVE:

    1. From the View list, select Vulnerabilities.

    2. Click the vulnerability.

    3. Select the devices and click Push Operation > Isolate Device.

    Harmony Endpoint initiates the Isolate Device push operation. For more information, see Push Operations.

Applying the Patch for CVEs

Notes:

  • Make sure that the Enable patch updates & reboot enforcement checkbox is selected for the policy. Otherwise, the patch is not applied to the endpoint. For more information, see Configuring Posture Assessment Settings.

  • A single patch can fix multiple CVEs.

To apply a patch for a CVE:

  1. Go to Asset Management > Posture Management.

  2. To apply patches for specific vulnerabilities:

    1. From the View list, select Vulnerabilities.

    2. Select the CVEs and click .

      The Patch Details window appears.

    3. Click Update Patch.

  3. To apply patches for a specific device:

    1. From the View list, select Devices.

    2. Select and click the specific Device Name.

      The Device Details window appears.

    3. Select the CVEs and click .

      The Patch Details window appears.

    4. Click Update Patch.

Verifying the Applied Patch

  1. Scan the device to verify that all CVEs are patched.

  2. If all the CVEs are patched and the device is isolated from the network, add the device back to the network. To verify the isolation status, go to Asset Management > Organization > Computers, from the View list select Host Isolation, and then view the Isolation Status column. To add the device back:

    1. Go to Asset Management > Posture Management.

    2. From the View list, select Devices.

    3. Select the devices and click Push Operations > Release Device.

  3. If required, reboot the device. To reboot:

    1. Go to Asset Management > Posture Management.

    2. From the View list, select Devices.

    3. Select the devices and click Push Operations > Reboot Device.