Secure Access Service Edge (SASE) provides a vulnerability fixing feature that scans the Windows PCs of your enterprise for system vulnerabilities and delivers patch installation tasks to fix them. The feature lets you close known system vulnerabilities on enterprise PCs, reduce the attack surface of your terminals, and keep your network secure.
Prerequisites
SASE is activated.
An Alibaba Cloud account or a Resource Access Management (RAM) user that has permissions to access SASE is used.
The version of the SASE client that is installed on the office terminals is V4.5.1 or later.
Step 1: Create a scan task
To use the vulnerability fixing feature, you must create a scan task. Then, SASE runs the scan task on terminals.
If you want to scan terminals periodically, create a scheduled scan task. If you want to scan terminals immediately, create an immediate scan task and specify an end time for it. A terminal is scanned only if its user logs on to the SASE client before the end time. Terminals that do not come online before the end time are not scanned and do not appear in the results.
Create an immediate scan task
Log on to the SASE console.
In the left-side navigation pane, choose
On the Scan History tab, click Create Task. In the Create Immediate Task panel, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Task Name
The name of the task.
Scan Scope
The applicable user group for the task.
All Users: The task applies to all users whose terminals have the SASE client installed.
Some Users: The task applies only to specific users. Select the user groups whose terminals you want to scan.
Exception User
The users who are excluded from the task. You can enter multiple usernames. Separate them with commas (,).
Task End Time
The end time of the task.
Create a scheduled scan task
Log on to the SASE console.
In the left-side navigation pane, choose
On the Scan History tab, click Scheduled Scan Task above the task list.
On the Scheduled Task page, click Create Scheduled Task.
In the Create Scheduled Task panel, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Task Name
The name of the task.
Priority
The priority of the task. A smaller value indicates a higher priority. Valid values: 1 to 100.
Task Status
Specifies whether to enable the task.
Scan Scope
The applicable user group for the task.
All Users: The task applies to all users whose terminals have the SASE client installed.
Some Users: The task applies only to specific users. Select the user groups whose terminals you want to scan.
Exception User
The users who are excluded from the task. You can enter multiple usernames. Separate them with commas (,).
Frequency
The execution frequency of the task. For example, if you select Every 3 Days and 00:00-24:00 from the drop-down lists, the system runs the task every three days, at some time within that window, on the terminals that are online at that time.
Step 2: View the scan results and patch details
SASE monitors patch information released by Microsoft and other sources in real time and displays it. The information includes Common Vulnerabilities and Exposures (CVE) identifiers and the security bulletins of various vendors. SASE also displays the results of scan tasks.
On the Vulnerability Patches tab, view the statistics for uninstalled patches and at-risk devices, the latest announcements of patches from various vendors, and the scan results.
The risk level of each patch is set by the patch information provider. It reflects the provider's severity rating, not the exposure of a specific device in your environment, so use it together with the affected-device information when you decide which patches to install first.
In the Latest Announcement section, click Details to view the details of the announcements released by various vendors.
View the details of a patch and the devices that are affected by the patch. Such information helps you determine which vulnerabilities need to be fixed.
Find the required patch and click Details in the Actions column. In the Details panel, view the information in the Basic Information and Vulnerability Details sections.
Step 3: Fix vulnerabilities for affected devices
Fix a vulnerability for all affected devices with a few clicks
Before you perform a quick fix, make sure that the patch to be installed is compatible with all affected devices, for example by first fixing a small set of representative devices as described in the next section and confirming that they are not affected. Otherwise, incompatibility issues and blue screen errors may occur on every affected device at once, and the use of the devices may be adversely affected.
Find the required patch and click Quick Fix in the Actions column. In the Fix Settings dialog box, configure the Patch Download Speed Limit parameter and click OK. The quick fix is performed on all affected devices.
If you set the Patch Download Speed Limit parameter to 0, the download speed is unlimited. We recommend that you set the parameter to 1000 KB/s. You can also specify a value based on the bandwidth of your office network, because every affected device downloads the patch at up to this rate at the same time.
Fix a vulnerability for a specific affected device
Click Fix Settings above the patch list. In the Fix Settings dialog box, configure the Patch Download Speed Limit parameter and click OK. This limit applies to all devices.
Find the required patch and click Details in the Actions column. In the Details panel, click the Device Information tab. To fix all devices listed in the Device with Patch Installed section at once, click Fix All in that section.
To fix only specific devices, find each affected device on the Device Information tab and click Fix in the Actions column. Alternatively, select multiple affected devices and click Batch Fix to fix the vulnerability for the selected devices.
Step 4: View the fix status of devices
Go to the Device Information tab of the Details panel. View the number of devices on which the patch is installed, the number of devices for which the vulnerability is fixed, and the list of affected devices.
To remove an affected device from the list, find the device and click Delete in the Actions column. This removes only the record from the list; it does not install the patch on the device.
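The console reports fix status per device, but after a quick fix or batch fix a practitioner usually wants to confirm on the endpoint itself that the Windows update package is present, and to check the prerequisite that the SASE client is V4.5.1 or later. The following PowerShell is an added example and is not part of the SASE product or its documentation. It uses only the built-in Get-HotFix cmdlet and the standard Windows uninstall registry keys. The KB IDs, the computer name and the display-name pattern for the SASE client are placeholders chosen for illustration; the real display name of the client is not given on this page, and remote checks assume that remote management (WinRM or RPC) is enabled on the target devices.

```powershell
# Added example, not part of the SASE product or documentation.
# Verifies on Windows devices that the update packages (KB IDs) the SASE
# console reports as fixed are actually installed, and reports devices that
# cannot be reached (for example, a terminal that has not come online)
# instead of silently treating them as patched or unpatched.

function Test-KbInstalled {
    [CmdletBinding()]
    param(
        # KB IDs to check; "KB5000001" and "5000001" are both accepted.
        [Parameter(Mandatory)][string[]]$KbId,
        # Devices to check; defaults to the local device.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix lists the Windows update packages installed on the device.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop
        } catch {
            # Unreachable or offline device: emit one row per KB so it shows up in the report.
            foreach ($kb in $KbId) {
                [pscustomobject]@{
                    ComputerName = $computer
                    KbId         = $kb
                    Status       = 'Unreachable'
                    InstalledOn  = $null
                    Error        = $_.Exception.Message
                }
            }
            continue
        }
        foreach ($kb in $KbId) {
            # Normalise to the "KB1234567" form used by Get-HotFix (-replace is case-insensitive).
            $normalized = 'KB' + ($kb -replace '^KB', '')
            $match = $installed | Where-Object { $_.HotFixID -eq $normalized } | Select-Object -First 1
            [pscustomobject]@{
                ComputerName = $computer
                KbId         = $normalized
                Status       = if ($match) { 'Installed' } else { 'Missing' }
                InstalledOn  = if ($match) { $match.InstalledOn } else { $null }
                Error        = $null
            }
        }
    }
}

function Test-ClientVersion {
    [CmdletBinding()]
    param(
        # Placeholder pattern: replace with the actual display name of the SASE client.
        [string]$DisplayNamePattern = 'SASE*',
        [version]$MinimumVersion = [version]'4.5.1'   # prerequisite from this page
    )
    # 64-bit and 32-bit uninstall keys, where installed programs register their version.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern -and $_.DisplayVersion }
    if (-not $apps) {
        return [pscustomobject]@{ DisplayName = $null; Version = $null; MeetsMinimum = $false; Reason = 'Not installed' }
    }
    foreach ($app in $apps) {
        try {
            $ver = [version]$app.DisplayVersion
            [pscustomobject]@{ DisplayName = $app.DisplayName; Version = $ver; MeetsMinimum = ($ver -ge $MinimumVersion); Reason = $null }
        } catch {
            # A version string that does not parse is reported rather than assumed to be current.
            [pscustomobject]@{ DisplayName = $app.DisplayName; Version = $app.DisplayVersion; MeetsMinimum = $false; Reason = 'Unparseable version' }
        }
    }
}

# Usage with placeholder KB IDs and a placeholder remote device name:
# list only the devices that still need attention after a fix.
$report = Test-KbInstalled -KbId 'KB5000001', '5000002' -ComputerName $env:COMPUTERNAME, 'PC-FINANCE-01'
$report | Where-Object { $_.Status -ne 'Installed' } | Format-Table -AutoSize

# Confirm the client prerequisite on the local device.
Test-ClientVersion | Format-Table -AutoSize
```

Run the KB check against the affected-device list from the Device Information tab: a device that is Missing after the console shows it as fixed, or one that is Unreachable, is the one to follow up on, since an unreachable terminal is also one the scan task could not have reached before its end time.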
Related operations
View a scheduled scan task
On the Scan History tab, click Scheduled Scan Task above the task list.
On the Scheduled Task page, view the scheduled tasks that are created.
Click the icon in the Priority column to change the priority of the scheduled scan task.
Click the switch in the Task Status column to enable or disable the scheduled scan task based on your business requirements.
Click Details in the Actions column. In the Create Scheduled Task panel, modify the parameters based on your business requirements.
Click Delete in the Actions column to delete the scheduled scan task.
View scan records
You can view scan records on the Scan History tab.
You can query scan records by task type, task status, and task name.
The system generates a scan record each time it runs a scheduled task and names the record in the Task name-Task execution time format so that individual runs can be told apart.
You can click Cancel Task in the Actions column to cancel an immediate scan task that is in the In Progress state. You cannot cancel a scheduled scan task on the Scan History tab. To stop a scheduled scan task, go to the Scheduled Task page and disable the task, or delete it.
References
For more information about how to troubleshoot vulnerability fixing issues, see FAQ about terminal protection.