tagayev
New Contributor II

Compliance Scan Configuration for Delayed OS Updates but Latest AV Signatures

Hello Fortinet Community,

I’ve deployed the FortiNAC Persistent Agent and implemented compliance scans to ensure our systems are secure. Our policy is to delay operating system updates by one month, but we want antivirus signatures to always be up-to-date.

I understand it's possible to delay OS definitions downloads, but this also delays AV updates.

Is there a way to configure compliance scans to check that the OS has all critical updates with a one-month delay while ensuring AV signatures are always the latest?

Any guidance or best practices would be appreciated!

Thank you!

FortiNAC 

2 REPLIES
ndumaj
Staff

Hi @tagayev 

Yes, you can do that on the configuration EPC Guide using the Windows tab: select the category Anti-Virus and select the latest AV patch, then select the category Operating System and select the patch for each Windows version that you need.
BR

- Happy to help, hit like and accept the solution -
scitlak
Staff

Hi,

I believe you cannot perform a scan for critical updates with a month's delay, since the PA makes a query to the Microsoft Update repository and scans your host depending on the query results. If an OS critical update is available on the Microsoft repository and missing on your host, the scan will fail.

You may look at the KB below for more information.

 

Hosts Unexpectedly failing Security or Cr... - Fortinet Community


However, you may configure a custom scan with a hotfix option, and you may check your hosts with a specific KB ID.

Of course, you will need to change the KB ID every month.

 
