Patching

New bucketAV versions are released regularly, including OS security updates (check the release notes). New releases are tested extensively to ensure that the latest patches work well with bucketAV’s software.

The customer is responsible for updating the product.

If you require more timely patching, we integrate with AWS Systems Manager. You can use Patch Manager to install updates on your schedule. Learn how to configure Patch Manager.

We do not provide support for EC2 instances you modified.

The signatures database is updated automatically approximately every 2 hours.

We recommend patching bucketAV by updating to the latest version.

AWS Systems Manager Patch Manager configuration

To configure AWS Systems Manager Patch Manager:

  1. Prepare bucketAV:
    1. Set the SystemsManagerAccess configuration parameter to true.
    2. Expand the IAM permissions of the bucketAV Scan Fleet with an AWS managed policy by adding arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore to the ManagedPolicyArns configuration parameter.
    3. If you have configured values (not *) for the S3BucketRestriction configuration parameter or S3ObjectRestriction configuration parameter, you must add the following buckets (replace REGION with AWS Region, e.g., us-east-1; get the value from the top right in the AWS UI):
      • S3BucketRestriction: arn:aws:s3:::aws-ssm-REGION,arn:aws:s3:::patch-baseline-snapshot-REGION
      • S3ObjectRestriction: arn:aws:s3:::aws-ssm-REGION/*,arn:aws:s3:::patch-baseline-snapshot-REGION/*
  2. In AWS Systems Manager, create a new maintenance window.
    1. Set a name and schedule.
    2. Click Create maintenance window.
    3. Click on your created maintenance window.
    4. Register a new target.
    5. Set a name and target by tag. Use tag key aws:cloudformation:stack-name and set the value to the stack name of bucketAV (if you followed the docs, the name is bucketav). Click Add.
    6. Click Register target.
    7. Register a new Run command task.
    8. Set a name, select the command document AWS-RunPatchBaseline, add the targets defined in the previous step, set rate control concurrency to 1 target and the error threshold to 1 error, and set parameters Operation to Install and RebootOption to RebootIfNeeded.
    9. Click Register Run command task.

To configure AWS Systems Manager Patch Manager:

  1. Prepare AWS account:
    1. Create an IAM policy to grant access to S3 buckets required by AWS Systems Manager Patch Manager.
  2. Prepare bucketAV:
    1. Set the SystemsManagerAccess configuration parameter to true.
    2. Expand the IAM permissions of the bucketAV Scan Fleet with the AWS managed policy by adding arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore to the ManagedPolicyArns configuration parameter as well as the customer managed IAM policy created earlier.
  3. In AWS Systems Manager, create a new maintenance window.
    1. Set a name and schedule.
    2. Click Create maintenance window.
    3. Click on your created maintenance window.
    4. Register a new target.
    5. Set a name and target by tag. Use tag key aws:cloudformation:stack-name and set the value to the stack name of bucketAV (if you followed the docs, the name is bucketav). Click Add.
    6. Click Register target.
    7. Register a new Run command task.
    8. Set a name, select the command document AWS-RunPatchBaseline, add the targets defined in the previous step, set rate control concurrency to 1 target and the error threshold to 1 error, and set parameters Operation to Install and RebootOption to RebootIfNeeded.
    9. Click Register Run command task.
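
The maintenance window steps in both procedures above can also be scripted with the AWS CLI. The following is an added example, not part of bucketAV's documentation or tooling. The window, target and task names, the schedule, and the duration and cutoff values are assumptions; the tag key, command document, concurrency, error threshold and parameters are the ones given in the steps.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of the console steps above (not bucketAV's own tooling).
set -eu

STACK_NAME="${STACK_NAME:-bucketav}"          # bucketAV stack name (docs default)
SCHEDULE="${SCHEDULE:-cron(0 3 ? * SUN *)}"   # assumed schedule: Sundays 03:00 UTC

# Target selector: instances tagged by CloudFormation with the bucketAV stack name.
stack_target() {
  printf 'Key=tag:aws:cloudformation:stack-name,Values=%s' "$1"
}

# Run Command parameters for AWS-RunPatchBaseline, as set in the task step.
patch_task_parameters() {
  printf '%s' '{"RunCommand":{"Parameters":{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}}}'
}

configure_patch_window() {
  local window_id target_id
  # Create the maintenance window (duration and cutoff, in hours, are assumed values).
  window_id=$(aws ssm create-maintenance-window \
    --name "${STACK_NAME}-patching" --schedule "$SCHEDULE" \
    --duration 2 --cutoff 1 --no-allow-unassociated-targets \
    --query WindowId --output text)

  # Register the scan fleet as a target, selected by the stack-name tag.
  target_id=$(aws ssm register-target-with-maintenance-window \
    --window-id "$window_id" --name "${STACK_NAME}-scan-fleet" \
    --resource-type INSTANCE --targets "$(stack_target "$STACK_NAME")" \
    --query WindowTargetId --output text)

  # Register the Run command task: concurrency 1, error threshold 1.
  aws ssm register-task-with-maintenance-window \
    --window-id "$window_id" --name "${STACK_NAME}-run-patch-baseline" \
    --targets "Key=WindowTargetIds,Values=${target_id}" \
    --task-type RUN_COMMAND --task-arn AWS-RunPatchBaseline \
    --max-concurrency 1 --max-errors 1 \
    --task-invocation-parameters "$(patch_task_parameters)" \
    --query WindowTaskId --output text
}

# Only call AWS when explicitly asked to: ./configure-patching.sh --apply
if [ "${1:-}" = "--apply" ]; then
  configure_patch_window
fi
```

Patching one instance at a time with RebootIfNeeded keeps the rest of the scan fleet available while an instance reboots.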
