Windows Patch Management, Shavlik Technologies

by Marcin Policht

Our Windows Patch Management series shifts its focus to examine patch management products from third-party vendors. First up: Shavlik Technologies, one of the pioneers in this space.

With this article, our Windows patch management series shifts its focus to products from third-party vendors. In general, these products fall into three categories: 1) free products with relatively limited capabilities, such as basic vulnerability detection and patch installation (akin to Microsoft Baseline Security Analyzer); 2) full-blown products with additional comprehensive reporting and deployment features (such as the soon-to-be-released Windows Update Services); and 3) patch management add-ons that integrate into current enterprise management systems (similar to the SMS Software Update Services Feature Pack).

We kick off our discussion with a look at Shavlik Technologies, which was one of the pioneers in this area. Its solutions fall into the first two of the aforementioned categories.

Shavlik is a privately owned security company founded in 1993. Its technological advancements have been significant enough to attract attention from Microsoft, resulting in cooperative efforts and the development of the Microsoft Baseline Security Analyzer (MBSA), which is based on Shavlik's HFNetChk (short for HotFix Network Checker), released in 2001. HFNetChk is a feature-limited version of Shavlik's flagship product, HFNetChkPro. Both products are based on the same scanning technology, which relies on information stored in an XML file to verify patch level. This file, called mssecure.xml and already discussed in our series, is available for download in a compressed and digitally signed (to ensure its authenticity and integrity) version, mssecure.cab, from two Web sites — Microsoft's, at http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab, and Shavlik's, at http://xml.shavlik.com/mssecure.cab.

Both vendors currently use their own copies of the XML file for their tools. Shavlik made this switch starting with version 3.83 of HFNetChk, but it still offers an option to override the default and point to the Microsoft Web site with the -ms switch (similarly, you can point MBSA to an alternative location of mssecure.cab with its -x switch). When a scan is initiated, the tools check the version and locale of the operating system, the service pack level, and the components and applications installed. Based on this information, the applicable security patches are determined.
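
Since both tools trust whatever mssecure.xml they are pointed at, the signed cabinet is the only thing standing between a scan and a tampered catalogue. The following PowerShell function is an added example (not code from the article, Shavlik or Microsoft): it downloads a mssecure.cab from a URL you supply, refuses to use it unless the Authenticode signature validates and the signer matches an expected value, then expands it and confirms the XML parses. Get-VerifiedPatchCatalog, $ExpectedSigner and the example URL are assumptions of this example; fill the expected signer in from a copy you have already verified by other means.

```powershell
# Added example, not from the article or either vendor. Verifies a downloaded
# mssecure.cab before it is used as a patch catalogue.
function Get-VerifiedPatchCatalog {
    param(
        [Parameter(Mandatory)][string]$CabUrl,
        # Substring expected in the signing certificate's Subject (placeholder;
        # take it from a catalogue you have already verified)
        [Parameter(Mandatory)][string]$ExpectedSigner,
        [string]$WorkDir = (Join-Path $env:TEMP 'mssecure')
    )

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $cab = Join-Path $WorkDir 'mssecure.cab'
    Invoke-WebRequest -Uri $CabUrl -OutFile $cab

    # Authenticode covers .cab files. Anything other than 'Valid' (unsigned,
    # modified after signing, untrusted chain) is a reason to stop, not to warn.
    $sig = Get-AuthenticodeSignature -FilePath $cab
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${cab}: $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # expand.exe ships with Windows; -F:* extracts every file in the cabinet
    & expand.exe $cab '-F:*' $WorkDir | Out-Null

    # Casting to [xml] throws if the extracted file is not well-formed XML
    $xmlPath = Join-Path $WorkDir 'mssecure.xml'
    [xml]$catalog = Get-Content -Path $xmlPath -Raw

    return [pscustomobject]@{
        Path   = $xmlPath
        Signer = $sig.SignerCertificate.Subject
        Root   = $catalog.DocumentElement.Name
    }
}

# Usage (placeholder URL and signer):
# Get-VerifiedPatchCatalog -CabUrl 'https://example.invalid/mssecure.cab' -ExpectedSigner 'Microsoft'
```

The signer comparison matters as much as the validity check: a validly signed cabinet from the wrong publisher would still pass Get-AuthenticodeSignature, so pin the subject you expect rather than accepting any trusted signature.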

Before we dive deeper into the functionality of Shavlik's patch management solutions, a quick skim of the available solutions is in order:

  • HFNetChk.exe, which at press time is in version 3.86, is the most basic command line utility, available as a free download from the Shavlik Download Center at http://www.shavlik.com/downloads.aspx. Its /hf switch gives it a close resemblance to MBSA (not surprising, since both tools originate from the same team of developers). HFNetChk evaluates security patch levels on the target computer (or computers) running Windows NT 4.0, 2000, or XP for the base operating system as well as a number of Microsoft products and components, such as IIS 4.0 and 5.0, SQL and Exchange, MDAC, Microsoft Office, and Internet Explorer 5.01 or later. Although the most recent version (3.86) is a bit old — it was last updated November 20, 2002 — the next release, v4.0, is currently in Beta and will be in production soon.

  • HFNetChkPro Security Patch Management, in version 4.3 as of press time, is a GUI-based product (with an optional command line interface) that offers a comprehensive set of patch management features. HFNetChk serves as the scanning engine, but HFNetChkPro's feature set goes far beyond vulnerability detection, including flexible and dependable patch deployment functionality.

  • Account Inspector 3.9a, Enterprise Inspector 2.2, and HFNetChk Admin Suite Security Patch Management (including a free version for a limited number of computers) are security analysis and configuration tools integrated with HFNetChk as the patch scanning engine and HFNetChkPro as the patch deployment mechanism.

MBSA and Shavlik's HFNetChk scanning engine have a number of similarities. Neither requires agents on client computers (the same applies to HFNetChkPro when it comes to patch installation). This not only eliminates the need for complex and time-consuming deployment (by allowing their immediate use), but it also fits well in the centralized administration scenario. On the other hand, some admins might consider this a drawback, as network utilization increases because all management traffic originates from the administrative workstation running the tools. The HFNetChkPro thread setting (the number of threads can range from 1 to 64, with 64 being the default; you can configure it in the graphical interface or with the -t command line switch) can mitigate this problem by controlling the number of target computers on which patches are simultaneously scanned or deployed. Configuring scanning on a per-IP-subnet basis further helps with bandwidth throttling.

The agentless nature of Shavlik's utilities has other implications. A user who initiates a scan must be a member of the local Administrators group on the target computers. While this might be inconvenient in some scenarios (especially when it comes to vulnerability detection in a multidomain environment), it provides a level of security by preventing unauthorized information gathering. In addition, remote systems must be running the Server service, the Remote Registry service, File and Print Sharing, and the default administrative shares. They also require an XML parser, which is included with IE 5.0 or later and can be added to IE 4.0 by installing MSXML 4.0 SP1, downloadable from http://www.microsoft.com/xml. When scanning computers residing behind a firewall, TCP ports 139 and 445 and UDP ports 137 and 138 must be open. Finally, patching requires that Windows Task Scheduler be enabled on the target computers.
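
Because an agentless scan silently reports a machine as unreachable or "Not Found" when any of these prerequisites is missing, it is worth checking them from the administrative workstation before blaming the scanner. The function below is an added example (not part of the article or of Shavlik's tooling) that checks the TCP ports, required services and administrative shares listed above for one target. It assumes the target answers CIM/WMI queries for the scanning account, which in practice means the same local Administrators membership the scan itself needs; Test-AgentlessScanPrereqs and 'TARGET-HOST' are placeholders. UDP 137/138 cannot be probed with Test-NetConnection and are left to a firewall-rule review.

```powershell
# Added example, not from the article or from Shavlik. Checks the prerequisites
# for an agentless HFNetChk/MBSA scan of one target from the admin workstation.
function Test-AgentlessScanPrereqs {
    param([Parameter(Mandatory)][string]$Target)

    $report = [ordered]@{}

    # TCP ports the scan needs through a firewall (NetBIOS session and SMB).
    # UDP 137/138 (NetBIOS name/datagram) are not testable this way.
    foreach ($port in 139, 445) {
        $probe = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        $report["TCP $port open"] = $probe.TcpTestSucceeded
    }

    # Required services: Server (LanmanServer, also what File and Print Sharing
    # relies on), Remote Registry, and Task Scheduler (Schedule) for patching.
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $Target -ErrorAction Stop
    foreach ($name in 'LanmanServer', 'RemoteRegistry', 'Schedule') {
        $svc = $services | Where-Object Name -eq $name
        $report["Service $name running"] = ($null -ne $svc -and $svc.State -eq 'Running')
    }

    # Default administrative shares: ADMIN$ and the system-drive share
    $shares = Get-CimInstance -ClassName Win32_Share -ComputerName $Target
    $report['ADMIN$ share present'] = [bool]($shares | Where-Object Name -eq 'ADMIN$')
    $report['C$ share present']     = [bool]($shares | Where-Object Name -eq 'C$')

    # Everything above must be true for a scan (and a push) to work
    $report['All prerequisites met'] = -not ($report.Values -contains $false)

    return [pscustomobject]$report
}

# Usage (placeholder host name). Run as an account that is a local
# Administrator on the target; otherwise the CIM queries fail the same way
# the scan would.
# Test-AgentlessScanPrereqs -Target 'TARGET-HOST' | Format-List
```

A failed CIM query is itself diagnostic: if Get-CimInstance is refused, the scanning account almost certainly lacks the local Administrators membership the article calls out, and no amount of port or service checking will make the scan succeed.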

>> HFNetChkPro's Features

Shavlik HFNetChkPro offers the following innovative features:

  • HFNetChkPro features a more fine-tuned scanning engine than MBSA. Starting with version 3.86, Shavlik's HFNetChk uses file references as the primary source of information (with the option of evaluating file checksums, depending on whether you perform a QuickScan or a FullScan). This allows the detection of patches both applied explicitly (in this case, registry verification might be used) and effectively installed (i.e., patches superseded by other patches or roll-up packages), and it takes advantage of the same supersedence information to apply only those patches that are actually necessary.

    This is in contrast to the MBSA 1.2 scanning engine, which by default requires a registry key indicated in the XML file be present on a target computer for a patch to be considered installed. If for some reason relevant registry subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates (the remaining portion of the path depends on the operating system version on the target machine) are missing, patches appear as "Not Found." To get around this problem, Microsoft simply omitted the registry key entries for most of the patches in its version of mssecure.xml file. Another option is to bypass the registry check with -hf -z switch when running MBSA.

  • Customizable scanning templates contain settings for security scans (e.g., the location of MSSecure.xml file, log creation, and checksum verification).

  • Flexible deployment options enable the choice of precreated or custom deployment templates, which define settings for patch deployment (such as reboot behavior, user notification, and backup files for uninstall). Patches can be auto-deployed immediately following the scan, with an automatic copy sent to target machines (which requires subsequent manual installation), or scheduled deployment (according to a specified date and time). Integration with Active Directory allows scans and deployment based on Organizational Unit structure.

  • Remote PatchPush Tracker can be applied following patch deployment to immediately validate installation status by analyzing messages target computers send to an administrative workstation.

  • Patch uninstallation support is available via the Uninstall Selected option in the graphical interface (this option is not available via command line switches).

  • Increased security is offered through redundant digital signature verification. Patches are checked three times for digital signatures before being installed on a target machine. (It is done during the initial download, prior to copying to a target machine, and immediately before installation). Access to a directory where patches are temporarily stored is restricted to Local System accounts and members of local Administrator groups.

  • Knowledge management functionality includes built-in threat analysis from TruSecure and Microsoft to indicate patch criticality. It is also possible to attach custom annotations to patches, allowing information-sharing between members of administrative teams.

  • The intuitive graphical interface includes drag-and-drop functionality.

  • Extensive documentation and reporting consists of 11 built-in, customizable reports producing results in a number of formats (PDF, HTML, XLS, CSV, and RTF), referencing Shavlik's supplied details about each patch, such as file names, versions, dates, and criticality levels, as well as the company's internal information (such as annotations). HFNetChkPro supports SQL Server databases for storing scan and deployment results (by default, the JET database ShavlikScans.mdb is used).
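
The difference between the two detection strategies in the first bullet above (registry-key presence versus file version plus supersedence) is easiest to see on a machine that received a roll-up: the files are current, but the per-patch registry keys were never written. The script below is an added example, not Shavlik's or Microsoft's scanning code and not the real mssecure.xml schema; it models both checks against a simulated machine state so that it runs anywhere. The catalogue entries (PATCH-1, PATCH-2, demo.dll, the registry paths and version numbers) and the function names are all constructed for illustration.

```powershell
# Added example, not vendor code. Contrasts a registry-key-only patch check
# (MBSA 1.2 default) with a file-version check that also honours supersedence.

# Constructed two-patch catalogue: PATCH-2 supersedes PATCH-1 and ships a
# newer copy of the same file.
$Catalog = @(
    @{ Id = 'PATCH-1'; RegKey = 'HKLM:\SOFTWARE\Microsoft\Updates\Demo\PATCH-1'
       File = 'demo.dll'; MinVersion = '5.0.1000.0'; SupersededBy = 'PATCH-2' }
    @{ Id = 'PATCH-2'; RegKey = 'HKLM:\SOFTWARE\Microsoft\Updates\Demo\PATCH-2'
       File = 'demo.dll'; MinVersion = '5.0.2000.0'; SupersededBy = $null }
)

# Simulated machines (constructed). The roll-up machine has the current file
# but no per-patch registry keys; the unpatched machine has an old file.
$RollupMachine    = @{ RegistryKeys = @(); FileVersions = @{ 'demo.dll' = '5.0.2000.0' } }
$UnpatchedMachine = @{ RegistryKeys = @(); FileVersions = @{ 'demo.dll' = '5.0.0500.0' } }

function Test-PatchByRegistry {
    param($Patch, $Machine)
    # MBSA 1.2 default: installed only if the key named in the XML exists
    return [bool]($Machine.RegistryKeys -contains $Patch.RegKey)
}

function Test-PatchByFileVersion {
    param($Patch, $Machine)
    # File-reference check: installed if the shipped file is at or above the
    # patch's version, however it got there (explicit install, roll-up, later patch)
    $have = $Machine.FileVersions[$Patch.File]
    if (-not $have) { return $false }
    return ([version]$have -ge [version]$Patch.MinVersion)
}

function Get-PatchesToDeploy {
    param($Catalog, $Machine, [switch]$RegistryOnly)
    $missing = foreach ($p in $Catalog) {
        $installed = if ($RegistryOnly) { Test-PatchByRegistry $p $Machine } else { Test-PatchByFileVersion $p $Machine }
        if (-not $installed) { $p }
    }
    $missingIds = @($missing | ForEach-Object { $_.Id })
    # Supersedence: if a missing patch's successor is also missing, deploying
    # the successor covers both, so only the successor is listed.
    return @($missing |
        Where-Object { -not ($_.SupersededBy -and ($missingIds -contains $_.SupersededBy)) } |
        ForEach-Object { $_.Id })
}

foreach ($case in @(
    @{ Name = 'roll-up machine, registry-only';    Ids = Get-PatchesToDeploy -Catalog $Catalog -Machine $RollupMachine -RegistryOnly }
    @{ Name = 'roll-up machine, file-version';     Ids = Get-PatchesToDeploy -Catalog $Catalog -Machine $RollupMachine }
    @{ Name = 'unpatched machine, file-version';   Ids = Get-PatchesToDeploy -Catalog $Catalog -Machine $UnpatchedMachine }
)) {
    $list = if ($case.Ids.Count) { $case.Ids -join ', ' } else { '(none)' }
    '{0,-36} deploy: {1}' -f $case.Name, $list
}
```

On the roll-up machine the registry-only pass still schedules PATCH-2 even though demo.dll is already at the required version, which is exactly the "Not Found" false positive described for MBSA 1.2 when the keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates are absent; the file-version pass reports nothing to deploy. On the genuinely unpatched machine both strategies find both patches missing, but supersedence trims the deployment list to PATCH-2 alone, so the older patch is never pushed only to be overwritten.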

As of press time, HFNetChkPro supports only Windows-based systems; however, the company indicates it is working on versions of tools intended for Linux and Sun Solaris.

This concludes our overview of patch management solutions from Shavlik Technologies. The next article will look at similar products from other vendors.

This article was originally published on Wednesday Jul 14th 2004