With this article, our Windows patch management series shifts its focus to products from third-party vendors. In general, these products fall into three categories: 1) free products with relatively limited capabilities, such as basic vulnerability detection and patch installation (akin to Microsoft Baseline Security Analyzer); 2) full-blown products with additional comprehensive reporting and deployment features (such as the soon-to-be-released Windows Update Services); and 3) patch management add-ons that integrate into current enterprise management systems (similar to the SMS Software Update Services Feature Pack).
We kick off our discussion with a look at Shavlik Technologies, which was one of the pioneers in this area. Its solutions fall into the first two of the aforementioned categories.
Shavlik is a privately owned security company founded in 1993. Its work in this area was significant enough to attract Microsoft's attention, leading to a cooperative effort and to the Microsoft Baseline Security Analyzer (MBSA), which is based on Shavlik's HFNetChk (HotFix Network Checker), released in 2001. HFNetChk is a feature-limited version of Shavlik's flagship product, HFNetChkPro. Both products are built on the same scanning technology, which relies on an XML file to verify patch level. This file, mssecure.xml, already discussed earlier in our series, is distributed as a compressed and digitally signed cabinet, mssecure.cab (the signature lets the tools confirm its authenticity and integrity before relying on it), from two Web sites: Microsoft's, at http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab, and Shavlik's, at http://xml.shavlik.com/mssecure.cab.
Each vendor now has its tools use its own copy of the XML file. Shavlik made this switch starting with version 3.83 of HFNetChk, but it still offers an option to override the default and point to Microsoft's copy with the -ms switch (MBSA can likewise be pointed to an alternative location of mssecure.cab with the -x switch). When a scan is initiated, the tools check the version and locale of the operating system, the service pack level, and the installed components and applications; the applicable security patches are determined from that information.
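Whichever source the -ms or -x switch points to, the step that matters for security is that the signature on mssecure.cab is checked before the patch database is used. The following PowerShell function is an added example written for this article; it is not code from Microsoft, Shavlik or the original page. It assumes Windows PowerShell 5.1 or later on Windows with expand.exe available, and a reachable source for the cabinet; the article's Microsoft URL is the default, but both original URLs have long since been retired, so in practice -Source (this function's counterpart of the -ms and -x overrides) will point at your own mirror or a local copy. The element name Bulletin used for the summary count is an assumption about the file's layout.

```powershell
<#
  Added example (not Microsoft's, Shavlik's or the article's own code):
  obtain mssecure.cab, refuse to use it unless its Authenticode signature
  verifies, expand it and load mssecure.xml for further queries.
  Assumed: Windows PowerShell 5.1+ on Windows, expand.exe present, and that
  -Source is a URL or local path to a copy of mssecure.cab.
#>
function Get-VerifiedMssecureXml {
    [CmdletBinding()]
    param(
        # The article's Microsoft URL by default (retired today); override it the
        # way HFNetChk's -ms and MBSA's -x switches choose the file's location.
        [string]$Source = 'http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab',
        [string]$WorkDir = (Join-Path $env:TEMP 'mssecure')
    )

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $cab = Join-Path $WorkDir 'mssecure.cab'

    # Accept either an already-downloaded local file or an HTTP(S) URL
    if (Test-Path -LiteralPath $Source) {
        Copy-Item -LiteralPath $Source -Destination $cab -Force
    } else {
        Invoke-WebRequest -Uri $Source -OutFile $cab -UseBasicParsing
    }

    # Authenticity and integrity: anything other than 'Valid' (NotSigned,
    # HashMismatch, NotTrusted, ...) means the patch database must not be used.
    $sig = Get-AuthenticodeSignature -FilePath $cab
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to use $cab - signature status $($sig.Status): $($sig.StatusMessage)"
    }
    Write-Verbose "mssecure.cab signed by: $($sig.SignerCertificate.Subject)"

    # Extract only mssecure.xml from the cabinet (expand source.cab -F:files destination)
    & "$env:SystemRoot\System32\expand.exe" $cab -F:mssecure.xml $WorkDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

    # Load the XML without an external resolver so no DTD or external entity is fetched
    $xmlPath = Join-Path $WorkDir 'mssecure.xml'
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null
    $stream = [System.IO.File]::OpenRead($xmlPath)
    try { $doc.Load($stream) } finally { $stream.Dispose() }

    [pscustomobject]@{
        Path      = $xmlPath
        Signer    = $sig.SignerCertificate.Subject
        Bulletins = $doc.SelectNodes('//Bulletin').Count   # element name assumed
        Document  = $doc
    }
}

# Usage (local mirror): $db = Get-VerifiedMssecureXml -Source 'C:\mirror\mssecure.cab' -Verbose
```

The function throws rather than warns on a bad signature, which is the behaviour you want from anything that feeds a patch deployment: a tampered or truncated database can make a scanner report a vulnerable host as fully patched. Disabling the XML resolver is a separate caveat, not something the article mentions, but it is cheap insurance when parsing a file fetched over the network.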
Before we dive deeper into the functionality of Shavlik’s patch management solutions, a quick skim of the available solutions is in order:
MBSA and Shavlik's HFNetChk scanning engine have a number of similarities. Neither requires agents on client computers (the same applies to HFNetChkPro's patch installation). This eliminates the need for a complex and time-consuming deployment, so the tools can be used immediately, and it fits well with centralized administration. On the other hand, some admins might consider it a drawback: because the tools run from an administrative workstation, all management traffic originates there and network utilization rises accordingly. The HFNetChkPro thread setting (from 1 up to the default of 64, configurable in the graphical interface or with the -t command-line switch) mitigates this by controlling how many target computers are scanned or patched simultaneously. Configuring scanning on a per-IP-subnet basis further helps with bandwidth throttling.
The agentless nature of Shavlik's utilities has other implications. The user who initiates a scan must be a member of the local Administrators group on each target computer. While this can be inconvenient in some scenarios (especially vulnerability detection in a multidomain environment), it provides a measure of security by preventing unauthorized information gathering about patch levels. In addition, remote systems must have the Server service and the Remote Registry service running, File and Print Sharing enabled, and the default administrative shares present. They also require an XML parser, which is included with IE 5.0 or later and can be added to IE 4.0 by installing MSXML 4.0 SP1, downloadable from http://www.microsoft.com/xml. When scanning computers that sit behind a firewall, TCP ports 139 and 445 and UDP ports 137 and 138 must be open. Finally, patching requires that the Windows Task Scheduler be enabled on the target computers.
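Because every one of these prerequisites fails silently from the scanner's point of view (a host that cannot be reached simply shows up as unscanned, not as unpatched), it is worth verifying them from the administrative workstation before a scan or deployment run. The script below is an added example for the two preceding paragraphs and is not code from Shavlik or from the original article; it checks the listed prerequisites for each target and caps the number of targets probed at once, in the role the -t thread setting plays for HFNetChkPro. It assumes you run it as an account that is in each target's local Administrators group, Windows PowerShell 5.1 or PowerShell 7 on Windows, and, for the service-state query only, that DCOM/WMI (RPC 135 plus dynamic ports, which the article does not list) is reachable; every other check uses nothing beyond the ports and services the article names. UDP 137 and 138 cannot be probed meaningfully with a bare connect and are left out.

```powershell
<#
  Added example (not Shavlik's or the article's code): preflight the agentless
  prerequisites for a list of targets, with a cap on concurrent probes.
  Assumed: caller is a local admin on each target; PowerShell 5.1 or 7 on Windows.
#>
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Plain TCP connect with a timeout; avoids Test-NetConnection's slow ICMP step
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Dispose() }
}

function Test-AgentlessScanPrereq {
    param([Parameter(Mandatory)][string]$ComputerName)
    $r = [ordered]@{ ComputerName = $ComputerName }

    # The TCP ports the article requires open through a firewall
    $r.Tcp139 = Test-TcpPort $ComputerName 139
    $r.Tcp445 = Test-TcpPort $ComputerName 445

    # Default administrative share; success also proves the caller is a local admin there
    $r.AdminShare = Test-Path -LiteralPath "\\$ComputerName\ADMIN$"

    # Remote Registry: open HKLM remotely and read the values the scanners key on
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $cv = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $r.RemoteRegistry = $true
        $r.ProductName = $cv.GetValue('ProductName')
        $r.ServicePack = $cv.GetValue('CSDVersion')
        $hklm.Close()
    } catch {
        $r.RemoteRegistry = $false; $r.ProductName = $null; $r.ServicePack = $null
    }

    # Service state for Server (LanmanServer), Remote Registry and Task Scheduler (Schedule);
    # this is the one check that needs DCOM/WMI rather than SMB alone
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $cs = New-CimSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop
        $svc = Get-CimInstance -CimSession $cs -ClassName Win32_Service `
            -Filter "Name='LanmanServer' OR Name='RemoteRegistry' OR Name='Schedule'"
        foreach ($s in $svc) { $r["Svc_$($s.Name)"] = $s.State }
        Remove-CimSession $cs
    } catch {
        $r.Svc_LanmanServer = 'unknown'; $r.Svc_RemoteRegistry = 'unknown'; $r.Svc_Schedule = 'unknown'
    }

    # Ready for scan and patch deployment only if every SMB-side requirement holds
    $r.Ready = $r.Tcp445 -and $r.AdminShare -and $r.RemoteRegistry -and ($r.Svc_Schedule -eq 'Running')
    [pscustomobject]$r
}

function Invoke-ScanPreflight {
    param([string[]]$Targets, [int]$ThreadLimit = 64)
    # ThrottleLimit plays the role of HFNetChkPro's -t setting: it caps how many targets
    # are probed at once, and so the management traffic leaving this workstation.
    # ForEach-Object -Parallel needs PowerShell 7; on 5.1 fall back to one target at a time.
    if ($PSVersionTable.PSVersion.Major -ge 7) {
        $fnPort = ${function:Test-TcpPort}.ToString()
        $fnPre  = ${function:Test-AgentlessScanPrereq}.ToString()
        $Targets | ForEach-Object -Parallel {
            ${function:Test-TcpPort} = $using:fnPort
            ${function:Test-AgentlessScanPrereq} = $using:fnPre
            Test-AgentlessScanPrereq -ComputerName $_
        } -ThrottleLimit $ThreadLimit
    } else {
        foreach ($t in $Targets) { Test-AgentlessScanPrereq -ComputerName $t }
    }
}

# Usage: Invoke-ScanPreflight -Targets 'srv01','srv02' -ThreadLimit 8 | Format-Table -AutoSize
```

A host that reports Tcp445 true but AdminShare false is the case the article's admin-rights requirement describes: the network path is fine, but the scanning account is not a local administrator there, so the scanner will never see its patch state. Group the target list by subnet and run Invoke-ScanPreflight once per group if you also want the per-subnet throttling the article mentions.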
Marcin Policht obtained his Master of Computer Science degree about 20 years ago and has since worked in the Information Technology field, handling a variety of responsibilities but focusing primarily on identity and access management, virtualization, system management and, more recently, private, hybrid and public cloud services. He authored the first book dedicated to Windows Management Instrumentation and has co-written several others on subjects ranging from core operating system features to high-availability solutions. His articles have been published on Web sites such as ServerWatch.com and DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been awarded the title of Microsoft MVP for the last ten years.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved