Shavlik HFNetChkPro offers the following innovative features:
- HFNetChkPro features a more fine-tuned scanning engine than MBSA. Starting with version 3.86, Shavlik’s HFNetChk file references are used as the primary source of information (with the option of evaluating file checksums, depending on whether you perform a QuickScan or a FullScan). This allows the detection of patches both applied explicitly (in this case, registry verification might be used) and effectively installed (i.e., patches superseded by other patches or roll-up packages), and the same supersedence information is used to deploy only those patches that are necessary.
This is in contrast to the MBSA 1.2 scanning engine, which by default requires that a registry key indicated in the XML file be present on a target computer for a patch to be considered installed. If for some reason the relevant registry subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates (the remaining portion of the path depends on the operating system version on the target machine) are missing, patches appear as “Not Found.” To get around this problem, Microsoft simply omitted the registry key entries for most of the patches in its version of the mssecure.xml file. Another option is to bypass the registry check with the -hf -z switches when running MBSA.
- Customizable scanning templates contain settings for security scans (e.g., the location of MSSecure.xml file, log creation, and checksum verification).
- Flexible deployment options enable the choice of precreated or custom deployment templates, which define settings for patch deployment (such as reboot behavior, user notification, and backup files for uninstall). Patches can be deployed automatically immediately following the scan, copied automatically to target machines (which requires subsequent manual installation), or deployed on a schedule (according to a specified date and time). Integration with Active Directory allows scans and deployment based on Organizational Unit structure.
- Remote PatchPush Tracker can be applied following patch deployment to immediately validate installation status by analyzing messages target computers send to an administrative workstation.
- Patch uninstallation support is available via the Uninstall Selected option in the graphical interface (this option is not available via command line switches).
- Increased security is offered through redundant digital signature verification. Patches are checked three times for digital signatures before being installed on a target machine (during the initial download, prior to copying to a target machine, and immediately before installation). Access to the directory where patches are temporarily stored is restricted to Local System accounts and members of local Administrator groups.
- Knowledge management functionality includes built-in threat analysis from TruSecure and Microsoft to indicate patch criticality. It is also possible to attach custom annotations to patches, allowing information-sharing between members of administrative teams.
- The intuitive graphical interface includes drag-and-drop functionality.
- Extensive documentation and reporting consist of 11 built-in, customizable reports that produce results in a number of formats (PDF, HTML, XLS, CSV, and RTF) and reference Shavlik-supplied details about each patch, such as file names, versions, dates, and criticality levels, as well as the company’s internal information (such as annotations). HFNetChkPro supports SQL Server databases for storing scan and deployment results (by default, the JET database ShavlikScans.mdb is used).
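The difference between the two detection strategies compared in the first feature above (registry-key verification versus file references with supersedence) can be seen in a simplified model. This is an added example, not Shavlik's or Microsoft's code; the patch ids, file names, versions and the subkey names under Updates are all constructed.

```python
# Added illustration: registry-based vs file-based patch detection (constructed data).
from dataclasses import dataclass, field

UPDATES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates"

@dataclass
class Patch:
    pid: str
    reg_key: str                 # subkey the installer is expected to write
    files: dict                  # file name -> minimum patched version
    superseded_by: list = field(default_factory=list)

@dataclass
class Host:
    reg_keys: set                # registry subkeys present on the target
    files: dict                  # file name -> installed version

def registry_status(patch, host):
    """Registry-only check: a missing key is reported as "Not Found"."""
    return "Installed" if patch.reg_key in host.reg_keys else "Not Found"

def files_match(patch, host):
    return all(host.files.get(name, (0,)) >= ver for name, ver in patch.files.items())

def file_status(patch, host, catalog, seen=frozenset()):
    """File-reference check that also follows supersedence links."""
    if files_match(patch, host):
        return "Installed"
    for newer in patch.superseded_by:
        if newer not in seen and file_status(
                catalog[newer], host, catalog, seen | {patch.pid}) != "Not Found":
            return "Effectively installed"
    return "Not Found"

def patches_to_deploy(catalog, host):
    """Missing patches, skipping any that a newer patch supersedes."""
    return sorted(p.pid for p in catalog.values()
                  if not p.superseded_by and file_status(p, host, catalog) == "Not Found")

CATALOG = {p.pid: p for p in [
    Patch("EX-001", UPDATES + r"\Sample\EX001", {"alpha.dll": (5, 0, 1)}, ["EX-003"]),
    Patch("EX-002", UPDATES + r"\Sample\EX002", {"beta.dll": (2, 1, 0)}),
    Patch("EX-003", UPDATES + r"\Sample\EX003", {"gamma.dll": (1, 4, 0)}),
    Patch("EX-004", UPDATES + r"\Sample\EX004", {"delta.dll": (3, 0, 0)}),
]}
# Constructed target: roll-up EX-003 applied; EX-002 files present but its key is gone.
HOST = Host({UPDATES + r"\Sample\EX003"},
            {"alpha.dll": (5, 0, 0), "beta.dll": (2, 1, 0),
             "gamma.dll": (1, 4, 0), "delta.dll": (2, 9, 0)})
```

On this sample target the registry-only check reports EX-001 and EX-002 as "Not Found", while the file-based check finds EX-002 installed, treats EX-001 as effectively installed through its roll-up, and leaves only EX-004 to deploy.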
As of press time, HFNetChkPro supports only Windows-based systems; however, the company indicates it is working on versions of tools intended for Linux and Sun Solaris.
This concludes our overview of patch management solutions from Shavlik Technologies. The next article will look at similar products from other vendors.