A Patchwork Quilt

Patch management is no longer a luxury to have a secure network—it’s a necessity. We test six solutions to the problem of knowing whether or not your servers and desktops are up to date.

A year or so ago, the idea of an automated patch management software solution was seen as “nice to have.” Sure, there was the administrative headache of keeping track of all the various service packs, hotfixes, and so forth, but it was only a headache, not a critical problem. Not any longer.

Effective patching has become a national priority with the country’s cybersecurity plan now urging that the patch management process become simpler. Most administrators are unable to keep pace with the barrage of security alerts coming out at the pace of about one every two to three days. Hence, automation is the only effective solution. But which product should you use to automate patch management?

This review looks at six patch management products for Windows networks. All six programs have the same basic characteristics—they’re designed to scan network clients for their patch status, assess them against an ideal list and deploy patches. All six have access to a database of patches to call upon, a system of obtaining the latest patches and a means of providing administrators with reports about what’s going on. If a patch management product can’t handle these essential functions, steer clear.

Product Information

BigFix Patch Manager 3.0
$2,500 per server; $15 per node per year
BigFix, Inc

Ecora Patch Manager 2.0
$11.50–$39 per node per year Ecora

GFI LANguard Network
Security Scanner 3.2

Starting from $249 for 50 IPs
GFI Software USA, Inc.

PatchLink Update 4.0
$1,249 plus annual subscription from $12-$15 per node based on
PatchLink Corporation

St. Bernard UpdateEXPERT 6.0
$780 for up to 50 IPs per year
St. Bernard Software, Inc.

HFNetChkPro Enterprise 4.0
$23.75 per server or workstation for 100 managed CPUs
Shavlik Technologies, LLC

BigFix Patch Manager 3.0
Patch Manager 3.0 is part of the BigFix Enterprise Suite of products that includes BigFix Enterprise Server, BigFix Enterprise Console, BigFix Enterprise Client and the BigFix Patch Manager Library, as well as the heart of the process—Patch Manager 3.0.

System requirements for BigFix include Windows 2000 Server and IIS. The BigFix Enterprise Client can be installed on any Windows 95 or later client as well as Linux, Mac OS9 or OSX and Sun Solaris.

I found installation smooth except for a few stops and starts. I felt that the troubleshooting aids were limited, but the tech support people were prompt in their response and the suggested fix worked.

BigFix has an agent-based architecture that uses the agent-side intelligence for patch-configuration scanning of the end-user host and for pulling down the patches pushed out by the BigFix administrator. Agent installation is easy and the footprint small. The administrator can create "Fixlet" messages, in which a group of patches are packaged by BigFix, and then push them out to hosts that meet the requirements for the patch. These requirements are stored in the Fixlet messages and include parameters such as registry keys, application-build levels and OS platform.

Fixlets are central to BigFix’s technology. These are intelligent messages that can detect a problem, proactively alert users or administrators to the problem before failure occurs and deploy a one-click solution. (See Figure 1). Administrators have the ability to write customized Fixlets, making BigFix more than just a patch management tool; it can be a customizable network security system that allows creation and enforcement of policies across the enterprise.

Fixlets, part of BigFix suite
Figure 1. Fixlets—part of the BixFix suite—alert you to potential holes in your security and how they could be exploited. (Click image to view larger version.)

The user interface emulates an e-mail inbox for patches, continually receiving new Fixlet messages. The machine’s administrator monitors the inbox and can ignore patches that are irrelevant to the environment and start processes to apply those that are important.

As an agent-based solution, Patch Manager distributes intelligence to every node in a network, creating a two-way dialog between the server and an individual machine or groups of machines. This distributed structure takes advantage of local processing capabilities to improve performance, enable real-time assessment and streamline the overall patch management process throughout large networks. The actual work is done on the client side—a significant advantage in terms of server load balancing and network traffic.

Using agents means minimal impact on bandwidth; Patch Manager can support up to 15,000 machines per server. It also means the system can be left in a permanent “on” state. Scanning and updating can be done continuously, without causing network congestion. Agentless and less robust agent-based solutions normally get around the traffic problem by scheduling scanning and deployment at very long intervals, but this can leave network computers unpatched for appreciable lengths of time.

Patch Manager provides numerous deployment capabilities, such as the ability to schedule the exact deployment date and time, to deploy multiple patches with a single action and to create policies to deploy a fix automatically to any computers that experience a specified future problem. Administrators can control download restart and bandwidth throttling for remote and dial-up connections. BigFix offers the ability to target fixes to specific computers, groups of computers or to Active Directory domains or organizational units.

Other nice features of Patch Manager are the ability to sort patches based on download size, release date, severity and product type and to create hierarchical machine groups to ease management and deployment. Additionally, Patch Manger provides multi-level administrator privileges and relevance evaluation of patches and affected machines.

The program continuously monitors patches until every machine is fixed.

BigFix mirrors all downloads to clients from a central mirror server, thus limiting external communication to the Internet and reducing the load on valuable external access while facilitating the enforcement of network restrictions.

On the client, Patch Manager requires no user input. The BigFix Enterprise Client has virtually no impact on system performance while it checks for new relevant Fixlet messages or applies actions to client computers. In most cases, patches and updates are applied without user knowledge or intervention. In rare cases, where user input is necessary or desirable, the IT administrator can post a message to inform the user of a pending action and request assistance. Thus, the administrator has control over user involvement.

The Fixlet writing function allows you to create and enforce policies across the enterprise, with the same ease and relentlessness as patching. Let’s say you don’t want your users to install Kazaa and tie up company bandwidth downloading mp3 files. You can write a simple Fixlet that will go out and hunt it down and remove it. And it will keep on doing this until the employee with Kazaa fixation either gives up or gets fired.

BigFix Patch Manager 3.0 is an excellent product with an elegant and extensive architecture and richness to its design. At the same time, it’s the most expensive of all the solutions in this roundup. In a vast enterprise with a substantial IT budget, this is not a real problem, and the expense is easily justified. In a small enterprise, the extra cost may be hard to justify, making it necessary to turn elsewhere.

Ecora Patch Manager 2.0
Yes, you read right. There are two Patch Managers being reviewed. Life got more complicated when Ecora’s PatchMeister became Patch Manager 2.0 (reviewed here); and by the time you read this, it will have morphed into Patch Manager 3.0, further confusing it with BigFix’s Patch Manager 3.0.

Patch Manager is the evolution of Ecora’s free patch management tool released last year. Patch Manager is part of Ecora’s Total Configuration Management platform, which includes Enterprise Auditor 3.0. The platform, which uses an agentless architecture, includes features such as cross-platform configuration reporting in Enterprise Auditor, support in Patch Manager for Microsoft Terminal Services and the ability to push patches to SQL and Exchange servers.

Patch Manager 2.0 requires NT 4.0 with SP4 (either Workstation or Server), Windows 2000 or XP. The Remote Registry Service must be enabled. The machine should have at least a 500MHz CPU, 256MB of RAM , Internet Explorer 5.01 SP2 or higher, 35MB of free disk space available for software, as well as sufficient disk space for the patch repository.

Obtaining and installing an evaluation copy of Ecora’s Patch Manager isn’t straightforward. First, I downloaded the product from the Ecora Web site, then I started the installation process. In the midst of that I had to stop and go online again to “create an Ecora account.” OK, why not? Creating an Ecora account appears to be primarily aimed at providing a lot of demographic information (which you can’t not provide), including your e-mail address. But that’s not all. I had to go to my e-mail account and get my super-secret user ID and password. My classified ID is my e-mail account and my password, a randomly generated series of letters that can be changed. Armed with that I could finally finish installing the product, a good 10 to 15 minutes after starting—content in the knowledge that Ecora has lots of marketing related information about me.

After that 15 minute demonstration of why process improvement gurus have jobs, I was expecting installation to be a tedious and laborious process with lots of fits and starts. It wasn’t.

The program is user-friendly and intuitive. The company has reason to be proud of its patent-pending 3-D Patch Views, which allows an administrator to quickly see all missing patches in the environment by machine, application or a particular patch. You can also view the scan analysis by host, application or patch for a quick snapshot of what needs to be resolved.

Patch Manager 2.0 allows user-defined grouping of servers and workstations so analysis or installation can be done by departments, machine types, time zones and so on, as shown in Figure 2. Service packs and hotfixes can be deployed interactively or on a scheduled basis. Either way, the admin simply has to identify groups or individual machines and select one or more patches; Patch Manager automatically installs patches on the specified machines.

Patch Manager uses both registry checks and file integrity checks to validate if service packs or hotfixes are installed, not just remote registry checks. This eliminates guesswork and helps ensure the accuracy of the patch status analysis.

Ecora Patch Manager
Figure 2. With Ecora’s Patch Manager, you can define groupings of servers or workstations, tailoring a solution to your particular situation. (Click image to view larger version.)

Patch Manager can be configured to send an alert via e-mail, SNMP or event log when new patches come out. It also provides automatic information regarding all critical events such as patch push failures, security lapses, and so on. It dynamically updates its database of patches, meaning that subsequent analyses of the environment are performed with the most current patch information.

Patch Manager creates HTML reports for easy printing. The reports can also be exported into a CSV file for further manipulation in Microsoft Excel and other tools.

Patch Manager 2.0 does everything it says it will, but the agentless architecture makes it best suited for smaller networks. Deploying clients may not be an administrator’s favorite job, but the payoff is well worth it in scalability and overcoming excess network traffic.

Patch Manager 2.0 is an adequate product, but its rough edges gave me pause. The release I evaluated included a reporting tool that felt tacked on. There was no policy manager function to allow the setting and enforcement of patch policies or the designation of machines to which to apply the appropriate patches. Patch Manager 3.0, which came out as I was wrapping this review, appears to address some of these issues, if the press releases are accurate.

Version 3.0 will include a reporting center, where admins can run reports to better manage on-going enterprise-wide patch activities. Additionally, you can create reports for management to demonstrate what systems have been patched, where missing patches may exist and whether systems are in compliance with corporate standards.

A Policy Manager feature allows you to set and enforce patch policies that describe what systems to scan and patch, how to scan and apply the appropriate patches, and when to scan and patch each system. Once policies are defined, you can automate the patch analysis and remediation process and schedule patching to occur at the optimal time.

GFI’s LANguard Network Security Scanner (NSS) is a leading security scanner that incorporates patch management. Security scanning and patch management fit well together; using one tool to do both makes the process more intuitive and manageable. NSS works in conjunction with Microsoft’s Software Update Services (SUS).

SUS is a free patch management tool that’s essentially a version of Windows Update intended to run on a network, with each workstation connecting to the SUS Server instead of Windows Update. It’s the marriage of the two products that provides NSS with much of its patch management capability.

NSS requires Windows NT 4.0 SP 6, Windows 2000 or Windows XP Professional and Internet Explorer 5.1 or higher. A well constructed wizard walks you through the installation process, and in no time you’re up and running. However, if you want to use NSS for patch management, GFI strongly recommends that you install Microsoft Software Update Service Server first.

NSS can deploy service packs, third-party software patches and clients, and Microsoft application patches and service packs for Office, SQL Server, Exchange Server and ISA Server. It can also deploy third-party software patches and clients and check that all patches have been installed correctly. SUS alone does none of these things.

Scanning the network requires that the user either enter the IP range directly at the top of the scanner interface or use the Scan Wizard to specify which computers to scan. You can scan domains, specific computers or an entire IP range. One of the nice features of NSS is that it groups all vulnerabilities into separate nodes, allowing users to expand only the information they wish to view.

Once the network scan is complete, missing patches and service packs are detailed under the Alerts node. Right clicking on a patch or a service pack allows you to deploy the missing service pack or patch to a particular computer or all computers. A “deploy patches” dialog allows you to specify what patches to push out to what computers.

After you specify what patches to push out, NSS creates a list of service packs and patches that need to be downloaded to the NSS download directory. You can also create a report listing all missing patches and service packs.

Other nodes include Netbios names; trusted domains; shares; local users and local groups, services, password policy, registry, hot fixes and open ports. This variety of nodes underscores NSS’ principal roots as a security scanner with patch management capabilities added in.

Using NSS is easy and the documentation is excellent. NSS was slower than the other products at scanning and patch deployment, but it’s unclear whether the cause was SUS or NSS. Reports were clear and easy to use. (Figure 3 shows the product in action.)

LANguard Network Security Scanner
Figure 3. LANguard Network Security Scanner combines a network scanner with patch management. (Click image to view larger version.)

While NSS excels at security scanning, it seems to lack the same zip for patch management. In fact, I had a vague sense throughout that patch management was sort of an afterthought tacked on to the product. The security reports could be better looking, and there’s currently no way to store past scans in a database. Still, this is an adequate product for a small network with limited resources and a desire to combine security scanning and patch management.

PatchLink Update 4.0
A year ago, I reviewed PatchLink Update 3.0 and gave it good marks for being a high quality patch management program. So when I received Patchlink Update 4.0 to review, I met it with mixed emotions: It was like greeting an old friend, but with a bit of trepidation as to whether she had changed. And then while I was in the midst of the review of Patchlink Update 4.0, the Scottsdale, Arizona-based company announced PatchLink Update 5’s imminent release and sent along a beta.

Patchlink Update requires Windows 2000 Server (with Service Pack 2 or higher), plus 256MB RAM, 5GB disk space and a 500MHz processor. Software requirements include IIS and an Internet connection. PatchLink recommends running it on a dedicated computer. In addition, the system can’t have SQL Server running, nor can it be a domain controller. The software does work on a member server. During the process the installer moved quickly and smoothly, even doing a system check to ensure minimum requirements have been met.

Upon completion, the system needs to be locked down, and PatchLink is quite serious about assessing the entire system for security and patch status, strongly urging disabling or turning off unnecessary Windows and network services (such as Remote Registry and Microsoft File and Print Sharing, closing unnecessary TCP/UDP ports and so forth. The installation process sets up a Microsoft Data Engine (MSDE) database, which can be upgraded to a full SQL Server after installation—strongly recommended for large networks.

PatchLink Update 4.0 uses a pure agent architecture. Installation was smooth for both the server and agents, with three methods to choose from: single agent install, multiple agent rollout and a network login scripts distribution. Clients need to have an OS at least as recent as Windows 95 OSR2 with Internet Explorer 4.01. Update Agents are available for NetWare as well as Win2K, NT, Windows 95/98/Me/XP, Unix/Linux, and Java environments.

PatchLink includes an inventory system and subscription service to keep an organization’s patches up to date. It does for Novell Directory Services and Active Directory what Windows Update does for the Windows desktop: It detects software product versions on all networked systems and provides the means to correct them (Figure 4).

PatchLink Update 4.0
Figure 4. PatchLink update tracks patches from Microsoft as well as non-Microsoft vendors. (Click image to view larger version.)

The patented Discovery Agent can detect patch fingerprints across different types of computers connected by nothing more than your existing extranet. PatchLink, the company, monitors Microsoft and other vendors, such as Citrix Systems and Adobe, for newly released patches. It then tests the patches, places them in its proprietary package format and deploys them to customers’ local PatchLink servers over a Secure Sockets Layer at an administrator-set time.

PatchLink automatically caches critical patches on the update server, a marked advantage over agentless products. Non-critical patches are downloaded at the administrator's request. Patches are rolled out using a Web-based distribution system. The Update Agent communicates exclusively via Web protocols, even through a proxy server, if necessary. This means you won’t need to open additional holes in your firewall to update computers scattered around your company’s extranet.

Administrators connect to the PatchLink server through a Web interface—a management method that lets them view reports, deploy packages, create packages and view system inventory. Administrators also have the ability to configure groups of machines with baseline patch settings. If a computer in the group is missing any patches defined in the baseline set, they’re automatically installed on the computer. PatchLink also allows administrators to create their own patches out of the box, enabling them to issue registry changes or distribute software.

In addition to deploying patches, PatchLink also inventories the hardware and software installed on a system and can aid in monitoring licensing levels. If a patch is removed from a machine because of a new application installation or because the operating system was reinstalled to an older configuration, the agent will alert the management console about the missing patches. Conversely, if a patch is found to be defective, the admin can uninstall it.

In terms of disaster recovery, if something happens to the system, you can build a new machine with the same name and reinstall PatchLink Update on it. All the agents will report in as if nothing happened. Administrators will lose historical deployment data, but they won’t have to reinstall all the agents.

PatchLink notes that it’s imperative to test all patches before rolling them out and that the company will only guarantee what the manufacturer says about the patch. Once a patch is tested, it can be sent automatically with a single click.

PatchLink Update 4.0 proved to be every bit as good or even better than its noteworthy predecessor, and still remains a solid, reliable product that has a deserved reputation as a leader in the field.

PatchLink Update 5.0 adds Windows Server 2003 compatibility and also provides user management functionality defined as "role-based administration"; fully customizable graphical reporting; and the ability to assess patch compliancy by groups of computers, application or severity. Role-based administration gives you the ability to designate who is permitted to release patches and updates throughout an entire organization—and how. Fully customizable graphical reporting based on the Microsoft .NET framework and powered by Crystal Reports facilitates an IT administrator's responsibility for justifying patch compliance and provides an effective method for briefing management on an organization's current patch status and/or network vulnerability.

PatchLink Update 6.0, planned for an end-of-year release, is targeted at providing security and reducing vulnerabilities on hubs, routers, switches and PDAs, as well as “obsolete” firmware.

St. Bernard UpdateEXPERT 6.0
St. Bernard’s UpdateEXPERT 6.0 (Figure 5) addresses the issue of patch management architecture in an interesting way. It’s the only product that addresses the problem of choosing between agent-based and agentless architectures by allowing the user to select the method.

The rationale is that this hybridization (or duality) provides support in situations where there’s a need to manage servers and workstations that are isolated or otherwise locked down but still require an agent. In these situations, an agentless solution can be deployed for most workstations, with the optional client agent deployed on the locked down machines. UpdateEXPERT uses Remote Procedure Calls (RPC) to manage machines for systems not using client agents. With the agent, it’s possible to throttle bandwidth and distribute the workload back to the managed machines.

St. Bernard's UpdateEXPERT
Figure 5. St. Bernard’s UpdateEXPERT is the only pro-duct in this roundup that gives admins the choice of agent-based or agentless configurations. (Click image to view larger version.)

UpdateEXPERT requires NT 4.0, Windows 2000, or XP Professional on a Pentium Class machine with a meager 32MB of RAM. The Console and the Agent Installer require that Internet Explorer 5.x or higher be installed. When the Console or Agent Installer runs on NT 4.0 systems, Service Pack 4 or higher must be installed. Disk space requirements vary depending on which components of UpdateEXPERT are installed. But you can generally get away with a paltry 25MB on the machine that is doing all the work and maintaining the local patch repository.

The components of the product that can be installed are the Console, the Master Agent, the Leaf Agent and the Agent installer. Installation is straightforward with the usual options, including whether to perform a typical install or a custom install. The latter allows you to install the Console and Master Agent independently, but will always put the Agent installer on your machine.

During my testing, installation was smooth and without incident.

As with all the other products I evaluated, UpdateEXPERT enables the identification of patches and available fixes, scanning workstations and servers and deploying them to any number of networked machines, validating the process. Essentially UpdateEXPERT determines what software patches are applicable and which ones can be safely implemented for each system and then “pushes” the remediation process by deploying updates out to individual workstations.

The process is fairly straightforward. The system administrator chooses what machines to manage. UpdateEXPERT discovers the patch levels for the machines’ OSs and applications. Using a user-defined list of required patches, UpdateEXPERT compares the individual system’s software patches against this baseline of required patches and produces a conformance report. Then it accesses the patch management database maintained in support of the product, identifies what updates are applicable and which ones can be safely implemented given the configuration of the total system and the repairs being considered.

The program offers recommendations on how to update the machines with patches and warns/prevents “impending doom” due to mismatches, missing prerequisites and the like. UpdateEXPERT automates the patch management process of managing and deploying updates out to individual workstations and servers. Remediation can be customized by department or by individual workstation or server or configured to begin after hours.

After all this is completed, UpdateEXPERT, validates the process and delivers “executive” and conformance reports based on a user-defined set of required patches (baseline) and a summary of action taken during and after remediation.

St. Bernard engineers maintain an Internet-accessible “metadatabase” of patch information and instructions. The database is sophisticated enough to build tailored scripts and an update itinerary for each software location.

There’s a clever integration of a Web site into UpdateEXPERT so that its own expertise (and knowledge of the location of reliable fix resources) is kept up to date. This helps the product organize and streamline the job to avoid errors and omissions. It also keeps the administrator aware of time-critical changes, emergencies and vulnerabilities that may have been missed or require significant research. It presents the status of each station and each server (in terms of updates and vulnerabilities) in a clear format. It notes exceptions, creates relevant scripts and where possible actually installs fixes through the network, tests and validates them, and records the results in its database (which can be interrogated by the administrator at any time).

St. Bernard also deserves an extra- large 24-carat gold star for its excellent documentation. It’s well-written, clear, concise and extremely useful. The online help is also clear and well-organized.

UpdateEXPERT has a few flaws. First is its limited scope—it’s Microsoft-centric and doesn’t support other platforms. Also, while combining agentless- and agent-based architectures in the same product sounds like the best of both worlds, it really doesn’t solve the inherent flaws in agentless architecture vis-à-vis large networks. Trying to keep track of which system is using which methods is an extra administrative task that doesn’t add much value.

For UpdateEXPERT to establish itself as a major player in the field, it needs to go beyond Microsoft and come to a decision about architecture. Having said that, I would strongly urge anyone responsible for choosing a patch management product for a small Windows network hosting only Microsoft applications to thoroughly evaluate this product. There’s a depth and richness here waiting to be discovered.

Shavlik HFNetChkPro Enterprise 4.0
HFNetChkPro 4.0 is the enterprise version of the HFNetChk utility provided free by Microsoft. The enterprise edition adds a management GUI and the ability to push patches out to systems. The architecture is agentless. Installation takes only minutes, with minimal difficulty. System requirements include Microsoft Data Access Components (MDAC) 2.6 SP2 or later, Windows Installer Version 2.0, XML Parser 3.0 SP2 and Jet 4.0 SP3. If any of these components are missing, the installer informs you and provides a link to the Microsoft site to access them.

HFNetChk Pro uses the base HFNetChk engine, which is based on the XML and cabinet (CAB) files Microsoft maintains, to determine which patches are installed and which are missing from the system. Shavlik also has added its own information to the XML file, such as information pertaining to patches and vulnerabilities in MDAC and Java Virtual Machines. When checking for missing patches, HFNetChk Pro uses a combination of checks, including file versions, checksums and registry keys. HFNetChk advises you in its reports of any errors.

As Figure 6 shows, the GUI is spectacular, as is the scan configuration wizard. You have the option to scan one machine, one domain, multiple machines, multiple domains, IP address ranges or variations thereof. You can create a text file listing what should be scanned and import that data into HFNetChk. Scans can be named and listed in the favorites section of the program, which is used to store frequently used scans, for easy launching. Scans also can be scheduled to run periodically.

HFNetChkPro reports on necessary (or required) patches and/or explicitly installed patches. You also can customize thread settings that control how much network traffic the product creates.

There are also automated find-and-fix features that control what machines are scanned and how patches are deployed. In addition, the success of patch installation for each server is tracked. After deploying patches, HFNetChkPro rescans the network to ensure they’re installed correctly. The new PushPatch Tracker shows in real time what’s happening on each server being scanned. This is a major improvement over the previous version’s static console that only showed final results.

Shavlik's HFNetChkPro
Figure 6. Shavlik’s HFNetChkPro has a great-looking, highly informative GUI. (Click image to view larger version.)

Newly added templates let you customize scans by groups of servers or products. The program includes tools that permit you to assess the vulnerabilities addressed by new patches.

After HFNetChkPro deploys patches, it rescans the network to ensure the patches installed correctly. Servers that accepted the patch without problems are displayed in green, while servers that experienced problems are displayed in red.

Guarding against information overload, HFNetChkPro allows administrators to display patch data and advisories based on their severity rating and criticality. Even with this filter on, the system will issue reminders about low-priority patches and routine maintenance updates.

HFNetChkPro also adds a new feature that collects security bulletins and advisories from primary and third-party sources. It's an interesting feature, but it's unclear if it adds value since providing a plethora of opinions doesn’t really help a user sort through the noise—which will only grow in volume as Shavlik adds more contributors to the system.

Patch management takes place through a drag-and-drop method whereby administrators can select a group of computers or IP addresses, drop them on an icon that represents a rule, such as search for a particular patch, and install it if it is missing. The tool works in conjunction with Shavlik's new PushPatch Tracker, which shows in real time what’s happening on each server being scanned. This is a major improvement over the previous version’s static console that only showed final results.

Patch deployment can be performed with a mouse click. One patch can be shuttled out to all necessary systems, or all patches required on a single system can be deployed. The software downloads the patches from Microsoft and stores them in a selected location. The patch to be installed is copied to the target machine and installed at the scheduled time. You can control system reboots and shut down SQL or IIS servers, backing up files for uninstall or using quiet mode for installation. When deploying multiple patches to a single machine, HFNetChkPro creates a batch file for deployment and uses the Microsoft-supplied utility Qchain.exe to install all patches at once with only one reboot.

You can generate reports by machine, patch, operating system, machine detail or missing service packs. Documentation was adequate, though occasionally I found some of the help functions a bit obscure.

HFNetChkPro 4.0 is a good product but it doesn’t belong in the upper tier of solution options. One reason is the agentless architecture, and the other is that it’s built for Microsoft-centric environments and seems designed only for security patches. If you’re looking for a simple patch management application that’s fairly sophisticated for a small network, this is definitely a product you should look at; but if you have more, you’ll need to look elsewhere.

Making the Choice
So, which product should you select for your own patch management needs? If you’re working with a dynamic network containing hundreds or thousands of nodes and a constantly-changing architecture, you should look at the agent-based products, BigFix Enterprise and PatchLink Update. Of the two, BigFix is best for the larger environment (>10,000 nodes) but has the largest price tag. Patchlink Update has an excellent interface and a long history of incremental improvements that keep it at the forefront, which is why I’m partial to it. Smaller networks may benefit from the relative simplicity and central management of agentless products. St. Bernard’s UpdateEXPERT and Shavlik’s HFNetChkPro are the leaders here, though there are other worthy contenders.

The bottom line, though, is that if you’re responsible for protecting a network of any size from the thousand perils on the Internet, you need to get a patching strategy in place. Using any of the products in this roundup is much better than just hiding and trying to pretend the problem doesn’t exist. Not doing something about patching is tantamount to criminal neglect.

comments powered by Disqus

Reader Comments:

Sat, Sep 18, 2004 Anonymous Anonymous

Still impressive a year later -- will there be any updates

Mon, Jan 26, 2004 Marc Phoenix, AZ

As a matter of fact, if you don't mind bringing your network to a crawl, feel free pushing 10,000 patch updates over your network at the same time. Also without agent's you loose control of your management. I believe the author did a good job of positioning these products. For those thinking SUS is the answer, well its free,...but so is the worm it lets through your non-Microsoft Patches. It only patches MS (currently win 2k and above), no MS Office, SQL Server IIS, etc (yet)., No software deployment other than patches, No agent to help distribute bandwidth, no reboot control, No disaster recovery, etc. PatchLink does all of this, is not as expensive as SMS or Big Fix, and even tests the patches and adds a signature and fingerprinting to make the patches tamper proof, then checks to make sure the patch is compatible with the systems before deployment. SUS does non of this and I've read many message boards that say SUS allowed an incompatible patch to be installed. Don't forget to do your homework, but make sure you look at the real patch management companies like PatchLink or Big Fix etc. Band Aid products aren't worth it.

Fri, Sep 5, 2003 Rob Missouri

Great review, however, we're going to wait for SMS 2003 and it's built-in patch mangement for Office/OS etc. Due for release ~Nov 11th.

Thu, Aug 21, 2003 alpero turkey

I agree with "7/29/2003: Mike from Seattle".

Tue, Aug 19, 2003 Dan Sacramento

Well done. I have some concerns about Patchlimk's security model, but it and BigFix have a good handle on a key problem. Thanks to BF we had the patch in place when MsBlast hit the other day!

Thu, Aug 14, 2003 Ben New Orleans

I've used HFNetChk and Update Expert and both have 'failed' to install patches where they've given me positive reports. I will definitely have to check out PatchLink. Agents are definitely the way to go for 'assured' deployment. Good overall review of options.

Sat, Aug 9, 2003 PatchGuy Connecticut

Well done. Really like the details. Agent based is the way to go for larger networks. I do feel BigFix's fixlets are superior to PatchLink's "anti-patch" solution though.

Tue, Aug 5, 2003 Jack H. TX

Excellent article. Very well presented. We have been continuously evaluating Patch Management tools since February and we have evaluated Shavlik, Update Expert, PatchLink Update and BigFix. It seems these companies are copying each other’s marketing messages . The information regarding removal of any application such as Kazaa which was called Anti-Patch was first described to us by PatchLink in February which we intent to use. PatchLink seems to work well for us. We have about 329 server and 6730 workstation.

Mon, Aug 4, 2003 Anonymous Anonymous

Fantastic and informative review - right on in regards to PatchLink Update -- an excellent PM tool for the enterprise with cross-platform capabilities that make it security must for both large and small organizations.

Mon, Aug 4, 2003 Jon CA

The 3 comments made by the 3 stooges (being 'John Mazzola', 'Will', and 'WHAT') are ridiculous. First of all please if your going to comment on a technical article, spell your comment correctly so all can read it. Secondly if you haven't tried the agent based architecture you have no room to talk. It is the single MOST accurate architecture available. If you care more that you have an easy install then a solid patch management solution then disregard this and return to your agent-less mess.

I thought the article was well done, and after testing both agent-less (shavlik) and agent based (PatchLink) I am completely sold on agent-based architecture. It is accurate, and does not consume precious network bandwidth like the agent-less versions. The install does take longer, but once your set up, you can rest assured you will not be dealing with false-negatives and false-positives on your network patch status.

Mon, Aug 4, 2003 GW Anonymous

John M. I do not understand your comment. Agents allow you to manage from ONE central location. Even the agents, in PatchLink Update, can be deployed from ONE central location.

Mon, Aug 4, 2003 WHAT NO SMS/SUS???

You have got to be kidding me, you don't include the SMS Security Update Inventory Tool (part of the SMS feature pack)?? Shame on you!

Fri, Aug 1, 2003 John Mazzola CT

Poor review! The whole point of patch management is so that I can manage patching from one central location instead of using agents as you say.

Fri, Aug 1, 2003 Will Anonymous

Deplying an agent to patch pcs? Its quite cleat that the reviewer has never managed a network!

Wed, Jul 30, 2003 Ted Anglace Portsmouth NH

As the product manager for Ecora, I appreciate being included in this review but I have to respond to the statement that "...agentless architecture makes it best suited for a smaller network of no more than 100 or so nodes." Ecora has plenty of customers who are using Patch Manager on much larger networks. It is not clear if the author actually tested the products in a large environment, but if not, then it is not fair to cite scalability metrics for any of the products.

I also believe that the accuracy of the scanning engine results should have been analyzed in more detail. If scans are not accurate and trustworthy, the product features are of minimal value. Thanks!

Wed, Jul 30, 2003 Bill G Redmond, WA

Use SUS!!

Tue, Jul 29, 2003 Mike Seattle

What kind of review is this? I can get the same information from reading the vendor websites? How about testing each product to ensure that they do what they say they do? I'm sure some products are better than others when it comes to finding and deploying missing patches. Please help us out - do a technical review and let us now which products actually detect missing patches properly and which products are able to install and rollback the same patches.

Tue, Jul 29, 2003 Joe Atlanta

I thought your review of the security patch market was decent, but your conclusion was way off. I manage a very large network and I do not want to install agents -- way too time consuming.

Tue, Jul 29, 2003 Anonymous Anonymous

OK - so who wants to install 10,000 agents to push critical patches? Agent-less does not work for just small networks

Tue, Jul 29, 2003 allen black texas

nice article... i agree with the idea of last year's nice-to-have to this year's must-have status... it is an important part of a security policy...

I would have really like to see a chart or something that breaks down the products with a grade & a summarized list of pro's & con's... most assessments have this in addition to the good information provided.

Tue, Jul 29, 2003 Anonymous Anonymous

Thanks for the great article. It would have been good to also include Microsoft SMS 2.0 with the relatively new add-on, Software Update Services (for SMS). This is part of the SMS Feature Pack.

Mon, Jul 28, 2003 Joe San Diego

Awesome review! I just finished an evaluation process of my own for my company with four of the products you reviewed and I decided on Patchlink. It is a comprehensive solution that fits our midsized company's need well. I must admit that I was skimming your article quickly to see if you came to the same conclusion! Thanks for helping to affirm my decision.

Mon, Jul 28, 2003 Anonymous Anonymous

Great review

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.