Kill Two Birds with One Stone
NetChk Protect combines the functionality of Shavlik's patching and anti-spyware tools in a single console.
There are two ongoing and inescapable tasks that any network administrator must face -- patch management and spyware prevention. Both are as essential as they are incessant.
If you aren't diligent about applying software updates, you open your network
to security vulnerabilities on out-of-date machines. Waiting a few months to
patch a machine can mean the difference between being hacked and being secure.
Last year, Gartner Inc. predicted that 90 percent of all Internet attacks during
2005 would be against previously patched security holes.
You could set your machines to automatically install all updates from the Windows update site, but that may cause more problems than it solves. This approach doesn't allow for testing, which is essential -- especially in larger environments. It's one thing to have a “bad” patch take down 20 users. It's quite another when that same patch takes down 2,000 users. A tool that automates patch management and facilitates testing is a must.
Keeping a diligent eye on spyware is just as critical as timely patch management. Spyware that sneaks onto your systems can gather personal information about your users' Internet habits, and relay that to advertisers who bombard them with targeted pop-up ads. It can also kill productivity due to computer instability and unbearably slow network performance.
Most anti-spyware products manage one machine at a time. You install the client
and configure it locally on each machine, then check in continually to make sure
updates and scans are occurring as they should. Managing spyware this way will
work, but it's inefficient to say the least. In larger environments, it's virtually
impossible. Shavlik's NetChk Protect gives you a central console with which
to manage both patching and spyware prevention for all of your machines.
Figure 1. From the NetChk Protect console, you can choose which machines to scan and whether you want to scan for spyware or patch status.
NetChk Protect works simply and automatically. It will scan your Windows-based
machines and determine their patch status. Then it generates a status report
for each machine, which can be sent to you automatically via e-mail notifications.
Once you know which patches need to be applied, you can push them out immediately or schedule them for later -- during the evening or weekends. After patches are applied, you can reboot your machines automatically or manually.
NetChk Protect uses XML and cabinet (CAB) files maintained by Microsoft to determine the patch state of a machine. It compares the file versions on the computer it's scanning with the XML file versions. Depending on the type of scan being performed (quick scan or full scan), it may also compare the file checksums.
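The version-then-checksum comparison described above, sketched as an added example that is not code from the article, Shavlik or Microsoft. The manifest schema, patch IDs, file names and file contents are constructed for illustration, and the rule that a full scan compares checksums only when the version matches exactly is an assumption.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed manifest in a simplified, hypothetical schema.
# It is NOT the format of the XML/CAB files Microsoft publishes.
TEMPLATE = """\
<patches>
  <patch id="EXAMPLE-001"><file path="system32/alpha.dll" version="5.1.2600.2180" sha256="{a}"/></patch>
  <patch id="EXAMPLE-002"><file path="system32/beta.dll" version="6.0.2900.10" sha256="{b}"/></patch>
  <patch id="EXAMPLE-003"><file path="system32/gamma.dll" version="1.0.0.9" sha256="{c}"/></patch>
</patches>"""

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_version(text: str) -> tuple:
    # "6.0.2900.10" -> (6, 0, 2900, 10). Tuples compare numerically, so
    # build 10 sorts after build 9; a plain string comparison gets this wrong.
    return tuple(int(part) for part in text.split("."))

def patch_state(manifest_xml: str, inventory: dict, full_scan: bool = False) -> dict:
    """inventory maps file path -> (version string, file bytes) found on the machine."""
    results = {}
    for patch in ET.fromstring(manifest_xml).iter("patch"):
        status = "installed"
        for entry in patch.iter("file"):
            found = inventory.get(entry.get("path"))
            if found is None or parse_version(found[0]) < parse_version(entry.get("version")):
                status = "missing"
                break
            same_version = parse_version(found[0]) == parse_version(entry.get("version"))
            # Full scan: a file that claims the patched version must also hash correctly.
            if full_scan and same_version and digest(found[1]) != entry.get("sha256"):
                status = "checksum mismatch"
                break
        results[patch.get("id")] = status
    return results

# Constructed sample data: expected file contents and what one scanned machine holds.
ALPHA, BETA, GAMMA = b"alpha build 2180", b"beta build 10", b"gamma build 9"
MANIFEST = TEMPLATE.format(a=digest(ALPHA), b=digest(BETA), c=digest(GAMMA))
INVENTORY = {
    "system32/alpha.dll": ("5.1.2600.2180", ALPHA),                   # patched
    "system32/beta.dll": ("6.0.2900.9", b"beta build 9"),             # older build
    "system32/gamma.dll": ("1.0.0.9", b"gamma build 9 (altered)"),    # right version, wrong bytes
}

if __name__ == "__main__":
    print("quick:", patch_state(MANIFEST, INVENTORY))
    print("full: ", patch_state(MANIFEST, INVENTORY, full_scan=True))
```

The third file shows why the scan type matters: a quick scan accepts it on version alone, while a full scan flags that its contents do not match the expected checksum.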
NetChk Protect copies all patches to the target machines and uses Microsoft's Qchain.exe to install them all at once. This lets it deploy all patches with only one reboot. All scanning and patching takes place behind the scenes. The only thing your users will notice is whether or not a reboot is required.
The software offers four levels of patching, depending on which version you select:
- NetChk Patch, Basic Edition: This supports up to 500 machines, provides
limited reporting and can run up to 13 different scanning threads at once.
- NetChk Patch, Audit Edition: This provides all of the functionality
of NetChk Patch, Basic Edition. It supports an unlimited number of machines,
provides more robust reporting and can run up to 256 different scanning threads
- HFNetChkPro: This provides all of the functionality of NetChk Patch,
Audit Edition. It supports the SafeReboot feature, gives you access to different
schedulers, auto-deployment features and pre- and post-installation scripts.
You can export reports in a number of different formats.
- HFNetChkPro Plus: This provides all of the functionality of HFNetChkPro.
It also lets you deploy custom patches, supports a Microsoft SQL database
for storing those patches and can preserve bandwidth over WAN links by using
You have two general options to scan for spyware with NetChk Protect
-- console-based scans and machine-based scans. Console-based scans run over
the network from the console machine. This can cause a lot of network traffic,
but it works without having to copy anything to the target machine. A machine-based
scan copies an instance of the spyware scan engine to the target machine and
runs the scan “locally.” This improves the scan speed, as each machine is responsible
for running its own scan. Machine-based scans also dramatically reduce network
NetChk Protect identifies and categorizes instances of spyware based on its perceived level of threat. The software will kill any destructive or invasive processes associated with the spyware. It then deletes all associated files, folders and registry data.
You can also have the suspected spyware files quarantined in a secure area
if you wish to inspect them later. This also provides rollback functionality.
If a necessary program or file is inadvertently removed, you can easily restore
it from the quarantine area. Removing spyware may or may not require that you
reboot the target machine, but if so you can do it manually or automatically.
The interface for NetChk Protect is very straightforward and easy to navigate. For example, it first asks you what you want to scan. After completing the scan, it displays a summary report of what it found. Click on details, then right-click on the machine, group or domain that you want to patch and choose “Deploy patches.” You can choose to deploy all patches or certain patches based on their criticality level. At this point all of the patches are pushed to the selected machines.
Whether scanning for patch status or spyware, you can scan computers by
name, IP address, domain name or Active Directory Organizational Unit (OU) structure
(see Figure 1). You can also create machine groups and target your scans toward
these groups. This lets you establish a test group for safely and securely testing
patches before rolling them out to your entire network.
NetChk Protect supports network scanning of the following clients:
- Windows NT 4.0
- Windows 2000
- Windows XP (although you'll have to disable simple file sharing for the
scan to work properly)
- Windows Server 2003
To scan a machine -- any machine -- you'll need administrative rights to that machine (which shouldn't be a problem). You'll also have to start the Server service and the Remote Registry service, and enable file and print sharing. Finally, you'll need access to the remote machine over TCP ports 139 and 445, and the %systemroot% share (i.e. C$) must be accessible.
Installing NetChk Protect is a breeze. If your system doesn't have all the requisite software components, it will automatically download and install the missing pieces during setup. The readme file says that you won't have to reboot after installation, but I was prompted to reboot my laptop after installing NetChk Protect. It's always a good idea to do so anyway.
When I first started using NetChk Protect, I thought I might be doing something wrong because using it was so easy. Within an hour of installing the software, I had already scanned all eight of my machines for spyware and missing patches and deployed all the up-to-date patches.
I was also pleasantly surprised to learn that NetChk supports updates for more than just Microsoft products. In my testing, I was able to update my Adobe Reader and RealPlayer software as well.
NetChk Protect does a great job of keeping your machines clean of spyware and
up to date with the latest patches. If you're responsible for patch management
and spyware control for your network, you owe it to yourself to give it a try.
Chad Todd, MCSE, MCT, CNE, is the author of Hack Proofing Windows 2000 Server by Syngress Publishing. He is the co-owner of Training Concepts, which specializes in Windows 2000 and Cisco training.