Rolling Review: Shavlik Technologies NetChk Protect 5.9

Shavlik hits a patch management high note with its robust NetChk Protect. When we launched this Rolling Review we cited automation of the patch process, strong change control and the ability to use bandwidth wisely as key decision points, and NetChk delivers well. The scheduler can handle both discovery and deployment of patches as well as continually scan systems for patch compliance, and we could stage a master version of Office. We were also kept well-informed thanks to its ability to generate Microsoft Baseline Security Analyzer-formatted output for scan results. By adding Shavlik's Distribution Server option, IT can control when patches are distributed to target machines. However, companies with Unix or Linux boxes will need to supplement NetChk.

Shavlik includes a patch repository that is checked prior to all scans, enabling NetChk to keep current with the most recent patches. The repository automatically updates Microsoft security- and non-security-related patches within 24 hours of release. Repository connections and the validity of patches applied by NetChk are verified by digital signatures, and communications between host and client machines use secure protocols. Patching of our test VMs was seamless.

Other features time-strapped IT groups will appreciate include the ability to set up automated e-mails of scan or deployment results, a choice between agent-less or agent-facilitated patch deployment, transparent support of virtualized systems, and spyware discovery and remediation. These are small features, but they show a level of maturity and over time will make a difference for organizations that must automate as much of the patch process as possible, yet still want to feel confident with results.

For those who must keep detailed security records, we found reporting both comprehensive and flexible. Reports are generated from scanning and patch deployment results and could be arranged and grouped in multiple ways. We used some of the default reports after our scan to gauge the success of patch distribution by severity and the rate of scan successes. Reports are easily exported into a variety of formats, including PDF, HTML, CSV, and RTF.Let's Get Scanning

NetChk supports most enterprise-class Microsoft OSes and applications, including Office, Exchange, Visual Studio .Net and SharePoint. We found NetChk's agentless option extremely compelling. All capabilities are available—we executed complete scanning, patch installation and removal, and spyware discovery and remediation from the management console without installing any Shavlik software on target machines. Agents are available at no extra charge for environments where connectivity may not be present at all times.

There's also a built-in feature to patch target Office suites to bring them in line with one specified master Office installation, rather than applying patches as they're released. This is useful for companies whose policy is to build and test patches prior to massive deployment—always recommended. When you're ready to deploy patches to target machines, network usage can be moderated by reducing the "copy speed" setting. We would like to see the company add the ability to delay copying of patches without the use of Distribution Server. While we could define when a patch would be applied, it will be copied to target machines immediately. 100% Windows

Unfortunately for those whose networks include Linux, Unix, HP or other platforms, NetChk supports only Windows OSes and applications. It also does not include antivirus capabilities. Note that many antivirus products have patching and updating as core functionality, but this generally results in two separate systems that IT needs to monitor for patch and compliance reporting.

Installation on our server was a breeze, but the initial network scan took some configuration. The native XP firewall initially blocked the console from being able to scan our XP boxes, and even after opening the port, Simple File Sharing needed to be disabled in order for NetChk to be able to log in with appropriate rights to scan. Solutions to both these issues were found on Shavlik's forums.Setting up the first scan was simple. Targets may be defined by hostname, IP, domain, and Active Directory organizational unit; we also had the flexibility to ignore select target machines and to define groups and sub-groups from any combination of the above criteria.

Upon successful scan of our Windows test environment, analysis of the results was clearly presented and easily acted upon. We could view missing patches either by machine or across the entire scan and arrange them by patch number, product name, severity and frequency of occurrence. We could also see which ones are able to be uninstalled.

For deployment, we could select patches manually or use context menu options to install all patches, or all critical patches. Once deployment content is specified, we moved on to method of deployment, choosing now or later, rebooting before and/or after the patch, copy speed, use of distribution centers, e-mail results notification, and so on. In testing the copy speed, we noted a difference between setting 1 and setting 5 for a 12 MB patch, so bandwidth throttling does work. But even larger tests didn't spike network usage enough to be noted on our network traffic monitors we have set up, so no specific metrics were gathered to quantify throttling. However, when we attempted to defer a deployment for later, we observed NetChk copying patch files immediately upon scheduling, not at the scheduled time. Shavlik told us that this behavior is designed to ensure patch availability at scheduled deployment time and avoid delays in deployment due to lags in copying.

Results of the deployment clearly showed when patches failed and in testing also listed a suspected cause for failure. Removal of an installed patch worked flawlessly. NetChk Protect pricing for 300 Windows machines plus 300 VMs running Windows was $19,200, including one year of maintenance.

Michael Biddick is with Windward, a firm that helps organizations improve it operational efficiency. Michael is also contributing editor for Network Computing/Information Week. Write to him at [email protected].0