REVIEW: Shavlik NetChk Protect 7 Provides Patch Management, Anti-Malware in a Single Tool - Friendly Management Console GUI
The management console GUI is extraordinarily friendly. The home page shows
summary stats for the monitored machines; an RSS feed of security patch-related
news down the right-hand column; and common tasks, such as Scan My Machine and
Scan My Domain, across the top. The left-hand column contains buttons to manage
agent policy, patch templates and deployment templates, as well as some nifty
interface innovations.
With Favorites, any task can be saved by right-clicking it and choosing Send
to Favorites; repeating the action takes a mere click. Recent scans, reports
and deployments are listed like the history in your browser, in a section
called Recent Items.
Patch management options are, in a word, fantastic. This mature product
makes Microsoft’s WSUS (Windows Server Update Services) look like a
kindergarten toy. It was extremely easy to configure the console to check
for new vendor and custom patches, download the patches, scan machines to see
if the patches were needed, and deploy the patches based on criticality.
Any variation on this, including a hierarchical distribution server system,
can be configured through the combination of Patch Scan Templates, Patch
Groups, Machine Groups and Deployment Templates.
Agentless scans are a good way to quickly assess what’s going on in your
environment, but for full functionality, it’s best to install the agent. The
agent can be pushed from the console, deployed via log-in script or installed
manually.
Shavlik makes patching virtual machines about as easy as it can be. Point
the console at vmx files, provide the proper credentials, and Protect 7 will
scan and patch them just like a physical machine. In fact, Protect 7 makes no
distinction between a physical and virtual machine. The only flaw in this model
is that if a virtual machine changes power state between scans, the console can’t
find it until you rescan. Given that most patches require a reboot before
being applied, manually keeping track of the power state of your VMs rapidly
becomes a chore.
The big news in Protect 7 is the addition of the Sunbelt VIPRE anti-malware
engine. In my testing, the anti-malware capabilities were excellent, although
management could be improved. I installed the agent on a Windows XP Pro SP3
machine that was riddled with malware. After using Protect 7, everything except
the pernicious CoolWebSearch was detected and quarantined immediately without
affecting system stability.
I deployed a restrictive policy and then attempted my usual test malware
downloads and installations. Of the 20 threats, only one could be installed,
and it was removed after reboot. Although the agent was configured to scan
archives (.zip), I could download viruses in archives. However, I was stopped
when I attempted to install them. When you configure NetChk Protect 7 to lock
down a workstation, consider it locked down.
Yet, there was something absent from anti-malware support. Perhaps I only
noticed it because every aspect of patching is so well-managed, but
anti-malware felt not quite fully integrated.
First, you can’t actually do anything with anti-malware from the
console. You can only establish a policy to take action on a machine
running the agent. This is in contrast to patching, where you can right-click a
missing patch and deploy it directly.
Second, configuration changes made from the agent (such as allowing a
specific program to run) are neither reported to nor manageable on the console.
Third, there was a lag between threats being reported and threats appearing
in the console home page Top 10 Threats list. I could scan a machine, find a
threat and see that the threat was found in the threat report. However, the
threat wasn’t registered in the actual management interface until I closed and
reopened the interface.
Protect 7 quickly generates informative and easy-to-read reports. My only
disappointment was that I could not get a single report containing both
detailed patch and threat statuses.
Protect 7 does offer very strong e-mail and export features. I could
right-click on any report and choose to e-mail it to a variety of people, or
schedule reports to be automatically run and e-mailed. I was extremely pleased
to find that the product supports secure e-mail with SMTP authentication.
Matthew D. Sarrel is executive director of Sarrel Group, an IT test lab, editorial
services and consulting firm in New York.