Perhaps the most time- and resource-consuming task on IT professionals’ security to-do list is patching applications and operating systems. The rise in popularity of virtual machine technology only intensifies the issue.
Add to that the nightmare of malware. No longer simply a nuisance, today’s malware threatens personal, corporate and customer data, not to mention the havoc it can wreak on both physical and virtual machines.
Most companies deal with this by putting up strong defenses in the form of firewalls, anti-malware gateways and endpoint protection suites. In the event that a threat gets through, it’s more common to reformat and redeploy than it is to clean and reconfigure. And after a machine is redeployed, it needs to be patched.
Shavlik Netchk Protect 7 promises to solve both patching and malware issues with a single agent for each physical and virtual machine, as well as a single management console. For the most part, Protect 7 delivers, but several shortcomings disappointed me during testing.
Protect 7-which is priced starting at $40 per seat with volume discounts available-is a great patch management product, a very good client anti-malware product and an extremely user-friendly management console. However, anti-malware is not fully integrated into the management console, and I experienced some quirkiness with the management GUI.
The management console was stable on a Vista Ultimate 64 workstation, which is where I did most of my testing. I experienced scan result updating issues, and I had major stability issues on my initial Windows Server 2003 EE test machine.
There is a requirement, which I did not see in the documentation, that the management console not run on a domain controller. After I called to report the problems I was having, tech support informed me that “… the machine SID fails. When a machine becomes a DC it gives up its machine SID to be the Domain SID. For now, we have made it part of our requirements to not install the console on a DC.”
The instability made it impossible to test on Windows Server 2003. I lost agent configurations, and patch deployments were abruptly terminated. This seems too important a requirement to be buried on a list in the manual, but I technically can’t blame Shavlik because it was there. That said, perhaps it would make sense if the installation could check to see if it is being installed on a domain controller, or even the program could check when it starts. Anything rather than crashing every few minutes would be better.
Installing Netchk Protect 7 went as smoothly as could be. An installation wizard scanned my server for requirements (but not for whether the server was a domain controller), then downloaded and installed required components as needed. On first run, a setup wizard gave me the option to import old scan templates and configure automatic e-mailing of results.
Friendly Management Console GUI
The management console GUI is extraordinarily friendly. The home page shows summary stats for the monitored machines; an RSS feed of security patch-related news down the right-hand column; and common tasks, such as Scan My Machine and Scan My Domain, across the top. The left-hand column contains buttons to manage agent policy, patch templates and deployment templates, as well as some nifty interface innovations.
With Favorites, any task can be saved by right-clicking it and choosing Send to Favorites; repeating the action takes a mere click. Recent scans, reports and deployments are listed like the history in your browser, in a section called Recent Items.
Patch management options are, in a word, fantastic. This mature product makes Microsoft’s WSUS (Windows Server Update Services) look like a kindergarten toy. It was extremely easy to configure the console to check for new vendor and custom patches, download the patches, scan machines to see if the patches were needed, and deploy the patches based on criticality.
Any variation on this, including a hierarchical distribution server system, can be configured through the combination of Patch Scan Templates, Patch Groups, Machine Groups and Deployment Templates.
Agentless scans are a good way to quickly assess what’s going on in your environment, but for full functionality, it’s best to install the agent. The agent can be pushed from the console, deployed via log-in script or installed manually.
Shavlik makes patching virtual machines about as easy as it can be. Point the console at vmx files, provide the proper credentials, and Protect 7 will scan and patch them just like a physical machine. In fact, Protect 7 makes no distinction between a physical and virtual machine. The only flaw in this model is that if a virtual machine changes power state between scans, the console can’t find it until you rescan. Given that most patches require a reboot before being applied, manually keeping track of the power state of your VMs rapidly becomes a chore.
The big news in Protect 7 is the addition of the Sunbelt VIPRE anti-malware engine. In my testing, the anti-malware capabilities were excellent, although management could be improved. I installed the agent on a Windows XP Pro SP3 machine that was riddled with malware. After using Protect 7, everything except the pernicious CoolWebSearch was detected and quarantined immediately without affecting system stability.
I deployed a restrictive policy and then attempted my usual test malware downloads and installations. Of the 20 threats, only one could be installed, and it was removed after reboot. Although the agent was configured to scan archives (.zip), I could download viruses in archives. However, I was stopped when I attempted to install them. When you configure Netchk Protect 7 to lock down a workstation, consider it locked down.
Yet, there was something absent from anti-malware support. Perhaps I only noticed it because every aspect of patching is so well-managed, but anti-malware felt not quite fully integrated.
First, you can’t actually do anything with anti-malware from the console. You can only establish a policy to take action on a machine running the agent. This is in contrast to patching, where you can right-click a missing patch and deploy it directly.
Second, configuration changes made from the agent (such as allowing a specific program to run) are neither reported to nor manageable on the console.
Third, there was a lag between threats being reported and threats appearing in the console home page Top 10 Threats list. I could scan a machine, find a threat and see that the threat was found in the threat report. However, the threat wasn’t registered in the actual management interface until I closed and reopened the interface.
Protect 7 quickly generates informative and easy-to-read reports. My only disappointment was that I could not get a single report containing both detailed patch and threat statuses.
Protect 7 does offer very strong e-mail and export features. I could right-click on any report and choose to e-mail it to a variety of people, or schedule reports to be automatically run and e-mailed. I was extremely pleased to find that the product supports secure e-mail with SMTP authentication.
Matthew D. Sarrel is executive director of Sarrel Group, an IT test lab, editorial services and consulting firm in New York.