Domain: shavlik.com
Stories and comments across the archive that link to shavlik.com.
Comments · 19
-
Re:Security through head in sand
WSUS does Office patching, not an issue
What's a lot harder is patching Adobe products and the like. We're currently investigating Shavlik Netchk Pro for patching apps
-
Re:Depends a lot on your point of view
-
Re:Enterprise FF/TB Managment
Shavlik's HFNetChkPRO 5 now pushes out Firefox Updates..
http://www.shavlik.com/support/updates_hf5.aspx
The scan list gets updated on a very frequent basis.. maybe a day or 2 behind the software releases for Firefox.. hopefully they will add support for Thunderbird soon as well. (I think I'll email them about it.)
I scan my network, select a small group of test machines from the scan result, and click deploy all patches.. patches all get pushed out and scheduled to install automatically, then machines are scheduled to reboot after hours to complete the MS patching.
If all goes well, then I Repeat until all machines in my environment are patched..
Price is reasonable too. (when you compute the time necessary to manually patch all your systems)
I'm sure some other patch systems can do this as well..
-
Useful links for everyone concerned
Microsoft Security Bulletins RSS feed, to receive notifications of new patches ASAP
MBSA and HFNetChk, automated tools to check if your system is up to date (see also the qfecheck command to check the status of installed patches)
Windows Update: analyze and update your system from a web page
Microsoft Systems Management Server (prices and licensing), a solution for the management of Windows networks. Comes with support for automated deploying of patches
-
hfnetchk
windows comes packed with this tool for monitoring and managing patch levels on multiple hosts, though it's not installed by default
if you need to patch entire network, see the hfnetchk homepage for pro/enterprise version
-
May help some
Have a look at that: http://www.shavlik.com/
It works only for Windows, though. But reports patches, missing or not, for Windows, Office, and some other products. Probably some option to export current state, or make a report.
Lets you push patches too, forcing installation.
-
Re:Microsoft hosed their own update service!
50 Win2k desktops, you say?
HFNetChkLT should be exactly what you wanted.
-
Re:I think the windows update button on the taskba
That's because the version on their site is oooold. Microsoft didn't write MBSA - Shavlik Technologies did. Last I saw there was an MBSA version that could actually download the patches there. Looks like they took it shareware?
-
Two thoughts
1) M$ (and the media) hyped this security patch to the hilt, IMHO, because WU was the target. Other worm exploits that have been cited in the news can be prevented by patches that came out a year or two ago. It would be nice to have the other 30 or so patches released this year equally hyped.
2) Re: WU says you're patched but you're not... I'm sorry, but nothing impresses me more than Shavlik's HFNetChkLT for Win2K, NT, and XP. Scan with this and then download the patch from the M$ Security Bulletins through Technet and install manually.
-
Re:A good argument for...
Screw Windows Update, I, luckily, started testing Shavlik's HFNetChkLT for patch deployment about 12 hours before the worm started. Very nice. Has problems deploying Service Packs (particularly Office), but does patches perfectly. Either way, it will let an administrator of a corporate network check every member of the domain for patches from a single point and that point doesn't even have to be a server. My laptop has been deploying patches pretty solidly for the last day and a bit.
-
Re:On the way?
OCG:
Incorrect. Windows Update and Auto Update are shoddy excuses for patch management, especially taken alone. Ordering and chaining of patches is horrendous, and the mechanism that "validates" patch installation is worse. HFNetChkPro is a far superior product, especially when combined with Software Update Services and the aforementioned practice of testing on non-critical servers (or, optionally, reasonable replicas of your operating environment). Any admin on any platform that doesn't rigorously regression-test a patch before deploying, while still not as villainous as the lazy slob who doesn't patch until the worm is spotted, still needs to be ousted from duty and have his home DSL line snipped permanently as well. That goes for Windows, LINUX, BSD, C-64 or whatever else. If it (your platform of choice/force) has the capacity to pollute the environment and there is a fix available but you turn out to be the ultra inertially-challenged and you turn a blind eye until the inevitable happens, you need to either commit suicide for the sake of us all, or, ignoring that, run for President. Hell, you can say you invented patches.
I don't run auto update anywhere on my network, but all my servers and workstations are patched. Snort is detecting the bugger outside the walls, and the din is getting higher. Anyone going to wager if it gets farther than Nimda?
-
SP4 products are not affected by this flaw
FYI...
Windows 2000 machines running SP4 are not affected by this flaw. I suggest anyone running anything less than this starts deploying SP4 instead of this individual patch. Shavlik has excellent products to make your patch deployment easier.
-
Re:How big are these things?
Probably because they're not doing internal testing of the updates, and the admin is too overworked to keep on top of the updates to download them to a central server. Best practices though, dictate that the admin download needed updates, test them on lab machines, and automatically rollout to clients. The rolling out to clients is the difficult part. Most updates can be installed unattended via CLI, but some can't. Of course, with a little effort (and something like AutoIt), all of them can be made unattended. All that's left is a way of knowing which updates have already been applied. I recommend a central database or checking the registry (with Perl or VBScript...whichever you're more comfortable with).
Of course, if you use Microsoft's Software Update Service, then it's basically like running your own Windows Update server...and it's a free addon to Win2K servers. Client side is very similar to the Automatic Updates feature introduced in 2000 SP3 (or XP SP1)...but instead of checking MS's server it checks your own. Admins have control over what updates will be applied.
There are also 3rd party tools like HFNetChk Pro (with a free Lite version, but it has major limitations as far as rollouts are concerned) and UpdateExpert. They basically simplify mass scanning and rollout to many machines.
Of course, for ISP's the only thing I can think of would be to just download the files and host on a website...then educate your customers.
-
Command Line HfNetChk
There's also HfNetChk 3.86, which allows command-line analysis:
HFNetChk.exe is the multi-threaded command-line tool you can use to assess a computer or selected group of computers for the absence of security patches. You can use HFNetChk to assess patch status for the Windows NT 4.0, Windows NT Terminal Server, Windows 2000, Windows XP operating systems, as well as hotfixes and service packs for IIS 4.0, IIS 5.0, SQL Server 7.0, SQL Server 2000 (including MSDE), Exchange Server 5.5, Exchange Server 2000, Windows Media Player, Front Page Server Extensions, Microsoft Java Virtual Machine, Microsoft Data Access Components (MDAC), and Internet Explorer 5.01 or later.
-
Try HfNetChkLt
HFNetChkLt from Shavlik will identify more vulnerabilities, and its engine is updated more often than M$' MBSA.
-
Try HfNetChkLt
HFNetChkLt from Shavlik will identify more vulnerabilities, and its engine is updated more often than M$' MBSA.
-
Re:Windows Update is crap
If Microsoft ever gets serious about patch management, they'll have a common tool that sysadmins can use to patch any and all of their MS software with a common interface and no unnecessary transmission of system-specific data to MS. Is that too much to ask?
And then Shavlik (who developed HFNetChk, and still maintain their own free version, along with more useful tools) and St. Bernard, et al. would complain that MS is cutting into their business.
For the home user, I don't know of a single situation (sans driver updates, which aren't done by default) that Windows Update has left a known, serious security vulnerability unpatched. For corporate servers and workstations, you should invest in a corporate solution...that costs money.
-
Re:I'm thinking
The same could be said about any person who runs a computer connected to the internet. One of the problems is that people get on the internet without proper knowledge of networking, services, hotfixes/patches, or even really the basic OS they are using. It's really not that difficult to maintain an NT4/2k/XP box. Either use Microsoft's free hotfix checking utility, or Shavlik's free personal security advisor. Heck, Microsoft has even designed a patch "push" system so you don't have to restart the server to install most hotfixes.
-
IIS and Updates
The truth is, IIS isn't a bad web server. Why everyone makes it out to be is beyond me. Everything has exploits. Everything is going to have "patches" or "fixes". If you properly configure your IIS server (remove "internet printer" ISAPI driver, default directories, etc.) and make sure security measures are in place (Running OS on a different partition/security than the "inetpub" partition).. and keep up with the patches (by checking Shavlik's personal security advisor or by using Microsoft's HotFix checker) you'll be fine. It's amazingly stupid that the patches to protect against CodeRed came out almost a year ago, along with patches to protect against NIMDA. It's ridiculous if someone, who is knowingly running IIS on a server (NT4 or otherwise) does not keep up with such fixes. Now then again, there are a lot of people who install Win2k with default options.. and that includes IIS (I believe so anyhow?).. and in that case, the user most likely will not know to keep up with patches/hotfixes. Then again, Windows 2000 isn't a "consumer" OS, it's meant for a business environment where hotfixes/patches/systems should be managed by an IT staff.