Shavlik Kicks Off Patch Management Review Like A Rock Star

The first entry in our Rolling Review, NetChk Protect, is a natural for all-Microsoft shops.

NetChk supports most enterprise-class Microsoft operating systems and applications, including Office, Exchange, and SharePoint. We found NetChk's agentless option extremely compelling. All capabilities are available--we executed complete scanning, patch installation and removal, and spyware discovery and remediation from the management console without installing any Shavlik software on target machines. Agents are available at no charge for environments where connectivity may be spotty.

There's also a handy built-in feature to patch target Office suites to bring them in line with one specified master Office installation, rather than applying patches as they're released. This is useful for companies whose policy is to build and test patches before mass deployment--always recommended. When you're ready to deploy patches to target machines, network usage can be moderated by reducing the copy speed setting. We'd like Symantec to add the ability to natively delay copying of patches, without the use of Distribution Server. As it is, while we could define when a patch would be applied, it was copied to target machines immediately.

Shavlik Technologies NetChk Protect 5.9; $19,200 for 300 Windows machines plus 300 VMs running Windows, includes one-year maintenance.

We're testing patch management products at our Real-World Labs at Windward Consulting Group. We'll assess breadth of platform support, how well a product discovers patches and our environment, rollback abilities, testing and staging capabilities prior to production, reporting, and bandwidth control.

Lumension Security

BigFix, BladeLogic, BMC Software, CA, Configuresoft, Ecora Software, IBM, Kaseya, LANDesk Software, Novell, Opsware, and Symantec

Installation on our server was a breeze, but the initial network scan took some doing. The native XP firewall initially blocked the console from scanning our XP boxes, and even after we opened the port, Simple File Sharing had to be disabled before NetChk could log in with appropriate rights to scan.

Setting up the first scan was simple. Targets may be defined by host name, IP, domain, and Active Directory organizational unit; we also had the flexibility to ignore select target machines and define groups and subgroups from any combination of the above criteria. Upon successful scan of our Windows test environment, analysis of the results was clearly presented and easily acted upon.

For deployment, we could select patches manually or use context menu options to install all patches or all critical patches. Then we moved on to the method of deployment, choosing whether to deploy now or later, reboot and copy speed options, e-mail results notification, and more. In testing copy speed, we noted a difference between setting 1 and setting 5 for a 12-MB patch, so bandwidth throttling does work. But even larger tests didn't spike network usage enough to be noted on our network monitors.

However, when we attempted to defer a deployment, we observed NetChk copying patch files immediately, not at the scheduled time. Shavlik told us that this behavior is designed to ensure patch availability and avoid delays in deployment because of slow copying.

Results of the deployment clearly showed when patches failed and, in testing, also listed a suspected cause for each failure. Removal of an installed patch worked flawlessly.

NetChk Protect pricing for 300 Windows machines plus 300 VMs running Windows is $19,200, including one year of maintenance.