BigFix is in many ways similar to PatchLink, the other agent-based product we tested. Both have excellent Microsoft product coverage, great scanning engines, high patch-intelligence features and the ability to efficiently manage large numbers of distributed hosts. BigFix uses agent-side intelligence for patch-configuration scanning of the end-user host and for pulling down the patches pushed out by the BigFix administrator. Agent installation is easy, and the footprint is very small. The admin can create "Fixlet" messages, in which a group of Microsoft patches are packaged by BigFix, or custom patches/packages and then push them out to hosts that meet the requirements for the patch. These requirements are in the Fixlet messages and include parameters such as registry keys, application-build levels and OS platform.
Because BigFix is designed for deployment in large enterprise networks, "temporal distribution" features let the administrator control the network load by ensuring that distributing a patch to the portion of the network requiring it does not spike traffic.
The user interface emulates an e-mail inbox for patches, continually receiving new Fixlet messages. The administrator monitors the inbox and can ignore patches that are irrelevant to the environment and start processes to apply those that are important. One downside: The BigFix Enterprise Suite price tag dwarfs those of all the other products we tested.
UpdateExpert battled Gravity Storm's Service Pack Manager 2000 for our favorite non-agent-based tool and eventually nosed ahead thanks to its user interface, which is quite intuitive. In most respects, however, the tools are similar. Both provide powerful grouping features and per-machine authentication capabilities, and support a variety of client and server applications.
UpdateExpert can manage bulk patch installations in two ways. First, as you research patches through URLs to Microsoft's TechNet site, patches can be marked "required" or "not required." Next, while viewing individual host-patch levels, you can filter by "required" and determine which machines need to be patched. Second, you can create "profiles" that define OS-level patch configurations per OS/service pack platform (though there's no support for application-level patches). A "conformance report" can be run against the profile to audit machines for compliance. We would like to see these features consolidated and cleaned up so filters and reports could both be applied for a given user-defined configuration.
Version 6.0, which will be released this fall, will include an agent-based architecture and will undoubtedly have other major changes.
UpdateExpert 5.1, $12,190. St. Bernard Software, (800) 782-3762, (858) 676-2277. http://www.stbernard.com
Shavlik Technologies HFNetChkPro Enterprise 3.8
Shavlik's HFNetChkPro Enterprise is a souped-up, GUI-ized version of the plain old HFNetChk utility Microsoft provides for free. Using the non-agent-based paradigm, HFNetChkPro Enterprise scans your network on provided criteria, such as domain or IP range, and gives you the news. The easy-to-use interface quickly filters out patches that are not applicable to a given machine. Useful canned reports let you generate needed data based on the included information. While none of the non-agent-based products allow automatic, in-the-background downloading of all patches, HFNetChkPro Enterprise at least makes it easier on the user by letting you select and download the patches in one fell swoop.
By using the Test Install feature, you can gain insight into the tool's mode of operation. The network protocol and service prerequisites include remote registry service, workstation service, NetBIOS and scheduler service. HFNetChkPro logs into the host, creates a temporary directory, and uploads and installs the patch or patches.
HFNetChkPro's obvious weakness is its lack of flexibility for providing authentication information on a per-machine basis. So unless you have all the hosts that you want to scan in a domain or Active Directory, in which case you can scan based on your domain administrator credentials, you're out of luck. Well, almost--you could create scans for each host that has different authentication credentials, which is what we did in our test network. But doing so adds unnecessary complication.
Another "gotcha" is the difficulty in pushing out a particular patch to a set of hosts. Shavlik provided a functional workaround involving unchecking all the patches except the desired one via the deployment wizard, but you will probably want to wait for the 3.9 release, due later this month, which should address this issue.
Service Pack Manager, or SPM, presents an intuitive and easy-to-use interface. As with all the non-agent-based products we looked at, you'll be up and scanning machines in a matter of minutes.
After scanning your network servers, you'll be able to drill down using one of two views: operating systems or applications. From here, you can quickly start pushing out patches. First, you'll need to select which patches to download from the Microsoft sites to the local SPM server, a process that unfortunately cannot be automated.
The Netgroup feature lets you create custom groups of servers, which can then easily be scanned and patched based on their function. SPM nails this concept, and other vendors should take note. The Hotfix Profiler feature is another well-thought-out way to manage your servers. The administrator programs the patch-level conditions that define a problem--for example, Code Red--and you can rapidly determine which of your servers are vulnerable.
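Both UpdateExpert's profiles with their conformance report and SPM's Hotfix Profiler are the same mechanism seen from two sides: a set of required hotfixes per OS/service-pack platform, evaluated against each host's scan results. The following is an added example of that evaluation, not code from either product; the platform names, hotfix IDs, supersedence map and host inventory are constructed for illustration. The full-baseline profile yields a conformance report, while a one-patch profile answers the "which servers are exposed to this problem" question; hosts whose platform the profile does not cover are flagged rather than silently passed, and a hotfix that supersedes a required one counts as satisfying it.

```python
# Added example of a profile/conformance check in the style of UpdateExpert's
# profiles and SPM's Hotfix Profiler. Not code from any reviewed product; all
# hotfix IDs, platforms and hosts are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Platform = Tuple[str, str]  # (OS, service pack), e.g. ("Windows 2000", "SP2")


@dataclass(frozen=True)
class Host:
    name: str
    platform: Platform
    installed: FrozenSet[str]  # hotfix IDs the scan found on the host


# Supersedence (constructed): {superseded_id: {ids that roll it up}}.
SUPERSEDED_BY: Dict[str, FrozenSet[str]] = {
    "HF-1001": frozenset({"HF-1007"}),
}


def is_satisfied(required: str, installed: FrozenSet[str]) -> bool:
    """A requirement is met by the hotfix itself or by any hotfix that supersedes it."""
    return required in installed or bool(
        SUPERSEDED_BY.get(required, frozenset()) & installed)


def conformance_report(profile: Dict[Platform, FrozenSet[str]],
                       hosts: Iterable[Host]) -> Dict[str, List[str]]:
    """Return {host name: sorted missing hotfix IDs} for every non-conformant host.

    A host whose platform has no entry in the profile is reported as
    'UNPROFILED' instead of being treated as compliant, so a gap in the
    profile cannot hide an unpatched machine.
    """
    report: Dict[str, List[str]] = {}
    for host in hosts:
        if host.platform not in profile:
            report[host.name] = ["UNPROFILED"]
            continue
        missing = sorted(hf for hf in profile[host.platform]
                         if not is_satisfied(hf, host.installed))
        if missing:
            report[host.name] = missing
    return report


def vulnerable_hosts(condition: Dict[Platform, FrozenSet[str]],
                     hosts: Iterable[Host]) -> List[str]:
    """Hotfix-profiler style query: hosts on an affected platform that lack
    any hotfix closing the named problem. Platforms absent from the condition
    are unaffected and skipped."""
    names = []
    for host in hosts:
        needed = condition.get(host.platform)
        if needed is None:
            continue
        if any(not is_satisfied(hf, host.installed) for hf in needed):
            names.append(host.name)
    return sorted(names)


# Constructed inventory, as a scan of four servers might report it.
W2K_SP2: Platform = ("Windows 2000", "SP2")
NT4_SP6: Platform = ("Windows NT 4.0", "SP6a")

BASELINE_PROFILE = {
    W2K_SP2: frozenset({"HF-1001", "HF-1002", "HF-1003"}),
    NT4_SP6: frozenset({"HF-2001", "HF-2002"}),
}

# Condition for a hypothetical worm: needs HF-1001 (or its successor) on
# Windows 2000 SP2 and HF-2001 on NT 4.0 SP6a; other platforms unaffected.
WORM_CONDITION = {
    W2K_SP2: frozenset({"HF-1001"}),
    NT4_SP6: frozenset({"HF-2001"}),
}

HOSTS = [
    Host("web01", W2K_SP2, frozenset({"HF-1001", "HF-1002", "HF-1003"})),
    Host("web02", W2K_SP2, frozenset({"HF-1007", "HF-1002"})),  # HF-1007 supersedes HF-1001
    Host("file01", NT4_SP6, frozenset({"HF-2002"})),
    Host("lab01", ("Windows XP", "RTM"), frozenset()),
]

if __name__ == "__main__":
    print(conformance_report(BASELINE_PROFILE, HOSTS))
    print(vulnerable_hosts(WORM_CONDITION, HOSTS))
```

In the constructed inventory, web02 passes the HF-1001 requirement through the superseding HF-1007 but still lacks HF-1003, file01 is missing HF-2001 and is therefore the only host the worm condition flags, and lab01 surfaces as unprofiled rather than disappearing from the report.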
SPM's interface takes some getting used to. The layout is clear enough, but the manner in which you push out patches (from the operating system and product tabs) is not intuitive. SPM finished just behind the other non-agent-based products mostly because of its lack of reporting features. However, its scanning engine leads the pack, and along with the product's grouping features, this may put SPM at the top of your list.
Patrick Mueller, CISSP, is a senior security analyst for Chicago-based security consultancy Neohapsis. Send your comments on this article to him at pmueller@neohapsis.com.