Re: HFNetChk Pro vs. other means to push out updates

From: Marc Fossi (mfossi@securityfocus.com)
Date: 03/20/02 

Date: Wed, 20 Mar 2002 12:30:11 -0700 (MST)
From: Marc Fossi <mfossi@securityfocus.com>
To: Brett Oliphant <brett@securityprofiling.com>

On your website <http://www.securityprofiling.com/sysupdate.htm> it
actually says "SysUpdate currently supports the Microsoft Windows
Platforms; however, support for Solaris, HP/UX, and IRIX is also planned."

Is this information out of date or is the support coming soon?

Marc Fossi, MCSE
SecurityFocus
www.securityfocus.com

On Wed, 20 Mar 2002, Brett Oliphant wrote:

>
>
> This catagory of product is awesome. This is needed for every organization.
> No one has time to do this by hand. However since this is a new catagory of
> product ... aren't we overlooking some important considerations?
>
> There are several packages out there. But long term doesn't this type of
> product need to support third party applications? Doesn't it also need to
> cover other operating systems than just windows NT ? There are still tons of
> Windows 9x out there. And what about unix? Do we care not about the total
> solution?
>
> <caution> Judgement may be skewed for our product SysUpdate does exactly
> what I have said.
>
> Brett Oliphant
> SecurityProfiling, Inc.
> www.securityprofiling.com
> 765.532.3123
>
>
>
> > I'm giving a public webcast presentation on HFNetChk on April 9th.
> >
> (http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com
> /servicedesks/webcasts/wc040902/wcblurb040902.asp)
> > (above URL is wrapped)
> >
> > Among other items, we will discuss how hfnetchk always verifies the
> > existence of patches via fileversions and checksums. The presentation
> will
> > also include a discussion of the next version of the XML schema and
> hfnetchk.
> >
> > In order to assist with performing a quick scan, the default action will
> > first try to determine if the patch may have been applied by looking for
> > the presence of a patch specific registry key. If this key is not found,
> > we assume the patch was not applied and label it as not found. If the key
> > is present, we verify the patch really is installed by checking the
> > fileversions and checksums of all involved files. In any case, we don't
> > rely on the presence of a registry key alone to state that a patch has not
> > been applied. (this has been the default behavior since the first version
> > of hfnetchk)
> >
> > If you are concerned that registry keys may not have been written, or have
> > been overwritten, etc. you can disable the reg checks altogether so that
> > existence or absence of the patch is verified solely by the checksum and
> > file version assessment. Use the -z switch as documented in KB article
> > Q303215. This feature has also been available since the first release of
> > the tool.
> >
> > FIY - SMS ships the same version of hfnetchk - an SMS add-on pack includes
> > the files necessary to automate the hfnetchk scan, file download, and
> patch
> > installation.
> >
> > At 09:44 AM 3/19/2002 -0800, Colin Stefani wrote:
> > >One product we use for patch distribution is PatchLink
> (www.patchlink.com),
> > >which has been good. It's an agent based product that is licensed on a
> per
> > >machine/node basis. We use it for all our servers and then use SMS for
> > >sending out to the workstations, since our workstations are fairly
> > >standardized the patches are all the same but our servers are different
> from
> > >each other in many cases.
> > >
> > >Patchlink takes some tweaking, but the company is helpful and willing to
> > >work with you. It's a commercial product, so it does cost money to use,
> but
> > >we felt it did a better job than HFNetChk in terms of looking at
> > >applications in addition to OS patches as well as the fact is allowed for
> > >silent distribution and automated reboots. It also performs check summing
> > >and version checking of files in addition to registry entries, which at
> the
> > >time of our evaluation hfnetchk didn't do (or do well) and was something
> we
> > >wanted and felt made a patch product more complete.
> >
> >
> > <snip>
> >
>
>
>

Relevant Pages