Re: HFNetChk Pro vs. other means to push out updates

From: Brett Oliphant (brett@securityprofiling.com)
Date: 03/20/02


From: "Brett Oliphant" <brett@securityprofiling.com>
To: <focus-ms@securityfocus.com>
Date: Wed, 20 Mar 2002 12:23:15 -0500


This category of product is awesome. This is needed for every organization.
No one has time to do this by hand. However, since this is a new category of
product ... aren't we overlooking some important considerations?

There are several packages out there. But long term, doesn't this type of
product need to support third party applications? Doesn't it also need to
cover other operating systems than just Windows NT? There are still tons of
Windows 9x out there. And what about Unix? Do we care not about the total
solution?

<caution> Judgement may be skewed for our product SysUpdate does exactly
what I have said.

Brett Oliphant
SecurityProfiling, Inc.
www.securityprofiling.com
765.532.3123

> I'm giving a public webcast presentation on HFNetChk on April 9th.
>
> (http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com/servicedesks/webcasts/wc040902/wcblurb040902.asp)
> (above URL is wrapped)
>
> Among other items, we will discuss how hfnetchk always verifies the
> existence of patches via fileversions and checksums. The presentation will
> also include a discussion of the next version of the XML schema and hfnetchk.
>
> In order to assist with performing a quick scan, the default action will
> first try to determine if the patch may have been applied by looking for
> the presence of a patch specific registry key. If this key is not found,
> we assume the patch was not applied and label it as not found. If the key
> is present, we verify the patch really is installed by checking the
> fileversions and checksums of all involved files. In any case, we don't
> rely on the presence of a registry key alone to state that a patch has not
> been applied. (this has been the default behavior since the first version
> of hfnetchk)
>
> If you are concerned that registry keys may not have been written, or have
> been overwritten, etc. you can disable the reg checks altogether so that
> existence or absence of the patch is verified solely by the checksum and
> file version assessment. Use the -z switch as documented in KB article
> Q303215. This feature has also been available since the first release of
> the tool.
>
> FYI - SMS ships the same version of hfnetchk - an SMS add-on pack includes
> the files necessary to automate the hfnetchk scan, file download, and patch
> installation.
>
> At 09:44 AM 3/19/2002 -0800, Colin Stefani wrote:
> >One product we use for patch distribution is PatchLink (www.patchlink.com),
> >which has been good. It's an agent based product that is licensed on a per
> >machine/node basis. We use it for all our servers and then use SMS for
> >sending out to the workstations, since our workstations are fairly
> >standardized the patches are all the same but our servers are different from
> >each other in many cases.
> >
> >Patchlink takes some tweaking, but the company is helpful and willing to
> >work with you. It's a commercial product, so it does cost money to use, but
> >we felt it did a better job than HFNetChk in terms of looking at
> >applications in addition to OS patches as well as the fact it allowed for
> >silent distribution and automated reboots. It also performs check summing
> >and version checking of files in addition to registry entries, which at the
> >time of our evaluation hfnetchk didn't do (or do well) and was something we
> >wanted and felt made a patch product more complete.
>
>
> <snip>
>
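The two-stage check the quoted hfnetchk description lays out (registry key as a quick filter, then file version and checksum verification, with -z skipping the registry stage) as an added Python model; this is not hfnetchk's code or output. The patch name, registry key, file path, version numbers and file contents are constructed placeholders, and SHA-256 is an assumed stand-in for whatever checksum the tool uses.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of a patch definition: the registry key the installer
# writes, plus, per file, the minimum fixed version and the fixed file's checksum.
@dataclass
class PatchDef:
    name: str
    registry_key: str
    files: dict  # path -> (minimum version tuple, expected checksum hex digest)

def checksum(data: bytes) -> str:
    # Assumption: the post only says "checksums"; SHA-256 is used here as a stand-in.
    return hashlib.sha256(data).hexdigest()

def assess_patch(patch, registry, filesystem, skip_registry=False):
    """Model of the scan order described in the post.

    registry   : set of key paths present (constructed stand-in for the registry)
    filesystem : dict path -> (version tuple, file bytes) (constructed stand-in)
    skip_registry=True models the -z switch: go straight to file verification.
    """
    if not skip_registry and patch.registry_key not in registry:
        return "NOT FOUND"          # quick scan: no key, assume never applied
    for path, (min_version, expected) in patch.files.items():
        entry = filesystem.get(path)
        if entry is None:
            return "NOT FOUND (file missing)"
        version, data = entry
        if version < min_version or checksum(data) != expected:
            return "NOT FOUND (file version/checksum mismatch)"
    return "INSTALLED"

# Constructed sample data (not a real patch, key, path or binary).
FIXED = b"constructed contents of the fixed example.dll"
OLD = b"constructed contents of the pre-patch example.dll"
DLL = r"C:\WINNT\system32\example.dll"
PATCH = PatchDef("Q-PLACEHOLDER", r"HKLM\SOFTWARE\Placeholder\Hotfix\Q-PLACEHOLDER",
                 {DLL: ((5, 0, 2195, 4000), checksum(FIXED))})
KEY_PRESENT = {PATCH.registry_key}

def scenarios():
    # normal: key written and file fixed.  no_key: key missing (never written or
    # deleted) although the file is fixed; the default reports NOT FOUND, -z sees
    # the file.  rolled_back: key present but the old file came back (e.g. after a
    # reinstall); the file stage catches it in both modes.
    fixed_fs = {DLL: ((5, 0, 2195, 4000), FIXED)}
    return {
        "normal": assess_patch(PATCH, KEY_PRESENT, fixed_fs),
        "no_key_default": assess_patch(PATCH, set(), fixed_fs),
        "no_key_z": assess_patch(PATCH, set(), fixed_fs, skip_registry=True),
        "rolled_back": assess_patch(PATCH, KEY_PRESENT, {DLL: ((5, 0, 2195, 3000), OLD)}),
    }
```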
