At first glance, NetChk Protect looks to offer a strange brew of features as it combines patch management with anti-spyware, but Shavlik groups them neatly together under its active vulnerability management umbrella. The idea is that you keep all your legitimate applications fully up to date with the latest security patches while keeping dangerous applications off the network.
The best of the new features is support for custom patch deployment. This uses a custom patch file editor to download and apply essential updates to non-Microsoft and legacy applications. A new machine-centric view of systems being protected displays trees with domains at the top and each system underneath shows the list of discovered applications and their patch status.
Unlike many management products, Shavlik tries to avoid agents where possible and can remotely scan systems and deploy patches without them, but includes agents to support scenarios such as remote sites with low internet bandwidth links and mobile workers that are frequently away from the network.
For testing we loaded the core product on a Boston Supermicro dual 3GHz Xeon 5160 system running Windows Server 2008 Enterprise - a simple process that took less than 30 minutes to complete. You can start assessing your security posture straight away as you can select immediate scans of local and remote systems from the intuitive main console and opt to check for patches or spyware. If you have firewall software running on local LAN systems you'll need to do some work opening up ports, but Shavlik does provide a comprehensive list.
The results from our test patch scans were particularly good. One target systems was running an unpatched version of Windows Server 2003 R1 and NetChk came back with a list of more than 60 required patches. Patch scans rarely took more than a minute for each test system. The results are initially provided as an executive summary with plenty of charts, but you can drill down into each report to find out a wealth of information about the patch status of individual systems.
One issue we had was the number of applications supported by NetChk. One client was loaded with a wide range of common apps, but the patch scan missed quite a few. We were somewhat perplexed to see the patch status for Adobe Acrobat and Reader displayed, but not for Photoshop or Elements. We also noticed that NetChk was unable to correctly identify Windows Server 2008.
Patch deployment is swift as you can select individual patches or all of them and either send them to the selected systems immediately or at a specific time. Deployment templates can be used to determine functions such as the type of installation, when the client reboots, plus pre- and post-install tasks.
We found spyware scans were a lot slower and required more host resources. We created a group of four machines and a general spyware scan on all of them took more than 16 minutes. We also noticed that CPU utilisation on some of the less well-specified clients during the scan could be as little as 50 per cent. You can limit the amount of CPU resources the scan is allowed, but this will make the scan take even longer. The results do go some way to make up for this as the reports are just as detailed as the patch scans.
To remediate you must deploy agents, and for this you need to set up a distribution server. This didn't take long and we could then push agents out to selected clients and groups from the central console. Agents are controlled with policies that determine whether they can scan for patches and spyware and take remedial action. For the latter you can also set real-time protection, where you decide what actions on the client are to be blocked, prompted for or allowed.
NetChk Protect delivers a vulnerability management solution that's swift to deploy and easy to use. The patch scanning and remediation facilities are easily its strongest features as the spyware scans require a lot of resources in order to offer valuable protection to client systems.