
False positives—incorrectly reporting that a patch is missing—aren't as serious as false negatives, but installing extra hotfixes adds an unnecessary load on the network and might result in file-version conflicts. Nevertheless, I'd rather have a product recommend a fix I don't need than miss one I do need.

False positives can occur for three reasons:

  1. You've already installed the hotfix.
  2. A more recent hotfix or service pack superseded an earlier fix, and therefore the earlier fix need not be installed.
  3. The hotfix isn't relevant to your configuration.

If a product recommends installing a hotfix in any of these scenarios, it's a false positive. HFNetChkPro and SysUpdate reported the fewest false positives.

False negatives—not reporting a missing hotfix—can be serious. When I ran Windows Update on one of my test systems, it overlooked three hotfixes that I needed to install. False negatives are usually the result of not properly detecting installed products. Hotfixes for products such as MSXML, Windows Media Player (WMP), and MDAC threw off many of the patch managers because of the inconsistent ways that these products track product versions. Another reason for false negatives is that the patch manager simply doesn't check for a certain product. You must be familiar with your patch manager's product coverage to ensure that you don't miss important fixes. Because product coverage is constantly changing for all the patch managers, check with the vendor to get the most recent list of supported products. At the time of testing, Ecora Patch Manager, PatchLink Update, and HFNetChkPro had the most comprehensive product coverage.
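
The three false-positive causes listed above, and the coverage gap that produces false negatives, can be written out as a small assessment routine. The block below is an added example for this page, not code from any of the products reviewed: the catalog shape, the hotfix identifiers (KB-A1 and so on), the products, versions and the installed-hotfix list are all constructed for illustration, and a real scanner would read the inventory from the registry and file versions rather than from a dictionary.

```python
# Supersedence-aware missing-hotfix assessment.
# Added example, not code from any product reviewed on this page; every
# hotfix ID, product, version and catalog entry below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    kb: str                 # hotfix identifier (hypothetical, e.g. "KB-A1")
    product: str            # product the hotfix targets
    min_version: str        # lowest affected product version, inclusive
    max_version: str        # highest affected product version, inclusive
    supersedes: tuple = ()  # earlier hotfixes this one replaces


def ver(text):
    """Dotted version string -> tuple of ints, so that '4.10' > '4.9'."""
    return tuple(int(part) for part in text.split("."))


def applies(patch, inventory):
    """Reason 3 on the page: a hotfix for a product or version you do not
    run is not relevant to your configuration.
    inventory maps product name -> detected version string."""
    detected = inventory.get(patch.product)
    if detected is None:
        return False
    return ver(patch.min_version) <= ver(detected) <= ver(patch.max_version)


def closure(installed, catalog):
    """Reasons 1 and 2: an installed hotfix counts as present, and so does
    every earlier hotfix it supersedes, followed transitively."""
    by_kb = {p.kb: p for p in catalog}
    covered, todo = set(), list(installed)
    while todo:
        kb = todo.pop()
        if kb in covered:
            continue
        covered.add(kb)
        if kb in by_kb:
            todo.extend(by_kb[kb].supersedes)
    return covered


def assess(catalog, inventory, installed):
    """Return (missing hotfix IDs, inventoried products the catalog never checks).

    The second list is the coverage warning the page recommends: a scanner
    is silent about products outside its catalog, which is a false negative
    waiting to happen."""
    covered = closure(installed, catalog)
    applicable = [p for p in catalog if applies(p, inventory)]
    # If two applicable hotfixes are both missing and one supersedes the
    # other, recommend only the newer one (reason 2 again).
    replaced = {old for p in applicable for old in p.supersedes}
    missing = sorted(p.kb for p in applicable
                     if p.kb not in covered and p.kb not in replaced)
    checked = {p.product for p in catalog}
    unchecked = sorted(prod for prod in inventory if prod not in checked)
    return missing, unchecked


# Constructed catalog: hypothetical IDs, not real bulletins or hotfixes.
CATALOG = [
    Patch("KB-A1", "MSXML", "3.0", "3.99"),
    Patch("KB-A2", "MSXML", "3.0", "3.99", supersedes=("KB-A1",)),
    Patch("KB-B1", "MDAC", "2.5", "2.6"),
    Patch("KB-B2", "MDAC", "2.7", "2.8"),
    Patch("KB-C1", "WMP", "7.0", "9.0"),
    Patch("KB-D1", "Win2K", "5.0", "5.0"),
    Patch("KB-D2", "Win2K", "5.0", "5.0", supersedes=("KB-D1",)),
    Patch("KB-SP4", "Win2K", "5.0", "5.0", supersedes=("KB-D2",)),
]

# Constructed inventory of one test system and the hotfixes it reports.
INVENTORY = {"MSXML": "3.20", "MDAC": "2.7", "Win2K": "5.0",
             "WMP": "9.0", "Office": "10.0"}
INSTALLED = ["KB-SP4", "KB-B2"]

if __name__ == "__main__":
    missing, unchecked = assess(CATALOG, INVENTORY, INSTALLED)
    print("missing:", missing)       # KB-A2 and KB-C1 only
    print("not checked:", unchecked)  # Office: catalog has no entry for it
```

On the constructed inventory the routine recommends KB-A2 and KB-C1 and nothing else: KB-A1 is dropped because the applicable KB-A2 supersedes it, KB-B1 is dropped because the installed MDAC version is outside its range, and KB-D1 and KB-D2 are dropped because the installed service pack supersedes them transitively. The failure mode the page describes is the one the code cannot see: if version detection for Windows Media Player fails and WMP simply does not appear in the inventory, KB-C1 is silently dropped from the missing list, and the unchecked list does not help because the catalog does cover WMP. That is why the page tells you to confirm a product's coverage list rather than trust an empty report.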

Patch Deployment
After you determine which patches each system requires, you need an efficient means to deploy the patches. Every product we tested has some method of remote installation, with varying degrees of automation. For example, BigFix Patch Manager lets you automatically install approved patches for existing systems as well as for new systems that you add to the network. Most of the products also have flexible scheduling of patch downloading and installation as well as bandwidth control.

Many hotfixes require a reboot after installation. All the test products give you some form of control over remote rebooting, some more control than others. Ecora Patch Manager provides a snooze feature that lets end users delay reboots after patch installation. SysUpdate provides a similar feature, although you can disable this feature through Group Policy. BigFix Patch Manager has an interesting feature that lists not only systems that need rebooting but also those that require an administrator to log on locally to the system to finish an update operation.

PatchLink Update and BigFix Patch Manager provide the most sophisticated mechanisms for custom patch deployment, including the ability to build custom patches from scratch. This functionality lets you distribute updates for products not supported by the patch manager. UpdateEXPERT also provides some limited capabilities for custom patches.

Patch Information
Microsoft Security Bulletins often address more than just installing patches. Sometimes a Security Bulletin recommends specific best practices for security or recommends manual remediation steps. For example, Microsoft Security Bulletin MS02-064 (Windows 2000 Default Permissions Could Allow Trojan Horse Program) states that the vulnerability requires an administrative procedure rather than a patch; you need to tighten the default permissions on the root directory of the system drive. Win2K Service Pack 4 (SP4) doesn't include a fix, and if you search for Win2K SP4 on Microsoft's Security Bulletin search page (http://www.microsoft.com/technet/security/current.asp), the bulletin doesn't appear. Thus, you might not realize that the problem and fix apply to the SP4 version. Such situations require custom instructions from the patch-management solutions so that administrators can manually address them.

Although most of the products provide at least a summary of each patch and a link to the related Microsoft Security Bulletin, HFNetChkPro provides detailed patch information and detailed threat analysis from both TruSecure and Microsoft. HFNetChkPro also provides cross-references to Common Vulnerabilities and Exposures (CVE—a standardized list of names for known security vulnerabilities and exposures) and BugTraq identifiers.

Product Coverage
The patch-management solutions we evaluated had varying degrees of product coverage: Some cover a broad range of OSs; others concentrate on Microsoft products. Although broad support can be important in many environments, bear in mind that broader isn't always better. If you have a Microsoft-only shop, you might benefit more from a company that has more expertise in patching Microsoft products. PatchLink Update provides the broadest overall product coverage, yet still has respectable coverage of Microsoft products.

Another feature that might be important for your organization is the distribution of non-security-related patches. UpdateEXPERT provides the most coverage of nonsecurity patches, and Service Pack Manager 2000 and PatchLink Update also provide some coverage of these patches. As mentioned earlier, BigFix Patch Manager lets you create custom patches, so you could conceivably use the product to distribute any software or software updates; simply research and add any updates yourself.

If you need support for international languages, be sure to check patch managers carefully before investing in a solution. Few of the products we tested support non-English patches. However, patch manager product coverage continually changes, so these products might add that support at some point.





Reader Comments

A vague narrative of truisms and "what else is new" comments about patching, mixed with some useful details. A comparison table of specific features for each package would be much better.

Milton F. Lopez

Is there any reason why Microsoft's SUS, SMS, and BSA weren't included in the review?

Steve

We have been evaluating a product called Novadigm Patch Manager. Is there a reason why some of the more main stream products were not included in your evaluation? Thank you for your time.

Monique Ludwig

This is an excellent article. I was browsing the net to search for Microsoft Patch Management Products and accidentally hit this page. I got the information I was looking for except that the article does not have anything about the Microsoft Software Update Services. Good Article indeed...

Thanks Author.

Regards,

C Mugilan

Excellent work. This market needed some more definition. The thoroughness of the feature sets and non-biased presentation is a credit to your publication. Thank you for setting a new standard.

T Wadsworth

Good job. I have just started patch management in our company and it is a big task; with articles like the above everything becomes more clear every day. Thank You for thinking of us.

Madeleine

I've been running HFNetChk Pro for quite a while now, and while it works OK, I still get frustrated with Office patches, especially Office 2K. We have some mixed version clients due to custom Access DBs, and it's virtually impossible to update both versions of office at the same time. From what I see in forums for other products, this is not limited to HFNetChk, but is common on all patch management systems. The requirement for source files from install media is frustrating. Hopefully MS can address this soon... Nice article, though. I plan on evaluating Patchlink since I need an app that's more scalable. I'd also like to work with a console that's multi-threaded, too...

Charlie Kaiser

I may have missed this feature in the products, but I see a need for an "exclusion list" of servers requiring specific sign off before patching. Many of the servers that I have to patch are FDA Validated machines requiring testing on QA machines before ANY patching. The Validated servers require very specific Change Management protocols before changing anything on the production systems. I see this as an important feature for any organization that supports FDA Validated systems.

RON

I use Service Pack Manager 2000 (Gravity Storm Software); it works well. Very fast scanning, no agents to install.

leonard

I wanted to post a message about PatchLink I didn't see in the article. It is a great solution, but you cannot use their agent system on multiple computers when those computers were imaged using Norton Ghost, PowerQuest DeployCenter, etc. All computers will hash to the same unique identifier in their system.

Brandon Pack

I missed the editor's choice. Assume you had to pick one product after your comparison, which product would it be? Come on – don't be so shy! Thanks for putting this article and details together. Overall this is a very helpful document.

Michael K

the computer business is finished and is for losers nowadays...i'm going to law school

anonynous

Just a quick response to Brandon Pack's comment....you can use Patchlink with Ghost....there are instructions on the Patchlink site.

Joe Crowe

1) SUS Blows!! All it does is give you your very own copy of http://v4.windowsupdate.microsoft.com/en/default.asp. If you're looking for something more than "Critical Updates" and "Recommended Updates" look somewhere else.

2) Most products either have a prohibitive price tag or a prohibitive feature set. If someone wanted to cash in, they'd have a product with a good feature set, some purchasable add ons (like a good help desk system) and sell it for cheap.

Jimi Thompson

This blows

Anonymous User
