Verdict:
Spyware scans can be resource hungry, but Shavlik's sophisticated patch-management capabilities can't be faulted.
Shavlik's NetChk Protect focuses on vulnerability management and brings together an interesting mix of patch management, spyware and malware scanning and remediation, and serves it all up under a single management console.
Patch management is its primary function and along with keeping up to speed with the never-ending stream of Microsoft patches, NetChk Protect now allows you to retrieve and apply updates to non-Microsoft and legacy apps using a custom patch file editor.
For testing, we loaded the main console on a Boston Supermicro dual 3GHz Xeon 5160 system running Windows Server 2008 Enterprise. It's a smooth process and we liked the fact that for the majority of functions NetChk Protect doesn't require an agent since it can scan remote systems, check their patch status and deploy updates without them.
Shavlik does include agents, however, as it recognises the need to support mobile users that aren't always connected to the network and remote sites with low bandwidth links. NetChk Protect also has the ability to remove or disable dodgy applications and spyware, and for this you'll need to deploy an agent.
This can be pushed from the main console where it runs as a single local service, but note that at the time of review Vista wasn't supported by the agent, nor can it be used to run the console.
From the cheerfully designed main console you can gather together your systems by creating machine groups using a range of methods such as domains, OUs, IP address ranges and so on, and fire off on-demand and scheduled patch and spyware scans at will. The results are posted in the console, where you can browse by individual system or view a range of charts and graphs that provide a detailed overview.
We'll look at the spyware scanning functions first since we had some issues with them. You have two options. The console can scan over the network without loading any software on each client, but this will incur higher bandwidth overheads. The alternative is Shavlik's dissolving service scan, which loads the scan engine on each client locally to reduce network overheads and improve performance.
During testing, we found the latter method can have an unhealthy appetite for CPU resources. You can use a slider bar in your spyware scan policy that goes from 10 to 100% CPU utilisation. At the maximum setting we saw a scan on the core server taking around 25% of CPU resources - not good for a dual Xeon 5160 server although it did only take three minutes to complete.
Changing our policy to the lowest utilisation caused the scan to run in regular short bursts and take around five times longer to complete. Less well-endowed systems suffered more, with a venerable dual-socket, single-core Xeon server getting clobbered at up to 65% utilisation.
Nevertheless, the resulting reports are very detailed since you can see each system's vulnerabilities and view all identified spyware, the level of importance for each instance and the remediation status. To remove spyware you need to configure a distribution server, although we found this a simple enough task.
Real-time protection can also be activated, and this allows you to block or allow certain actions on client systems such as changing IE security levels and enforcing a specific homepage.
Patch management is where NetChk Protect really hits the mark. We scanned a range of Windows Server 2008 and 2003 systems and XP clients and were impressed with the results. An unpatched Server 2003 R1 system, for example, required more than patches including the SP2 update while some XP clients we'd assumed were fully updated came back with a range of patches plus extra ones for Microsoft Office.
Deploying patches is a cinch as you can select critical patches, choose your own, or pick them all and push them to selected systems immediately or at scheduled times. Templates control deployments and are used to force clients to reboot, run pre- and post-deployment tasks and send out notifications.
Supported applications naturally centre heavily round Microsoft, but included third-party apps are thin on the ground, so you'll probably need to use the custom patch editor. Also, why include Skype and iTunes when most right-thinking network administrators will have banned their use in the workplace?
Patch scans are much faster than spyware scans, with inspections of all our test systems requiring no more than one minute each. Reports are also very detailed and show the top ten missing patches and the most vulnerable systems, plus pie charts showing patch status. Move to the machine view and you can see details of each individual system and their patch status, and also if they can be rolled back.
If you're just interested in simple, automated patch management then Microsoft's freely available WSUS is probably enough. However, if you want more and are prepared to pay then NetChk Protect is a better candidate, as it delivers far superior patch management and deployment capabilities and combines them with a reasonable set of spyware scanning and remediation tools.
By Dave Mitchell
SPECIFICATIONS:
Windows 2000, XP Professional, Server 2003, Server 2008 (not Vista). Agent: Windows 2000 upwards excepting Vista.