Launched this month, version 6 of Shavlik’s NetChk Protect security suite
aims to keep Windows desktop systems and servers clear of malware. The updated
package features a new patching system called Any Patch Anywhere and an enhanced
management console.
Any Patch Anywhere uses a wizard-driven custom patch editor and Shavlik’s
Dynamic Product Detection scan engine technology, allowing users to create and
maintain custom patches. The new network-based console is designed to make it
easy for administrators to check security status, manage system policies and
schedule reboots so as to minimise disruption to users.
Extended support
Shavlik has also extended the range of systems that the suite can protect to
include BlackBerry Server, Microsoft Exchange 2007 SP1, Microsoft ISA 2004
Enterprise Edition, Skype, Sun Java applications and VMware.
We tested NetChk Protect 6 using a standard Intel system with two 3.2GHz
Intel Xeon dual-core processors and 2GB of system memory, running Windows Server
2003 R2. For storing patch data, spyware signatures and scan data, we installed
SQL Server 2005 Enterprise Edition.
Although easy to install, the system takes time to set up. This is because
the process requires users to make several key decisions about patch and spyware
remediation and when to reboot systems.
After the patch updates were fed into the database and the signature files
for the spyware scan downloaded, we could define which systems to check for
patching, and which for spyware.
Protect 6 can run three types of built-in scans: a security patch scan, a
scan for picking up security and non-security patches, and a spyware scan. Users
can also define their own custom scans by using the Agent Policy Manager to
check the status of specific applications that they have rolled out to their
desktop systems, for example.
We patched the server on which NetChk was running with Windows Update, but
left all the other applications that were installed and running unpatched. A
security-only scan picked up all 23 of the security updates and also correctly
found that our SQL Server 2005 installation was missing service pack 1. It also
informed us of four further missing patches that should be installed to secure
the system. The
graphical user interface does a good job of clearly relaying a wide range of
information. Protect 6 also enables users to uninstall problem patches and roll
back spyware signatures.
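Before trusting a scanner's verdict, it is worth confirming a finding such as the missing SQL Server service pack above directly on the target. The script below is an added example, not code from the review or from Shavlik's product: it asks Windows which hotfixes are installed and asks the SQL Server engine for its own patch level. The host name, instance name and the list of expected KB numbers are placeholders chosen for illustration, not values from the review.

```powershell
# Added example (not part of the review or of NetChk Protect): independently
# cross-check a patch-scan finding on one host.
# Assumptions: $Server, $SqlInstance and $ExpectedKBs are placeholders.
param(
    [string]$Server = 'testsrv01',                                   # assumed host name
    [string]$SqlInstance = 'testsrv01',                              # assumed default instance
    [string[]]$ExpectedKBs = @('KB941693', 'KB943055', 'KB944653')   # constructed list
)

# 1. Which of the expected OS hotfixes are actually present? Get-HotFix reads the
#    Win32_QuickFixEngineering inventory that OS patch scanners also consult.
$installed = Get-HotFix -ComputerName $Server | Select-Object -ExpandProperty HotFixID
$missing   = $ExpectedKBs | Where-Object { $installed -notcontains $_ }
if ($missing) {
    "Missing OS hotfixes on ${Server}: $($missing -join ', ')"
} else {
    "All expected OS hotfixes are installed on $Server"
}

# 2. SQL Server service packs are not reported as OS hotfixes, so ask the engine
#    itself. SERVERPROPERTY('ProductLevel') returns 'RTM', 'SP1', 'SP2', ...
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT SERVERPROPERTY('ProductVersion') AS Version, " +
                       "SERVERPROPERTY('ProductLevel') AS Level"
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        "SQL Server $($reader['Version']) is at level $($reader['Level'])"
        if ($reader['Level'] -eq 'RTM') {
            "SQL Server has no service pack applied; the scanner's finding is confirmed"
        }
    }
    $reader.Close()
} finally {
    $conn.Close()
}
```

Run it from the console host with an account that has local administrator rights on the target (for the remote hotfix query) and a login on the SQL instance; a scanner finding that this script cannot reproduce is the one to investigate first.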
Admins can define the scope of a scan using “system collections” that come
under a range of headings, such as My Domain or My Test Machines. The latter is
designed to allow admins to check that a scan performs correctly on a subset of
systems before it is applied more widely across the network. Admins can also
group systems according to the departments that operate them. For our Test
Machines grouping, we chose systems that were on different subnets to check that
Protect 6 could correctly scan them, but users could pick systems from defined
groups, such as HR.
For firms with large numbers of systems to be scanned, Shavlik recommends
that administrators set up a so-called distribution server to reduce the network
overhead. This acts as a store for the various patch files, XML data files and
the latest scan engines. A distribution server is an essential requirement if
some of the systems to be scanned have no internet access. We found setting up a
distribution server on a subnet to be pretty straightforward. To make things
easy we used a UNC path, but on production systems administrators will probably
need to set up authenticated HTTP paths to the server for better security.
Custom scanning
With the distribution server in place, we could then define the policies the
agents use when performing a security or spyware scan of the system they are
installed on.
Agents can be installed manually off a CD-ROM or Flash drive, or by using a
console command. Creating a custom scan involves telling an agent what it can
and cannot do by using the suite’s Agent Policy Manager. We could also set up
agents to block specific user actions, such as the downloading of unsigned
ActiveX executables.
Users can easily schedule scans to suit their requirements, and can specify
when and where email reports are sent. For instance, the system can be set up to
ensure administrators with responsibility for specific branch offices or
specific groups of users get summary reports immediately after a scan has been
completed.
The final process we set up was the remediation template, which specifies
what Protect 6 may do when it detects missing patches or spyware.
To test this, we set up one of our servers with a SQL Server 2005 install that
was missing a service pack. Protect 6 logged the missing patch, downloaded it
and popped up a message saying that it would install the patch and reboot. After
the system rebooted it was rescanned and a further service pack was found to be
missing. This time we deployed the missing service pack immediately, in real
time, and a rescan found the server fully patched.
In another test using desktop systems on a 192.168.1.x subnet, we set up
patch scan, spyware and remediation templates so that only systems missing
critical patches or infected with high-threat malware were rebooted after being
patched.
Protect 6.0 discovered nothing but low-risk items such as cookies, but
upgraded the desktops in question with the current crop of Microsoft patches.
In conclusion, we found Shavlik’s NetChk Protect 6.0 had a comprehensive
feature set. Although the system was easy to deploy, initial configuration can
be complex. We experienced no crashes when using the package.