False positives—incorrectly reporting that a patch is missing—aren't as serious as false negatives, but installing extra hotfixes adds an unnecessary load on the network and might result in file-version conflicts. Nevertheless, I'd rather have a product recommend a fix I don't need than miss one I do need.
False positives can occur for three reasons:
- You've already installed the hotfix.
- A more recent hotfix or service pack superseded an earlier fix, and therefore the earlier fix need not be installed.
- The hotfix isn't relevant to your configuration.
If a product recommends installing a hotfix in any of these scenarios, it's a false positive. HFNetChkPro and SysUpdate reported the fewest false positives.
False negatives—not reporting a missing hotfix—can be serious. When I ran Windows Update on one of my test systems, it overlooked three hotfixes that I needed to install. False negatives are usually the result of not properly detecting installed products. Hotfixes for products such as MSXML, Windows Media Player (WMP), and MDAC threw off many of the patch managers because of the inconsistent ways that these products track product versions. Another reason for false negatives is that the patch manager simply doesn't check for a certain product. You must be familiar with your patch manager's product coverage to ensure that you don't miss important fixes. Because product coverage is constantly changing for all the patch managers, check with the vendor to get the most recent list of supported products. At the time of testing, Ecora Patch Manager, PatchLink Update, and HFNetChkPro had the most comprehensive product coverage.
Patch Deployment
After you determine which patches each system requires, you need an efficient means to deploy the patches. Every product we tested has some method of remote installation, with varying degrees of automation. For example, BigFix Patch Manager lets you automatically install approved patches for existing systems as well as for new systems that you add to the network. Most of the products also have flexible scheduling of patch downloading and installation as well as bandwidth control.
Many hotfixes require a reboot after installation. All the test products give you some form of control over remote rebooting, some more control than others. Ecora Patch Manager provides a snooze feature that lets end users delay reboots after patch installation. SysUpdate provides a similar feature, although you can disable this feature through Group Policy. BigFix Patch Manager has an interesting feature that lists not only systems that need rebooting but also those that require an administrator to log on locally to the system to finish an update operation.
PatchLink Update and BigFix Patch Manager provide the most sophisticated mechanisms for custom patch deployment, including the ability to build custom patches from scratch. This functionality lets you distribute updates for products not supported by the patch manager. UpdateEXPERT also provides some limited capabilities for custom patches.
Patch Information
Microsoft Security Bulletins often address more than just installing patches. Sometimes a Security Bulletin recommends specific best practices for security or recommends manual remediation steps. For example, Microsoft Security Bulletin MS02-064 (Windows 2000 Default Permissions Could Allow Trojan Horse Program) states that the vulnerability requires an administrative procedure rather than a patch; you need to tighten the default permissions on the root directory of the system drive. Win2K Service Pack 4 (SP4) doesn't include a fix, and if you search for Win2K SP4 on Microsoft's Security Bulletin search page (http://www.microsoft.com/technet/security/current.asp), the bulletin doesn't appear. Thus, you might not realize that the problem and fix apply to the SP4 version. Such situations require custom instructions from the patch-management solutions so that administrators can manually address them.
Although most of the products provide at least a summary of each patch and a link to the related Microsoft Security Bulletin, HFNetChkPro provides detailed patch information and detailed threat analysis from both TruSecure and Microsoft. HFNetChkPro also provides cross-references to Common Vulnerabilities and Exposures (CVE—a standardized list of names for known security vulnerabilities and exposures) and BugTraq identifiers.
Product Coverage
The patch-management solutions we evaluated had varying degrees of product coverage: Some cover a broad range of OSs; others concentrate on Microsoft products. Although broad support can be important in many environments, bear in mind that broader isn't always better. If you have a Microsoft-only shop, you might benefit more from a company that has more expertise in patching Microsoft products. PatchLink Update provides the broadest overall product coverage, yet still has respectable coverage of Microsoft products.
Another feature that might be important for your organization is the distribution of nonsecurity-related patches. UpdateEXPERT provides the most coverage of nonsecurity patches, and Service Pack Manager 2000 and PatchLink Update also provide some coverage of these patches. As mentioned earlier, BigFix Patch Manager lets you create custom patches, so you could conceivably use the product to distribute any software or software updates; simply research and add any updates yourself.
If you need support for international languages, be sure to check patch managers carefully before investing in a solution. Few of the products we tested support non-English patches. However, patch manager product coverage continually changes, so these products might add that support at some point.
Register
