Enterprise Level: Automatic assessment and patching tool - crossplatform

Hi all,

This question is related to a few queries I have had from large customers who are looking for the following:

 - a single appliance or application that can scan a network (pref. agentless) for unpatched systems on multiple platforms (especially MS & Solaris)
 - can then be told to apply patches to a beta subset of those systems
 - can then be told to distribute the patches to the entire network - pref with use of distributed repositories etc
 - will generate good reports during all phases

They are not looking for these guys:

 - SMS
 - Tivoli
 - Unicenter
 - etc etc etc

We are talking about something that can be implemented quickly and relatively *painlessly.*

I know there are a bunch of great tools for finding unpatched systems, like Nessus & Retina, however it is being able to fix-after-find that has become important to large organisations due to the manpower required to keep their systems up to date.

Can anybody help me with this - discussion on this topic is appreciated!


Have you looked at windowsupdate.com?


ISS has some fairly copious output on resolution of found vulnerabilities and in using it (and Nessus and Microsoft's tools) found that few (if any) enterprises have the kind of homogeneous infrastructure that could withstand automated updates. The sort of decisions that have to be made before deploying patches involve a sort of fuzzy logic that require regression testing and assessment of risk and SMS, ZEN or Marimba-like rollout tools integrated into the package which would allow rollback and cross-platform compatibility.

A killer app to be sure, but I don't think it's out there.
The reason that SMS, Tivoli, etc. are so expensive is that they can push updates out after checking. You have to have an infrastructure in place, which includes a client on the host to accept the updates.

Both Windows and Solaris have automated patch checking utilities, but they push all of the patches out, not just the ones you want.
"... not just the ones you want"
there's the rub - the effort in vulnerability management is examining the patches to make sure they're not going to break something

You can do this yourself if you are skilled enough in scripting. Now I don't know about Solaris but MS has the QFECHECK utility that you can run both locally and remotely to find out what hot fixes have been applied to what PCs. If you have an administrative point on your network to house all of the possible hot fixes you want to make sure the PCs have, you can then write scripts that will go out and find out what all of your PCs have on them. Your script of course will need to dump the info into a database which you can then use to script applying the hot fixes from your admin point to wherever needed.
ferg-o (Author) commented:
I don't mean to be ungrateful but *all the above "answers" are crap and do not answer the question!*

Chicagoan - windowsupdate.com? That is a great cross-platform tool - and Microsoft has never released an update to fix a problematic update have they? Well done - get yourself a beer.

Durindil - missing my point - my clients are looking for a management system - not a bunch of scripts etc..

TooKoolKris - obviously nobody is as skilled in scripting as yourself. READ MY POST - this is something two of my clients have requested. One of them is a global investment bank and the other is a major shipping company. I am not an end-user.

Ideally a system like this will operate in a similar fashion to McAfee's ePO enterprise AV management system. New DAT files can be treated as beta, eg rolled out to the IT department, and when they are considered safe they become current - and then distributed to the entire network. The current dats become "previous" and it is a simple matter to roll back after that.

I am asking a question - not looking for a lecture! Can we get back to this question please - 250 points for an expert - not for an opinionated punter.
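To make the two ideas in this thread concrete, the following added example (not code from any poster or from any product named here) models TooKoolKris's find-then-fix scripting loop together with the beta/current/previous staging ferg-o describes for ePO: compare a per-host hotfix inventory against a baseline, push a patch to a beta ring first, promote it fleet-wide once assessed, and keep the pre-patch state so it can be rolled back. Host names, hotfix IDs and the inventory are constructed placeholders.

```python
# Added model of the fix-after-find loop: compare a per-host hotfix inventory
# against a baseline, push a patch to a beta ring first, promote it fleet-wide
# once assessed, and keep the pre-patch state for rollback (like ePO's DATs).
from dataclasses import dataclass, field

# Constructed sample inventory (hostname -> installed hotfix IDs); the IDs are
# placeholders, not real Microsoft hotfix or KB numbers.
INVENTORY = {"it-ws01": {"HF-001", "HF-002"}, "fin-ws01": {"HF-001"}, "fin-ws02": set()}
BETA_RING = {"it-ws01"}  # IT department hosts receive every patch first


def missing_hotfixes(inventory, required):
    """Return {host: sorted missing hotfix IDs} for hosts behind the baseline."""
    gaps = {host: sorted(set(required) - have) for host, have in inventory.items()}
    return {host: ids for host, ids in gaps.items() if ids}


@dataclass
class Rollout:
    """Staged deployment of one hotfix: beta -> current, or rolled_back."""
    hotfix: str
    inventory: dict  # mutated in place, as a real deployment would
    beta_ring: set
    stage: str = "beta"
    previous: dict = field(default_factory=dict)  # host -> state before patching

    def _apply(self, hosts):
        for host in hosts:
            self.previous[host] = set(self.inventory[host])
            self.inventory[host].add(self.hotfix)

    def start(self):
        """Push the hotfix only to beta-ring hosts that do not have it yet."""
        self._apply([h for h in self.beta_ring if self.hotfix not in self.inventory[h]])

    def promote(self, beta_ok):
        """After the beta ring is assessed: roll out everywhere, or roll back."""
        if self.stage != "beta":
            raise ValueError("can only promote from the beta stage")
        if not beta_ok:
            return self.rollback()
        self._apply([h for h in self.inventory if self.hotfix not in self.inventory[h]])
        self.stage = "current"
        return self.stage

    def rollback(self):
        """Restore every patched host to its recorded pre-patch state."""
        for host, prior in self.previous.items():
            self.inventory[host] = set(prior)
        self.stage = "rolled_back"
        return self.stage
```

The regression testing Chicagoan insists on is what decides the `beta_ok` flag; the model only enforces that nothing reaches the wider fleet before that decision is made.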

If you weren't looking for a lecture, you shouldn't have posted a flame.

When you said "discussion on this topic is appreciated!" I took it to heart.

As far as the windoze update comment goes, the punctuation characters following it denote an emoticon "wink". For those in the know it means the comment was tongue in cheek and was expressed to convey the sorry state of security today, as it is an example of an automated system that usually works but has failed miserably on occasion, crippling many machines, and is not blindly relied upon by knowledgeable administrators.

I know you pay for your points, one way or another, and deserve serious treatment by knowledgeable professionals. I've been involved in security since gopher was a big deal and you had to pay for Netscape. I have worked within an enterprise for the last eight years in the education community that is straining the limits of a class B network and has every conceivable operating system hung on, and have had the luxury of being courted by every security vendor with something to sell.

My contribution to the discussion was that in my experience a fully automated black-box cross-platform vulnerability management tool does not exist. Too few enterprises have the sort of homogeneous environment where such a system could begin to be deployed without wreaking havoc.

McAfee operated within a thin slice of the enterprise; it is not a valid analogy.

"A bunch of scripts" IS a system, and would incorporate a particular environment's peculiarities as well as a skilled operator using SMS, Tivoli or any other management tool. The thing you're missing is the effort involved in assessing the effect vulnerability mitigation will have on systems where hundreds or thousands of applications are deployed.

If when Code Red was discovered your uber-vulnerability-mitigation system had simply sent out a patch to IE preventing .exe's from being parsed, you would have broken about half of the accounting systems in use at the time, NNM and countless other web based applications. So when those of us who had to deal with it went to work we had to analyze each machine and decide how to protect them. So we had to approach those systems differently by restricting access, renaming system files and working around the problem to keep the applications working, it's an organic process sometimes.

So there's labor involved: skilled professionals have to assess threats and the potential costs of actions and make business decisions on how to expend resources. Tools can help, but the landscape is constantly changing and no tool is going to do it all. For any given enterprise, if you could get the cooperation of business decision makers, developers and systems people you could build a system with whatever tools you had expertise in. It wouldn't be pretty, you couldn't order it from Egghead. There is no panacea, it's painful, just try to take it like a man.

Get bent buddy! The only sentence in your post that was phrased in the form of a question was:

"Can anybody help me with this" Followed directly by "discussion on this topic is appreciated!"

You got what you asked for now deal with it.
ferg-o (Author) commented:

Agreed on many points Chicagoan. If the clients listened when I told them that they need to be vigilant with patching and that they should allocate resources accordingly then we wouldn't be having this discussion.

Kinda similar to when we speak to them about having an organic information security policy ratified by the board of directors. Chances are?

My apologies if I came off as an ass with my last post. That's what you get when you hop on your computer after 12 hours of drinking, rugby and Keith Richards defying old age.

To get back to the McAfee analogy - their product has an agent which is installed with local admin rights and can deploy or update software whenever it is told. Which is why it is the market leading enterprise anti-virus management system. Would be a good way to achieve the goal.

As far as thin end of the enterprise wedge there is no technology that permeates an enterprise more fully than anti-virus. Not particularly glamourous but vendors have no problem getting people to fork out cash for it. And to be honest with you at the moment I don't care about anything that clients aren't willing to fork out cash for!

All this being said I have two clients who are looking for a patch management system. This means that they will pay for one. This being the case then either there is a product on the market that will do the job or there should be. One of these organisations is all Windows. They are not interested in scripting, they don't even know what Kix is. They want an appliance or a piece of software that checks their network for unpatched machines and patches them.

But it doesn't look like there is one. Oh well.

And if it wasn't Monday morning "TooKoolKris" I would be well and truly bent...

Been there - done that - got the t-shirt

If I had a beer for every time I smashed my head against a keyboard after coming out of an IT Steering Committee meeting where the topic was "do we re-allocate the security line item in the budget to flat screen monitors or a live band for the Christmas party?" I'd be playing on the Betty Ford croquet team.

Not a problem man, I know how it is sometimes believe me. Just ask any of the admins on this site. I give them hell all the time :)

My suggestion for scripting came from the frustration I had when trying to find network tools to do specific tasks. Some programmer informed me about scripting my own tools. Ever since then that's what I've done, when I need an automated windows management tool I simply write one myself. Within the boundaries that scripting allows anyways. It starts out as a slow process because obviously there is a learning curve involved, however after you write a couple of things it becomes more like second nature.

See if this may help,


Anti-Virus software is not enough. Find out why HFNetChkPro is the real lifesaver.
HFNetChkPro is an automated patch management tool that makes it easy to stay one step ahead of the latest Blaster worms on the horizon. It's the easiest way to keep an eye out for important patches such as MS03-039 and others that will be released to protect your network.

In minutes, HFNetChkPro scans and pushes patches across your network so you can concentrate on other tasks, and breathe a little easier. No time-consuming agents to bog you down either.

Here is a link with a few more that you can check out as well,


Good Luck
Does Citadel Security, LANDesk and/or PatchLink provide many of the patches and paths to remediation? I just do not know which one is the best, since one could spend more money than they care to. Pacifica Technologies is an automated assessment system that can plug in patch management solutions and several of the scans from Nessus, Retina and ISS and Sanctum's application scan.
Citadel is vulnerability remediation, which, I guess, is the large umbrella over patch management - that was the spin I was told about them.

ferg-o (Author) commented:

Yeah - interestingly enough Citadel's Asian disti had a stand next to ours at the HK InfoSec summit on Monday and Tuesday and their product Hercules *looks like* it is exactly what I was after. I will start testing next week...

Not cheap though!
ferg-o (Author) commented:
Turns out it is crap - based on .NET and therefore buggy as hell...