Explanation of How Patch Scanning Detection Works with Shavlik Protect

Version 8

    Purpose


    The purpose of this article is to explain how patch scanning detection works in Shavlik Protect.

     

    Resolution

     

    To understand the basics of how the scan engine works, please see the following information from the Shavlik Protect Help file "Scanning Engine Overview":

     

    The Shavlik Protect scan engine performs security patch assessment against a variety of Windows-based operating systems and products from Microsoft and other product vendors.

     

    The Shavlik Protect engine uses an Extensible Markup Language (XML) file that contains information about which security hotfixes are available for each product. The XML file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:

     

    • Files in each hotfix package and their file versions
    • Registry changes that were applied by the hotfix installation package
    • Information about which patches supersede which other patches
    • Related Microsoft Knowledge Base article numbers
    • Links to additional information from Bugtraq (BugtraqID) and cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by Mitre.org (CVEID)

     

    The XML patch data file, called hf7b.xml, was created and is hosted by Shavlik.

     

    When you run Shavlik Protect (without specifying advanced file input options), the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file is a digitally signed CAB file and is available on the Shavlik website. Shavlik Protect downloads the CAB file, verifies its digital signature, and then extracts the XML file to your local computer. Note that a CAB file is a compressed archive that is similar to a ZIP file.

     

    After the XML file is extracted, Shavlik Protect scans your machine (or the selected machines) to determine the operating system, service packs, and programs that you are running. Shavlik Protect then identifies security patches that are available for your combination of installed software. Patches that are applicable to your machine but are not currently installed are displayed as "Missing Patch" in the resulting output. In the default configuration, Shavlik Protect output displays only those patches that are necessary to bring your machine up to date. Shavlik Protect recognizes roll-up packages and does not display those patches that are replaced by later patches.

     

    Read more about supersedence detection (replacement patches) here: http://community.shavlik.com/docs/DOC-2156

     

     

    During the scanning process, detection goes through a few main steps, shown here in simplified order:

     

    1. DPD (Dynamic Product Detection) - The scan engine first uses DPD to identify:

        A. The operating system
        B. Any products installed on the target system
        C. The service pack level of each installed product (if applicable)

     

    2. Patch detection - Once DPD has determined all applicable products on the target system, the scan moves on to individual patch detection for every patch that applies to the OS or to those products. For each patch, the scan performs registry and/or file checks against the registry keys or files that the patch affects. This is also where any filtering comes into play (i.e. product, patch type, criticality, or any other patch filter settings).
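    The two steps above, as an added illustration that is not Shavlik's code: a simplified model in which a patch is reported as missing when it applies to an installed product (step 1) and any of its file-version or registry checks fails (step 2), with superseded patches suppressed. The patch records, inventory and field names are constructed for this example and do not mirror the real hf7b.xml schema.

```python
"""Simplified model of patch scanning detection (constructed example)."""

# Constructed patch data; field names are invented and do not follow hf7b.xml.
PATCHES = [
    {"id": "P1", "product": "Office 2010", "sp": "SP2",
     "files": {"mso.dll": "14.0.7100.5000"}, "registry": {}, "supersedes": []},
    {"id": "P2", "product": "Office 2010", "sp": "SP2",
     "files": {"mso.dll": "14.0.7150.5000"}, "registry": {}, "supersedes": ["P1"]},
    {"id": "P3", "product": "Windows 7", "sp": "SP1", "files": {},
     "registry": {r"HKLM\SOFTWARE\Updates\KB-EXAMPLE-1": "Installed"}, "supersedes": []},
    {"id": "P4", "product": "SQL Server 2008", "sp": "SP3",
     "files": {"sqlservr.exe": "10.0.5500.0"}, "registry": {}, "supersedes": []},
]

# Constructed target inventory, as DPD (step 1) would report it.
TARGET = {
    "products": {"Windows 7": "SP1", "Office 2010": "SP2"},
    "files": {"mso.dll": "14.0.7000.1000", "ntoskrnl.exe": "6.1.7601.17514"},
    "registry": {r"HKLM\SOFTWARE\Updates\KB-EXAMPLE-1": "Installed"},
}


def parse_version(text):
    """'14.0.7100.5000' -> (14, 0, 7100, 5000) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_applicable(patch, target):
    """Step 1: the patch's product is installed at the matching service pack level."""
    return target["products"].get(patch["product"]) == patch["sp"]


def is_installed(patch, target):
    """Step 2: every file meets its minimum version and every registry value matches.
    A file that is absent fails the check in this simplification."""
    for name, minimum in patch["files"].items():
        present = target["files"].get(name)
        if present is None or parse_version(present) < parse_version(minimum):
            return False
    return all(target["registry"].get(key) == value
               for key, value in patch["registry"].items())


def find_missing(patches, target):
    """Ids of applicable, not-installed patches, minus those a later patch supersedes."""
    applicable = [p for p in patches if is_applicable(p, target)]
    superseded = {old for p in applicable for old in p["supersedes"]}
    return [p["id"] for p in applicable
            if not is_installed(p, target) and p["id"] not in superseded]


if __name__ == "__main__":
    print(find_missing(PATCHES, TARGET))  # ['P2']
```

    P1 is also missing on this target but is dropped because P2 replaces it, which is the roll-up behaviour described above.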

     

    Additional Information

     

    Additional information about the Shavlik Protect scanning processes can be found in the following product documentation:

    Within Protect or in the online help (http://www.shavlik.com/support/Protect801HTMLHelp/HFN.htm or http://www.shavlik.com/support/Protect90HTMLHelp/HFN.htm) under:

    Help > Contents > Agentless Patch Management Tasks > Patch Management Overview

     

    Affected Product(s)

     

    Shavlik Protect 9.x