1 Reply Latest reply on Jun 6, 2011 1:43 PM by historicalshavlikemployee

    Detailed Informations about the Scan and Patch progress for a Presentation

      Is there a chance to get an datailed explanation about how the Scan and Patch progress for Netchk Protect work? Which ports are used (Server and Clients) and why? I need this Information for a presentation of this Product and for the configuration of the Firewall Settings. For example i opened Port 3121,5120,80 ,445 , 139 on the Console Firewall. I guess i dont need all of them just for simple Scanning and Patching.

        • 1. Re: Detailed Informations about the Scan and Patch progress for a Presentation
           The required ports can be found here:

          We make a NetBIOS connection to the remote machine to view the files and registry keys on the remote machine to verify the patch is installed.

          Identifying Explicitly Installed Patches

          In order to identify that a patch has been explicitly installed, several criteria must be met.


            The patch must include a registry key that gets written to the machine on which it will be installed*, and this registry key must exist** in the XML patch data file.


            The registry key must exist on the system being scanned.


            All the files in the patch (as defined by the XML file) that were written to the remote system must be equal to or greater than the file versions recorded in the XML file.  If any of the file versions on the remote system are below what is expected, the patch is considered not installed even if the registry key is present.


          *Several types of patches do not write registry keys to the system on which they're being installed, most notably SQL Server patches.  Since there is no explicit indication that the patch has been applied, it cannot be determined that the SQL patch (or similar) was specifically installed at any point in time.  To ensure that these systems are up to date, run a scan against the system and ensure that there are no SQL patches that appear as 'Patch Missing'.

          **If NetChk Protect deploys the patch, it will write its own registry key to the remote system under HKEY_LOCAL_MACHINESoftwareMicrosoftUpdatesShavlik.  This data is encrypted to prevent tampering.  So, even if the patch doesn't normally write a registry key during deployment (SQL Patches, Office patches, etc), NetChk Protect will write a registry key that is then read by the scanner during the assessment phase.  The application can read that all these patches are installed, what account was used to install the application, and when the patch was installed.  This information is displayed on the patch details panel as well as a mouse over on 'Patch Found' text in the patch summary pane.

          Scanning Engine Overview

          NetChk Protect is built upon the industry leading HFNetChk scan engine developed for Microsoft by Shavlik Technologies. The NetChk Protect engine performs Microsoft security patch assessment against a variety of Windows operating systems and products. The engine also scans for updates of many products from other vendors.

          The NetChk Protect engine uses an Extensible Markup Language (XML) file that contains information about which security hotfixes are available for each product. The XML file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:


            Files in each hotfix package and their file versions


            Registry changes that were applied by the hotfix installation package


            Information about which patches supersede which other patches


            Related Microsoft Knowledge Base article numbers


            Links to additional information from Bugtraq (BugtraqID) and cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by Mitre.org (CVEID)


          The XML patch data file, called hf7b.xml, was created and is hosted by Shavlik Technologies.

          When you run NetChk Protect (without specifying advanced file input options), the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file -- a digitally signed .CAB file -- is available on the Shavlik Technologies Web site in compressed form.  NetChk Protect downloads the CAB file, verifies its digital signature, and then decompresses the CAB file to your local computer. Note that a CAB file is a compressed file that is similar to a ZIP file. If the CAB file is not located or cannot be downloaded, NetChk Protect will attempt to download an uncompressed copy of this file from the Shavlik Technologies Web site via SSL (https).

          After the CAB file is decompressed, NetChk Protect scans your machine (or the selected machines) to determine the operating system, service packs, and programs that you are running. NetChk Protect then parses the XML file and identifies security patches that are available for your combination of installed software. Patches that are available for your machine but are not currently installed are displayed as Type_-_Missing_patch.gifin the resulting output. In the default configuration, NetChk Protect output displays only those patches that are necessary to bring your machine up-to-date. NetChk Protect recognizes roll-up packages and does not display those patches that are superseded by later patches.

          File Version Analysis

          In order for a system to 'pass' a given patch analysis for a patch that is applicable to the system, the file versions for all patch-related files must match what is stored in the XML patch data file.


            If the file version for a patch-related file is below what is expected (on the target system), the patch is considered not found, and both the file version found on the system and the file version expected (from the XML file) are displayed in the output with a 'Patch Missing' message.


            If 'View Notes and Warnings' is selected via a custom scan template and the file version of any file on the system is greater than expected, both the existing and the expected file versions are displayed along with a Warning message that the file on the system is more recent than expected. This may indicate the presence of a more recent non-security bulletin related hotfix, or the presence of a trojaned file.