Howdy Folks,

 

We are looking at 3rd party patching, and I am aware of the following products, 
but I would like to read over a review with pros and cons of each, Gartner has 
information for client management tools, but nothing with a focus on 3rd party 
application patching with SCCM.

 

Attached is an email I saved from Todd Miller, this is the kind of information 
I was hoping to find.

 

Has anyone come across a recent link that does a good job of comparing them?

 

From the emails on this list, it sounds like Secunia and PatchMyPC are the 
most popular, is anyone using SolarWinds?

 

PatchMyPC

Shavlik

SolarWinds

Secunia

 

I did find this one link below, but it is kind of old.

 

http://myitforum.com/myitforumwp/2013/01/22/3rd-party-patch-management-part-1-2/

 

Thanks.

 

Art




--- Begin Message ---
I find the scanning portion of the tool to work very well.  You can scan
using a client on the system, or it can be made to scan against software
inventory data in SCCM.  I choose to scan against SCCM software inventory
data, but that does mean you have to turn on SCCM software inventory which
plenty of people hate.  I find I need it for other things anyway - so two
birds one stone.

 

It helps to figure out what patches you are missing in your environment and
also to prioritise which patches you should focus on based on number of
hosts affected and severity of the vulnerability.

 

Those are the PROS of the software.

 

Here are the CONS.

 

They only provide patches due to security issues, so if patches are provided
by software for feature or bugfix reasons, they do not support the patch.
For instance, they are behind on Shockwave patches currently because the
current version is a bug fix to a previous version and is not a security
risk.  To me, I want to rely on this product to patch Shockwave - not just
when the missing patch is a security risk.

 

The other major drawback of the product is that the quality of the patches is
really not up to snuff.  It is uncommon for me to take a patch from Secunia
and have it work reliably.  I end up recoding all the patches and by the
time I finish with that, I wonder if I am really gaining all that much over
SCUP.  On the one hand the detection part of the patch is all fixed up for
me, but I have to write my own code to actually apply the patch and the
Secunia framework just calls the executable I write to apply the patches.

 

Here are examples of what I mean.

 

We installed Flash using the MSI provided from the Adobe redistribution
license.  Secunia was great at detecting that flash was out of date and
provided a patch to update flash to the current version.  Unfortunately, the
patch from Secunia assumes you used the EXE version of the Flash installer
from Adobe.  The end result from using Secunia's provided patch is that the
systems were left with two versions of Flash installed.  One older from the
MSI version and one current from the EXE/patched version.  Same story for
Shockwave.

 

I have a custom build of Firefox, so I always have to build the new version
of Firefox MSI and then replace the Secunia patch installer with my own
custom MSI.  It is not that much work.

 

Apple Quicktime, I modified to not check for updates and not put the
quicktime icon on the desktop.  After applying the Secunia supplied
Quicktime patch, all those settings (no check for update - no desktop icon)
revert to the default.  So I had to build my own self-extracting exe that
updated Quicktime silently.

 

 

So, it is no panacea.  If you think you can just check in a bunch of patches
for third party programs and deploy them out to your clients seamlessly,
forget about it.  It is still a full time job one week a month to
prepare/test/deploy patches.  But, Secunia is great at figuring out what
patches you should be working on, and is a big help at developing the
targeting rules in the patch and publishing to SCCM.

 

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Sherry Kissinger
Sent: Wednesday, July 09, 2014 2:30 PM
To: [email protected]
Subject: Re: [mssms] Secunia

 

I've used it in a lab environment--and it's quite nice.  We haven't bought
it (yet--internal politics, who is going to pay for it, that kind of thing;
but I have high hopes).

 

I can't think of anything bad about their product at all.  It's all good.
Contacting them for a demo is the easiest.  

 

To be fair, don't forget about looking at Shavlik, PatchMyPC.net, and
um...I think there's a couple more.  Eminentware?  did I forget a few more?

 

If you've already implemented SCUP / deployed a trusted certificate, any one
of them will allow you to deploy 3rd party patches.  You'd just have to
determine which vendor best fits your needs.

 

Sherry Kissinger

 

 

On Wednesday, July 9, 2014 1:57 PM, "Mitchell, Steven R"
<[email protected]> wrote:

 

Hey all,

 

Does anyone have any good/bad information on Secunia?  There is a move here
to look into this for addressing vulnerabilities.  Just curious if you have
had dealings with it as a solution.

 

Thanks,

 

Steven

 





--- End Message ---
