Hi Mike, CSI, sad to say, is sorta worst in class with respect to its patching. Also, dealing with the European based sales force is a pain due to the time difference.
At least as of 6 months ago when I looked at them and had a demo, we dropped it like a hot potato when it became clear they just use Microsoft SMS under the covers.... which has all the problems that lead people to want to improve upon SMS. I don't even think they maintain or manage an active repository of patches, or do much in the way of testing that the patches work. LanDesk and BigFix were doing it right and adding value in their approaches. Shavlik looked okay for a Windows only play, but their technology is getting pretty long in the tooth. What I'll say in praise of Secunia's CSI/PSI though, is that they really have a patch/vuln identification mechanism that's like no other. They cover a dizzying array of client side vulnerabilities (thanks to their free PSI and the info they glean from all the user of it) and present the data in a very very nice way. But, if you're buying a tool simply for identifying problems, your money is probably better spent on a real vuln scanner that does both network based uncredentialed scanning as well as credentialed agentless scanning. Best Regards, -- Todd Haverkos http://www.linkedin.com/in/toddhaverkos mike p <[email protected]> writes: > Sorry to (attempt to) resuscitate this old thread, but do folks have any > updates from their experiences with Bigfix after their Tivoli integration, > or new info on Secunia CSI? > > Thanks, > Mike > > On Tue, Sep 8, 2009 at 7:59 PM, Jody & Jennifer McCluggage < > [email protected]> wrote: > >> Thanks Jack. The NetChkProtect software looks promising. I will download >> the trial and give it a try. Another issue that we run into with 3rd party >> software is that even if that particular software does allow for automatic >> updates (still not an ideal solution for an organization - no central >> control or validation)is that many times those updates will not install if >> the end-user is not running as a local administrator. >> >> Thanks >> >> -----Original Message----- >> From: [email protected] >> [mailto:[email protected]] On Behalf Of Jack Daniel >> Sent: Saturday, September 05, 2009 7:36 AM >> To: PaulDotCom Security Weekly Mailing List >> Subject: Re: [Pauldotcom] 3rd party application patching tools for Windows >> >> I have two suggestions- >> >> I used Shavlik tools for many years, mostly NetChkProtect. This does >> agentless credentialed scans (although I think they also have agents >> if needed) for a wide variety of products (including Citrix, BES, >> VMWare, Mozilla, all the Adobe crap, and much more) from a central >> console, reports on what needs to be updated, and can push the patches >> (AND pull them back if they bork something). It can also be used to >> deploy supported software- like pushing Firefox out to desktops. >> Almost everything can be scheduled, and many things can be automated. >> It is easy to set up, especially for small environments, but can be >> plugged into bigger environments well, too. I have installed and run >> it from a laptop for remediation situations. Free trial available, >> does some anti-spyware and AV now, too. Shavlik did the original >> tools for MS, and MS still uses them. Even if you don't use Shavlik, >> their patch management newsletter may be of interest. (Yes, I'm an >> Eric Schulte/Shavlik fanboy) >> >> Also, I have not used it myself, but a lot of people like BigFix, and >> there are a ton of great people working there. It is (or can be) more >> of a full-blown systems management suite, but it is available in >> components. I think there is a bit of base infrastructure required, >> but BigFix can find missing patches and push them out among many other >> things. It doesn't seem to be in near as many small environments as >> Shavlik, but if I were headed back into a patching role they would be >> on my short list. >> >> As far as others, I don't know what has happened to Patchlink since >> they became Lumension, but if you are really exploring alternatives, >> they are probably worth a look. There are also a few scanners which >> report on what's missing, some like Secunia offer links and wizards, >> but it sounds like you want something that is a true upgrade from WSUS >> that will find the problem, report it, and fix it- for that, I really >> would look at Shavlik and BigFix. >> >> Jack >> >> >> -- >> ______________________________________ >> Jack Daniel, Reluctant CISSP >> http://twitter.com/jack_daniel >> http://www.linkedin.com/in/jackadaniel >> http://blog.uncommonsensesecurity.com >> >> >> >> >> >> On Fri, Sep 4, 2009 at 8:12 PM, Jody & Jennifer >> McCluggage<[email protected]> wrote: >> > Hello everyone, >> > >> > >> > >> > A few episodes ago Carlos made the excellent observation that many >> > organizations do not have a centrally controlled automated strategy for >> > patching 3rd party (non-Microsoft) applications on Windows. He correctly >> > pointed out that Microsoft/Windows Update and WSUS does not patch 3rd >> party >> > applications. As late as last year, the number one application attack >> > vector was Office. But according to one recent survey, this year the >> number >> > one application attack vector were made up of some ubiquitous Adobe >> products >> > (probably not a surprise to anyone here) so obviously patching only >> > Microsoft products is no longer a viable solution. >> > >> > Does anyone have any recommendations of any products (commercial or open >> > source) that are appropriate for small to mid-size organizations that can >> > centrally deliver approved 3rd party application patches to Windows >> > machines? >> > >> > >> > Thank you, >> > >> > >> > Jody >> > >> > _______________________________________________ >> > Pauldotcom mailing list >> > [email protected] >> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> > Main Web Site: http://pauldotcom.com >> > >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> No virus found in this incoming message. >> Checked by AVG - www.avg.com >> Version: 8.5.409 / Virus Database: 270.13.78/2347 - Release Date: 09/05/09 >> 05:51:00 >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com -- _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
