HFNetChkPro Users Guide



HFNetChkPro4

Table Of Contents

Welcome to HFNetChkPro 4

About HFNetChkPro 4

HFNetChkPro 4 versions

System requirements

HFNetChkPro 4 vs. Other Software

HFNetChkPro 4 and Windows Update patch coverage comparison

What sets HFNetChkPro 4 apart from the others?

How it Works

Scanning engine overview

Enumerating machines

Determining patch status

File version and checksum analysis

Determining patch supersedence

Identifying explicitly installed patches

Identifying effectively installed patches

Installation

Obtaining the software

Installing the prerequisites

Performing a new installation

Running the Setup Wizard

Getting Started

Registering HFNetChkPro 4

The HFNetChkPro 4 Home Page

The HFNetChkPro 4 scanning interface

Performing Patch Scans

Scanning prerequisites

QuickScan vs FullScan

Drag and drop scanning

Run Scan dialog

Supplying credentials

Scan history

Scan Options Menu

Scanning Your Local Machine

Performing a QuickScan of the local machine

Running a FullScan of the local computer

Scanning Machines on the Network

Performing domain scans

Choosing computers to scan

Machine Groups

About machine groups

Creating machine groups

About the My Test Machines group

Configuring Machine Groups

Scan Templates

About scan templates

Creating a scan template

Working with a scan template

Specifying a default scan template

Patch Groups

About patch groups

Creating a patch group

Working with patch groups

Creating Favorites

Creating favorites

Interpreting Scan Results

Interpreting scan results: the scan summary

Interpreting scan results: the machine summary

Interpreting scan results: the patch summary

Interpreting scan results: detailed patch information

Missing patches

Hiding Patch Items

Downloading Patches

Downloading patches and service packs

Download centers

Deploying Patches

Patch deployment overview

Patch deployment prerequisites

Patch deployment security

How HFNetChkPro 4 tracks deployment licenses

Testing the deployment

Deployment configuration

Monitoring the deployment

Canceling a deployment

Deployment history

How to Deploy

Deploying one or more patches

Deploying sets of patches

Deploying patches to selected machines

Deploying service packs

Deploying by criticality

Deploying patches to all members of a domain

Deploying patches to all scanned machines

Deployment Templates

About deployment templates

Creating a deployment template

Working with a deployment template

Uninstalling Patches

Uninstalling patches

PatchPush(TM) Tracker

About the PatchPush™ Tracker

Disconnected Mode

Disconnected Mode

Shavlik data files

International Patch Support

About international patches

Create a new download center

Select a new download center

Downloading foreign language patches

Creating a foreign machine group

Using the Command Line

About the command line

Command line syntax

Proxy Support

Proxy support

Error Messages

HFNetChkPro 4 Scanner Error Messages

Reports

Reports in HFNetChkPro 3

Basic report filters

Advanced report criteria

Exporting reports

Report: Condensed patch listing

Report: Deployment Seat Status

Report: Condensed Patch Listing For CSV

Report: Machine/OS Listing

Report: Machines By Patch

Report: Machines Not Scanned

Report: Missing SP

Report: Patch Annotation Information

Report: Patch Criticality Information

Report: Patch Listing

Report: Patches By Machine

Report: Patches By Machine Detail

Report: Scan/Deployment History

Managing the Database

Compressing the Database

SQL Database Support

Obtaining support

End User License Agreement

Index

Print date: November 2003

Welcome to HFNetChkPro 4

[pic]

Welcome to HFNetChkPro 4.0 - the next generation in security patch management. This new version includes many enhanced features to save you time and secure your systems. HFNetChkPro 4.0's intuitive Drag-n-Drop interface facilitates fast scans and patch deployment along with easy template setup and a built-in test group. Need patch criticality information? It's one click away with HFNetChkPro 4.0's new third-party threat analysis information, severity ratings from Microsoft and links to Bugtraq and CVE information.

HFNetChkPro 4.0 performs security patch assessment and PatchPush™ for the following operating systems and applications:

• Windows NT 4.0, 2000, XP and Server 2003

• Exchange Server

• SQL Server

• Microsoft Office including Outlook and Office installation points

• Java Virtual Machine

• Internet Explorer

• Internet Information Services (IIS)

• Windows Media Player

• Microsoft Data Access Components (MDAC)

• ISA Server

• Commerce Server

• .NET Framework

About HFNetChkPro 4

HFNetChkPro 4 versions

There are three editions of HFNetChkPro 4.

• HFNetChkPro unregistered

The unregistered version of HFNetChkPro allows you to scan an unlimited number of machines for missing patches, but does not allow you to download or deploy patches or to view any of the included reports.

     [pic]

• HFNetChkPro, Limited Edition

Registering HFNetChkPro allows you to scan an unlimited number of machines as well as to perform unlimited patch deployments to ten (10) machines and one (1) server.  The registered version also includes access to one of the possible 13 reports that are available with HFNetChkPro.

     [pic]

• HFNetChkPro

HFNetChkPro includes all of the functionality of the Limited Edition version as well as detailed reporting, technical support and the ability to scan and deploy patches to more than 10 machines.  This version is also capable of supporting a Microsoft SQL back end database.  For more information on this option, please contact your account representative.

     [pic]

To determine which version of HFNetChkPro you are running, look at the title bar or the main page of the application.  Alternatively, choosing Help > About will also provide version details.

System requirements

HFNetChkPro can be installed on Windows 2000 SP 3 or higher, Windows XP and Windows 2003 Server systems.  The following additional applications and/or system components are required on the system:

• Internet Explorer 5.5 or later

• Microsoft Windows Installer version 2.0

• Microsoft Data Access Components (MDAC) 2.7 SP1 or higher

• Microsoft XML Parser 3.0 SP2 or later, or Microsoft XML 4.0

For best XML parsing performance, install both MSXML 3 and MSXML 4.

• Microsoft Jet 4.0 SP8 or later

The installer will automatically attempt to download the English versions of the prerequisites.  If you are missing a prerequisite and click install a second time, the installer will allow you to bypass the prerequisite requirements.  If you do this, make sure you are indeed at the prerequisite level.  Please note that installation of these components may require a system reboot.

HFNetChkPro 4 vs. Other Software

HFNetChkPro 4 and Windows Update patch coverage comparison

[pic]

Windows Update and the HFNetChkPro suite of solutions from Shavlik cover a different set of products and a different set of patches, but there is some overlap.  

The main differences between HFNetChkPro solutions and Microsoft’s Windows Update include:

• Low, Moderate and Important security updates - Windows Update focuses only on Critical security updates and does not typically cover Low, Moderate, or Important security updates from Microsoft. HFNetChkPro solutions cover all security updates, regardless of criticality rating.

• More products – HFNetChkPro solutions cover SQL Server (and MSDE), Exchange, ISA, NT4, and Office detection. Windows Update does not.

• Non-security updates and drivers – Windows Update includes Microsoft non-security updates and drivers. Shavlik’s solutions cover security updates only.

• Agents – Shavlik’s HFNetChkPro solutions do not require that an agent be installed on target machines, but Windows Update does. Agentless patch management means simplified rollout and increased awareness of rogue machines on your network.

What sets HFNetChkPro 4 apart from the others?

Features

|Ease of Use |HFNetChkPro 4 can be installed and push patches within minutes. |
|Real-time patch validation |HFNetChkPro 4 utilizes XML data files that are updated the moment a security patch is released. |
|Agentless Operation |No need to install agent software on the machines being scanned. |
|Patch Supersedence |Only those patches that are necessary and applicable to the scanned platform are evaluated during the scan process.  Unnecessary and superseded patches are not presented if they are not needed. |
|Technology endorsed by Microsoft |HFNetChkPro 4 is built upon the same engine that powers the Microsoft Baseline Security Analyzer and the SMS Feature Pack and is driven by the same database schema used by the Microsoft Security Bulletin website. |

Security and Integrity

|Detailed Patch Analysis and Validation |File versions, checksums, and registry keys are evaluated to aid in determining patch status.  Solutions that rely solely on registry keys and/or minimum file versions are unable to differentiate between legitimate files and trojaned files, including patches that have been re-released by Microsoft. |
|Checksum recalculation |File checksums are re-calculated by the scanning machine, rather than being read from the headers of the files where they can be easily spoofed. |
|External validation data |File data used to perform patch validation tests are obtained from a signed source independent of the machine being scanned.  Patch validation that is performed using file version data stored in the remote machine's registry cannot be relied upon to provide valid results. |
|Data file anti-spoofing protection |The MSSecure XML file is parsed only if obtained from a valid, specifically signed CAB file or SSL location. |
|Trojan protection |All files are digitally validated prior to patch deployment. |

How it Works

Scanning engine overview

The HFNetChkPro 4 application is built upon the industry leading HFNetChk.exe engine developed for Microsoft by Shavlik Technologies.  The HFNetChkPro engine performs Microsoft security patch assessment against Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, as well as common system components and server applications such as Exchange Server and SQL Server.

The HFNetChkPro engine uses an Extensible Markup Language (XML) file that contains information about which Microsoft security hotfixes are available for each product. The XML file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:

• files in each hotfix package and their file versions and checksums,

• registry keys that were applied by the hotfix installation package,

• information about which patches supersede which other patches,

• related Microsoft Knowledge Base article numbers,

• third party analysis of the threat posed by a patch's vulnerability,

• links to additional information from Bugtraq (BugtraqID) and cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by (CVEID) and much more.

The XML file, called MSSecure.xml, was created and is hosted by Shavlik Technologies.

When you run HFNetChkPro 4 (without specifying advanced file input options), the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file -- a digitally signed .cab file -- is available on the Shavlik web site in compressed form.  HFNetChkPro 4 downloads the CAB file, verifies its digital signature, and then decompresses the CAB file to your local computer. Note that a CAB file is a compressed file that is similar to a ZIP file. If the CAB file is not located or cannot be downloaded, HFNetChkPro 4 will attempt to download an uncompressed copy of this file from the Shavlik website via SSL (https).

After the CAB file is decompressed, HFNetChkPro 4 scans your computer (or the selected computers) to determine the operating system, service packs, and programs that you are running. HFNetChkPro 4 then parses the XML file and identifies security patches that are available for your combination of installed software. Patches that are available for your computer but are not currently installed on your computer are displayed as [pic] in the resulting output. In the default configuration, HFNetChkPro 4 output displays only those patches that are necessary to bring your computer up to date. HFNetChkPro 4 recognizes roll-up packages and does not display those patches that are superseded by later patches.

Enumerating machines

When scanning by domain name, HFNetChkPro does several things to enumerate the machines in the domain:

• If the scan is being run as an administrative user with appropriate permissions, HFNetChkPro attempts to contact the domain controller and enumerate its list of machine accounts.

• Machines are also enumerated from the network browse list, which is the same list of machines seen on a per-domain basis when viewing Network Neighborhood, similar to the output of 'net view /domain:domainname'.  No special permissions are required to enumerate machine names this way, as HFNetChkPro uses UDP port 137 (NetBIOS name service) to enumerate the browse list.  If the scanning machine has just been connected to the network, it may take up to 15 minutes for the machine to synchronize with the browse master and for this list to become available to the scanning machine.  The list that is returned represents machines that are currently online or have been online within the last 15 minutes.  Machines that are 'hidden' via registry modifications won't appear, as they don't propagate their machine names to the network browse list.  If the scanning machine doesn't have access to the browse list, or the machines are behind filtering devices where the browse list isn't updated, no machines will appear.

Determining patch status

HFNetChkPro 4 performs a detailed analysis of each scanned machine to accurately determine its patch status.  Unlike other patch management systems, the HFNetChkPro engine goes far beyond the traditional patch detection mechanisms that rely solely on the presence of registry keys.

For HFNetChkPro 4 to determine if a specific patch is or is not installed on a given computer, three items are typically evaluated:

• the registry key that is installed by the patch,

• the file versions for all files installed by the patch, and

• the checksums for each file installed by the patch.

In the default QuickScan configuration, HFNetChkPro compares file versions from the MSSecure XML file to the file versions on the computer that is being scanned. If any of the file versions on the scanned computer are less than those stored in the XML file, the associated security patch is identified as not installed ([pic]) and the results are displayed on the screen.

In the FullScan configuration (or when creating a custom scan template), file checksums are evaluated in addition to file versions.

Specific details about why a patch is considered not installed are displayed in the HFNetChkPro output as 'Reason for Item.'

[pic]

File version and checksum analysis

In order for a system to 'pass' a given patch analysis for a patch that is applicable to the system, the file versions (and checksums if using FullScan) for all patch-related files must match what is stored in the MSSecure XML file.

• If the file version for a patch-related file is below what is expected (on the target system), the patch is considered not found, and both the file version found on the system and the file version expected (from the XML file) are displayed in the output with a 'Patch Missing' message.

• If 'View Notes and Warnings' is selected via a custom scan template and the file version of any file on the system is greater than expected, both the existing and the expected file versions are displayed along with a Warning message that the file on the system is more recent than expected. This may indicate the presence of a more recent non-security bulletin related hotfix, or the presence of a trojaned file.

• If the file version on the system matches what is expected, and the checksums of the file on the system and the checksum stored in the XML file are different, the patch is noted as 'Patch Missing'.  (Checksum analysis is automatically disabled when scanning a non-English language system, as the checksums for non-English language patches are different than those stored in the XML file.  A future version of the XML file will contain checksums for all patches in all languages.)

• Checksum analysis is performed by mapping the contents of the remote file to the scanning system where the checksum is recalculated and compared to what is expected per the MSSecure XML file.  As a result, checksum scans may take longer to complete than the default QuickScan.
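
The rules above, worked through as an added example (this is not HFNetChkPro code).  The class and function names, the file name, the version numbers and the use of SHA-256 as the checksum are assumptions made for illustration; treating a file that is absent from the target as 'Patch Missing' is also an assumption.

```python
import hashlib
from dataclasses import dataclass


def parse_version(text):
    """'5.0.2195.6601' -> (5, 0, 2195, 6601), padded to four parts."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def recalc_checksum(content):
    # Recomputed on the scanning machine from the file contents themselves,
    # never read from the file header or from the scanned machine.
    # SHA-256 is a stand-in; the guide does not name the algorithm.
    return hashlib.sha256(content).hexdigest()


@dataclass
class ExpectedFile:      # one patch file as described by the signed data file
    name: str
    version: str
    checksum: str


@dataclass
class FoundFile:         # what the scanner read from the target machine
    version: str
    content: bytes


def evaluate_patch(expected_files, found_files, full_scan=False,
                   english=True, show_warnings=False):
    """Return (status, reasons) for one patch on one machine."""
    # Checksums are compared only in a FullScan of an English-language system.
    use_checksums = full_scan and english
    missing = False
    reasons = []
    for exp in expected_files:
        found = found_files.get(exp.name)
        if found is None:                      # assumption: absent file = missing
            missing = True
            reasons.append(f"{exp.name}: not found, expected {exp.version}")
            continue
        have, want = parse_version(found.version), parse_version(exp.version)
        if have < want:
            missing = True
            reasons.append(
                f"{exp.name}: found {found.version}, expected {exp.version}")
        elif have > want:
            if show_warnings:                  # 'View Notes and Warnings'
                reasons.append(
                    f"Warning: {exp.name}: found {found.version} is more "
                    f"recent than expected {exp.version}")
        elif use_checksums and recalc_checksum(found.content) != exp.checksum:
            missing = True
            reasons.append(
                f"{exp.name}: checksum mismatch at version {exp.version}")
    return ("Patch Missing" if missing else "Patch Found"), reasons


# Constructed sample data: one patch that ships a single file.
GOOD = b"constructed contents of the patched file"
ALTERED = b"constructed contents of a modified file"
EXPECTED = [ExpectedFile("example.dll", "5.0.2195.6601", recalc_checksum(GOOD))]


def scan(version, content, **options):
    found = {"example.dll": FoundFile(version, content)}
    return evaluate_patch(EXPECTED, found, **options)


if __name__ == "__main__":
    cases = [
        ("old version, QuickScan", "5.0.2195.5400", GOOD, {}),
        ("altered file, QuickScan", "5.0.2195.6601", ALTERED, {}),
        ("altered file, FullScan", "5.0.2195.6601", ALTERED, {"full_scan": True}),
        ("altered file, FullScan, non-English", "5.0.2195.6601", ALTERED,
         {"full_scan": True, "english": False}),
        ("newer version, warnings on", "5.0.2195.7000", GOOD,
         {"show_warnings": True}),
    ]
    for label, version, content, options in cases:
        print(label, "->", scan(version, content, **options))
```

A file whose version matches but whose contents differ passes the version-only comparison and is caught only when checksums are evaluated.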

Determining patch supersedence

One of the benefits of HFNetChkPro is that it only shows you patches that are necessary for your machine to be up to date, and it doesn't show you earlier patches that have been superseded by later patches.

Many recent Microsoft security patches have been released as 'Cumulative Rollup' patches.  Rollup patches include all the previously released security patches for the given product as well as including fixes for the most recently announced issues.  A cumulative patch that completely encompasses an earlier patch is said to supersede the earlier patch.  (In order for a patch to be superseded, all the files in the earlier patch must be included in the later patch, all file versions must be revved higher than those in the earlier patch (or the file versions and checksums must be the same as the earlier patch), and associated functional registry keys must be included in the superseding patch.)

The most well known security rollup patches that have been released include the Windows NT 4.0 SP6a SRP announced in bulletin MS01-041 (Q299444) and the Windows 2000 post SP2 Security Rollup package (Q311401) announced in bulletin MS02-001.  In addition to these rollups, many of the recently released patches for Internet Explorer, Internet Information Services, and SQL Server have been released as rollups.

The MSSecure.xml file contains information on each of the superseded patches.  HFNetChkPro evaluates the patch supersedence codes to identify non-superseded patches that are applicable to each system being scanned.  Particular attention is paid to superseded patches that span Service Pack applicability.  As an example:

• Patch A is applicable to Windows 2000 Service Pack 1 (SP1)

• Patch B supersedes Patch A and is applicable to both Windows 2000 SP1 and SP2.

• Patch C supersedes Patch B and is applicable to Windows 2000 SP2.

HFNetChkPro correctly scans for the presence of Patch C on Windows 2000 SP2 machines, and for Patch B on Windows 2000 SP1 machines - even though Patch B is marked in the XML file as being superseded by Patch C.

Identifying explicitly installed patches

In order to identify that a patch has been explicitly installed, several criteria must be met.

• The patch must include a registry key that gets written to the machine on which it will be installed*, and this registry key must exist** in the MSSecure XML file.

• The registry key must exist on the system being scanned.

• All the files in the patch (as defined by the XML file) that were written to the remote system must be equal to or greater than the file versions recorded in the XML file.  If any of the file versions on the remote system are below what is expected, the patch is considered not installed even if the registry key is present.

*Several types of patches do not write registry keys to the system on which they're being installed, most notably SQL Server patches.  Since there is no explicit indication that the patch has been applied, it cannot be determined that the SQL patch (or similar) was specifically installed at any point in time.  To ensure that these systems are up to date, run a scan against the system and ensure that there are no SQL patches that appear as 'Patch Missing'.

**If HFNetChkPro 4 deploys the patch, it will write its own registry key to the remote system under HKLM\Software\Microsoft\Updates\Shavlik.  This data is encrypted to prevent tampering.  So, even if the patch doesn't normally write a registry key during deployment (SQL patches, Office patches, etc.), the HFNetChkPro 4 application will write a registry key that is then read by the scanner during the assessment phase.  The application can read that these patches are installed, what account was used to install the application, and when the patch was installed.  This information is displayed on the patch details panel and as a mouse-over on the 'Patch Found' text in the patch summary pane.

Identifying effectively installed patches

HFNetChkPro 4 can also scan for 'effectively installed patches'.  Patches become effectively installed when you install a single patch that supersedes other patches.  In these circumstances, the patches that are not installed but that have been superseded by the newer patch are considered effectively installed, since you have at least the expected file version or greater for each of the files.  For example, suppose you install a new Win2K SP2 machine, then install patch MS02-001.  This patch supersedes 20 earlier hotfixes for SP2, so while you've only 'installed' 1 patch, you've effectively installed 20 other patches.
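
The Patch A / Patch B / Patch C walk-through under 'Determining patch supersedence' and the effectively installed rule above, as an added example (not HFNetChkPro code).  The data model and function names are hypothetical, and supersedence is assumed to be transitive, which follows from the requirement that a superseding patch contain every file of the earlier one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    name: str
    applies_to: frozenset                 # service pack levels the patch targets
    supersedes: frozenset = frozenset()   # patches it directly supersedes


# Constructed catalog mirroring the Patch A / B / C example in the text.
CATALOG = {p.name: p for p in [
    Patch("Patch A", frozenset({"SP1"})),
    Patch("Patch B", frozenset({"SP1", "SP2"}), frozenset({"Patch A"})),
    Patch("Patch C", frozenset({"SP2"}), frozenset({"Patch B"})),
]}


def all_superseded_by(catalog, name):
    """Every patch that `name` supersedes, directly or through a chain."""
    seen = set()
    stack = list(catalog[name].supersedes)
    while stack:
        current = stack.pop()
        if current in seen or current not in catalog:
            continue
        seen.add(current)
        stack.extend(catalog[current].supersedes)
    return seen


def naive_patches_to_scan(catalog, service_pack):
    """Drops any patch marked superseded, ignoring service pack applicability."""
    superseded = set()
    for patch in catalog.values():
        superseded |= patch.supersedes
    return sorted(name for name, patch in catalog.items()
                  if service_pack in patch.applies_to and name not in superseded)


def patches_to_scan(catalog, service_pack):
    """A patch is dropped only if a patch applicable to this machine covers it."""
    applicable = {name for name, patch in catalog.items()
                  if service_pack in patch.applies_to}
    covered = set()
    for name in applicable:
        covered |= all_superseded_by(catalog, name)
    return sorted(applicable - covered)


def effectively_installed(catalog, installed):
    """Patches not installed themselves but superseded by an installed patch."""
    covered = set()
    for name in installed:
        covered |= all_superseded_by(catalog, name)
    return sorted(covered - set(installed))


if __name__ == "__main__":
    for sp in ("SP1", "SP2"):
        print(sp, "naive:", naive_patches_to_scan(CATALOG, sp),
              "SP-aware:", patches_to_scan(CATALOG, sp))
    print("Installing Patch C effectively installs:",
          effectively_installed(CATALOG, ["Patch C"]))
```

The naive filter reports nothing to check on an SP1 machine, because Patch B is marked superseded by a patch that cannot be installed there; the service-pack-aware version still scans for Patch B.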

Installation

Obtaining the software

HFNetChkPro 4 is available for download from the Shavlik download center.  The download center always has the most recent version of HFNetChkPro 4 that is available.  This page also includes information about the revision history for each version of HFNetChkPro 4.

HFNetChkPro 4 makes it easy for you to stay up-to-date with the latest release with AutoUpdate.  When you start HFNetChkPro 4, it automatically checks to see if a newer version is available and indicates so in the Status Messages window.  You can also check for updates by choosing Help > Check for Updates.

You can modify the AutoUpdate options by choosing the Tools > Options > AutoUpdate Options menu.

[pic]

Updates will also be included in future downloads of HFNetChkPro 4 from the Shavlik web site.

Installing the prerequisites

Automatic installation (English users only)

The prerequisites can be automatically installed for English users during the HFNetChkPro 4 installation.

Manual or non-English installation

If you prefer to download and install the pre-requisites yourself, or if you are running a non-English language system, you may download and install each of the prerequisites from the URLs below.

Windows Installer 2.0 for Windows 2000 and NT (included with Windows XP and Windows 2003 Server)

• English



• Other languages - choose language in drop-down list from link above

MDAC 2.8

• English



• Other languages - choose language in drop-down list from link above

MSXML 4.0 SP2 (Microsoft XML Core Services)

• English



• Other languages - choose language in drop-down list from link above

Microsoft XML Parser (MSXML) 3.0 SP4

• English



• Other languages - choose language in drop-down list from link above

Jet 4.0 SP8

• English

For Windows 2000:

For Windows XP:

For Windows 2003 Server:

• Other languages - choose language in drop-down list from link above

 

.NET Framework (Not required, but recommended to enable auto-updates. Install .NET Framework, then install .NET Framework Service Pack, if required)

• English

.NET Framework 1.0:  

Service Pack 2:  

or

 

.NET Framework 1.1:

 

• Other languages - choose language in drop-down list from link above

Performing a new installation

After downloading and executing the hf4install.exe program or inserting the CD, you are greeted with an installation screen indicating the status of the HFNetChkPro 4 prerequisites.

The screen below indicates that all of the prerequisites except one are installed.  Click the Install button to install the missing prerequisite.

[pic]

After the prerequisites have all been installed, the installation window reflects this fact.  To continue with the HFNetChkPro 4 installation, click the Install button.

[pic]

Before continuing the installation, you must agree to the terms of the license agreement.  Click Yes to indicate that you agree to the terms of the license.  If you do not agree, click No.

[pic]

The next screen asks you for customer information.  Enter your name and company name and click Next to continue with the installation.

[pic]

By default, HFNetChkPro 4 is installed in C:\Program Files\Shavlik Technologies\HFNetChkPro4\.  To change this location, click the Browse button and choose a new one.  When you are done, click Next.

[pic]

By default, HFNetChkPro 4 uses a folder name of 'Shavlik HFNetChkPro4'.  If you would like to change this name, type a new one.  When done, click Next.

[pic]

That is all that is needed to install HFNetChkPro 4.  The installer provides a status.

[pic]

Congratulations!  HFNetChkPro 4 is now successfully installed!

Running the Setup Wizard

When HFNetChkPro 4 is run for the first time, there are pieces of information that have to be gathered which will aid in quickly performing a successful scan.  The Setup Wizard can also be run at any time by choosing Tools > Setup Wizard.

The first screen is simply an information screen.

[pic]

The Setup Wizard now checks the proxy settings in Internet Explorer and conducts an internet connectivity test to determine whether or not further proxy server settings are necessary.  This next screen will only appear if HFNetChkPro is unable to access the internet with these settings.  If you are required to enter a username and password each time you launch your browser and browse the internet, please enter those credentials here.  The domain, proxy address and proxy port are not required.  These settings can be later modified by going to Tools > Options > Proxy Options.

You may test your settings by clicking Test or continuing by clicking Next.

[pic]

The next screen prompts you for your currently logged on user credentials.  HFNetChkPro will automatically enter your currently logged on username - all that is needed here is the associated password.  These credentials are not used for the normal scan process - they are used during the rescan process (after deployment).  The provided credentials in this window are supplied to the HFNetChkPro Service and are presented during a rescan operation for the purpose of patch validation - unless alternate credentials were provided using the Set Credentials function.  

These credentials can later be modified in Tools > Options > Deployment Options in the Currently Logged On User Credentials (CLOUC) section.

[pic]

If the machine on which HFNetChkPro is installed has multiple network adapters or has multiple IP addresses, it is necessary to choose the IP address which corresponds to the network that will be scanned.  Choose an appropriate IP address from the IP Address for PatchPush Tracker service drop-down menu.  If it is necessary to change this information later, you can do so by choosing Tools > Options > Deployment Options and changing the IP address in the IP Address used by PatchPush Tracker field.

[pic]

This completes the initial configuration of HFNetChkPro 4.

Getting Started

Registering HFNetChkPro 4

When HFNetChkPro 4 is initially downloaded and installed, it is the unregistered version of the program.  If you want to use HFNetChkPro to download and deploy patches on up to 10 machines and don't need complex reporting capabilities, you can continue to use this free version of the program by just registering it with and obtaining a registration key.  If you need to manage more systems or have more complex reporting needs, you need to purchase a Pro registration key.

To activate either HFNetChkPro or HFNetChkPro Limited Edition, simply install HFNetChkPro 4 and enter your license key.  If you've already downloaded and installed HFNetChkPro 4, you can enter the Pro License Key to turn your Limited Edition installation into a Pro installation.  This works even if you have previously activated HFNetChkPro with a Limited Edition key.

In either case, you will have obtained a registration key for the product from via email.  The registration key is a 25-character code that has to be entered to unlock the program.  To register the program, click the Enter License Key option under License Information on the main screen or go to Help > Enter License Key from the menu.

             [pic]                    [pic]

This will open up a registration wizard.  The first screen provides information on contacting Shavlik while the second screen asks you to enter your 25-character key code in sets of 5 characters.  You can type the key code in by hand, or you can paste the license key into the activation key window.  To paste in the key, highlight the 25 digit key on the email you received from Shavlik and press CTRL-C to copy this key to your clipboard. The activation applet will recognize that a key is in the clipboard and will prompt you as to whether or not you would like to use it.  Select 'Yes' to have the key pasted into the activation key window.

[pic]

Once you enter a valid key code, the Finish button will become available.  Clicking Finish validates your key code with Shavlik's servers.  After this process is complete, your copy of HFNetChkPro is registered and the License Information area on the main screen goes away.  If you need to enter a new license key, go to Help > Enter License Key.

If you are running offline and aren't connected to the Internet, you won't be able to get a validation key automatically.  Instead, it will prompt you to do a manual activation.  The Activation applet will create a text file that you can email to license@.  Shavlik will email back a file that you can install to register the activation.  

The keys allow for a limited number of installations.  When you put in the license key, it contacts a Shavlik web server to see if you have remaining installations left for the selected license key.  If activations are remaining, then the Shavlik server generates a validation key that is sent back to the HFNetChkPro console.  The validation key is stored in the registry and is specific to the hardware upon which it was installed.  If you uninstall the software, the validation key is not removed; that way it can be used again later if you re-install the application, without counting against your installation limit.

If you are using HFNetChkPro, Limited Edition and run out of installations, you can visit the Shavlik website and complete the registration form and request a new key which is good for another three installations.  If you are an HFNetChkPro customer and run out of installations, you can contact your salesperson to request more installations.

The number of installations you are allowed is written on the email that contains your Pro license key.  

The HFNetChkPro 4 Home Page

The HFNetChkPro 4 user interface, or Home Page, was designed with ultimate control and with user simplicity in mind.  View the screen shot below along with important navigation features highlighted to get a brief overview of the power of HFNetChkPro 4.

[pic]

|1 |The QuickLaunch area provides a one-click method for initiating a scan. |
| |[pic] |
| |Click Scan My Computer to immediately initiate a default scan of the local machine.  The latest scan files are automatically downloaded and the scan is started with no user intervention required. |
| |To specify options or to schedule the local scan for a different time click the Advanced option. |
| |[pic] |
| |Click Scan My Domain to immediately initiate a default scan of the local domain.  The latest scan files are automatically downloaded and the scan is started with no user intervention required. |
| |To specify options or to schedule the local scan for a different time click the Advanced option. |
| |[pic] |
| |To specify what computers, IP addresses, IP address ranges and domains will be scanned, click the Choose Computers to Scan option. |
| |A new window will be provided in which to provide the necessary information for scanning a select set of systems. |
|2 |This area provides information related to HFNetChkPro 4 including ways to get help and links to news. |
|3 |Status messages appear in this area of the user interface.  If there are updates available to HFNetChkPro, for example, a notification will appear here. |

|4 | |

|more information |Scans can be quickly initiated by choosing options from the Scan What box on the main screen. |

| | |

| |My Machine |

| |Click to bring up an interface which allows either a QuickScan or a FullScan of the local machine. |

| | |

| | |

| |My Domain |

| |Click to bring up an interface which allows either a QuickScan or a FullScan against the domain to which the |

| |local machine is joined. |

| | |

| | |

| |My Test Machines |

| |Performs a scan against a group of machines that represent a 'smaller' view of your actual network |

| |environment. |

| | |

| | |

| |Entire Network |

| |Performs a scan of all machine visible on the Microsoft Network. |

| | |

| | |

| |New Machine Group |

| |Create a custom group of machines.  This new group will be added to the Scan What box to enable quick |

| |launching of scans. |

| | |

| | |

| | |

|5 |[pic] |

|more information |Scans can be quickly initiated by choosing options from the Scan How box on the main screen. |

| | |

| |QuickScan |

| |Scans for missing and installed patches; ignores checksums.  The scan patch data is downloaded from |

| |xml.. |

| | |

| | |

| |FullScan |

| |Scans for missing and installed patches.  Uses the patch data file from xml. and evaluates file |

| |checksums during the scan.  Notes and warnings are displayed during the scan. |

| | |

| | |

| |To create a new scan template, click the New Scan Template option and follow the instructions. |

| | |

|6 |[pic] |

|more information |A patch group is a collection of patches that you wish to scan for and/or deploy.  A patch group can |

| |represent required or mandatory patches that have been approved for your organization.  To add a new group, |

| |click New Patch Group. |

| | |

|7 |[pic] |

|more information |A favorite is a collection of machines to scan and a choice of how to scan them.  To create a new favorite, |

| |click on New Favorite.  A favorite can include the local machine or any special group created in Scan What |

| |and the scan type can be either one of the two standard scans or a new custom scan template. |

| | |

|8 |[pic] |

|more information |A deployment template provides a way to save desired settings for patch deployment and have them quickly |

| |available for future deployments.  To view the settings for the Standard template, click Standard.  To create|

| |a new template, click New Deployment Template. |

| | |

|9 |[pic] |

| |Provides detailed information about patches for the various operating systems and applications scanned by |

| |HFNetChkPro.  Click All Patches to get the entire list of patches listed in the MSSecure XML file. |

| | |

| |To view patch information for specific versions of software, click the + sign to the left of the product. |

| | Each version -- Gold, SP1, etc -- has different patches associated with it.  While there is significant |

| |overlap, this information tree can help you to determine what patches are available for your particular |

| |system and allow you to view information on them.  To get more information on the patches, click the software|

| |package and version that you would like to work with.  The top right-hand window pane will provide a list of |

| |patches which you can click and use to view patches in detail. |

| | |

The HFNetChkPro 4 scanning interface

[pic]

|1 |This window provides a summary of the targets that were scanned during this session.  Click Summary by Patch to view a list of all patches associated with the scanned machines -- both installed and missing.  To get a machine summary, click on the name of a machine from the list in this window. |
|2 |This is another summary window.  When you have Summary by Patch or a machine selected in Pane #1, this window provides a list of patches associated with the selected item.  In this example, the system Win2K is selected.  Therefore, this pane shows all patches related to this system. |
| |If you have the scan or a domain selected in pane #1, this window provides a machine summary list instead. |
| |You can view the list of scanned machines by machine name or IP address.  To switch the view type, select 'View > Machines By...' from the menu bar. |
|3 |This section of the interface changes depending on what is selected above.  If a scan is selected, then this window reflects a scan summary.  If a machine is selected, this window presents a machine summary.  Finally, if a patch is selected, the patch details are shown in this window. |
|4 |Scans can be quickly initiated by choosing options from the Scan What box on the main screen. |
| |My Machine |
| |Click to bring up an interface which allows either a QuickScan or a FullScan of the local machine. |
| |My Domain |
| |Click to bring up an interface which allows either a QuickScan or a FullScan against the domain to which the local machine is joined. |
| |My Test Machines |
| |Performs a scan against a group of machines that represent a 'smaller' view of your actual network environment. |
| |Entire Network |
| |Performs a scan of all machines visible on the Microsoft Network. |
| |New Machine Group |
| |Create a custom group of machines.  This new group will be added to the Scan What box to enable quick launching of scans. |
|5 |[pic] |
| |Scans can be quickly initiated by choosing options from the Scan How box on the main screen. |
| |QuickScan |
| |Scans for missing and installed patches; ignores checksums.  The scan patch data is downloaded from xml.. |
| |FullScan |
| |Scans for missing and installed patches.  Uses the patch data file from xml. and evaluates file checksums during the scan.  Notes and warnings are displayed during the scan. |
| |To create a new scan template, click the New Scan Template option and follow the instructions. |
|6 |[pic] |
| |A patch group is a collection of patches that you wish to scan for and/or deploy.  A patch group can represent required or mandatory patches that have been approved for your organization.  To add a new group, click New Patch Group. |
|7 |[pic] |
| |A favorite is a collection of machines to scan and a choice of how to scan them.  To create a new favorite, click on New Favorite.  A favorite can include the local machine or any special group created in Scan What and the scan type can be either one of the two standard scans or a new scan template. |
|8 |[pic] |
| |Any scans that you have performed today will be available in Today's Scans.  To open up the results of a scan from earlier today, just click it and the scan summary window will be presented.  Scans performed on prior days will be displayed in the Recent Items section (see 11 below). |
|9 |[pic] |
| |Any deployments that you have performed today will be available in Today's Deployments.  To open up the results of a deployment from earlier today, just click it and the deployment summary window will be presented.  Deployments performed on prior days will be displayed in the Recent Items section (see 11 below). |
|10 |[pic] |
| |A deployment template provides a way to save desired settings for patch deployment and have them quickly available for future deployments.  To view the settings for the Standard template, click Standard.  To create a new template, click New Deployment Template. |
|11 |[pic] |
| |Recent Items shows you a list of recent patch scans and deployments.  Clicking on a selection will open the results of the selected item.  After 15 days, items in this window are moved to an archive window (the number of days is configurable via Tools > Options > Application Options > Display.) |
|12 |[pic] |
| |Provides detailed information about patches for the various operating systems and applications scanned by HFNetChkPro.  Click All Patches to get the entire list of patches listed in the MSSecure XML file. |
| |To view patch information for specific versions of software, click the + sign to the left of the product.  Each version -- Gold, SP1, etc -- has different patches associated with it.  While there is significant overlap, this information tree can help you to determine what patches are available for your particular system and allow you to view information on them.  To get more information on the patches, click the software package and version that you would like to work with.  The top right-hand window pane will provide a list of patches which you can click and use to view patches in detail. |
|13 |Status messages appear in this area of the user interface.  If there are updates available to HFNetChkPro, for example, a notification will appear here. |

Performing Patch Scans

Scanning prerequisites

The following criteria must be met to ensure a successful scan:

When scanning your local machine

• You must be an administrator on your local machine

• The machine must be capable of obtaining the patch database XML file, either from a location on the Internet (via http or https) or from another specified location (either on the local machine or from a specified network location.)

• The local machine’s Workstation service must be started.

(NOTE: The Server service is not required to be started on the local machine.)

When scanning a remote machine you must meet all the requirements for the local scan above, plus

• You must have local administrative rights on the remote machine and be able to logon to this machine from the workstation performing the scan.

• File and Print Sharing must be enabled

• The NetBIOS (TCP 139) or Direct Host (TCP 445) ports must be accessible on the remote machine.

• The remote machine must be running the Server service.

(NOTE: the Workstation service is not required to be started on the remote machine.)

• The remote machine must be running the Remote Registry service.

• The %systemroot% share (usually C$ or similar) must be accessible on the remote machine

If you have disabled the Server Service or have unshared the %systemroot% share on the remote machine, please see Shavlik's technical white-paper that discusses scanning via IPSec port filters.
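
The remote-scan prerequisites listed above can be verified from the scanning console before a scan is scheduled. The following is an added example, not part of the HFNetChkPro guide or of Shavlik's tooling; it assumes Windows PowerShell 5.1, a hypothetical function name (Test-RemoteScanPrerequisite), and that the administrative share is named C$.

```powershell
# Added example, not part of the HFNetChkPro guide. Checks the remote-scan
# prerequisites from the scanning console, using the current logon credentials.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not in PowerShell 7).
function Test-RemoteScanPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ComputerName,

        # Assumption: the system drive is shared as C$ ("usually C$ or similar").
        [string]$AdminShare = 'C$',

        [int]$TimeoutMs = 2000
    )
    process {
        $r = [ordered]@{ ComputerName = $ComputerName }

        # Local side: administrator token and a running Workstation service.
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        $r.LocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        $r.LocalWorkstationSvc = (Get-Service -Name LanmanWorkstation).Status -eq 'Running'

        # NetBIOS session (TCP 139) or Direct Host (TCP 445): one of them must answer.
        foreach ($port in 139, 445) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                $pending = $client.BeginConnect($ComputerName, $port, $null, $null)
                $open = $pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
            } catch {
                $open = $false
            } finally {
                $client.Close()
            }
            $r["Tcp$port"] = $open
        }
        $r.SmbPortOpen = $r.Tcp139 -or $r.Tcp445

        # Server and Remote Registry services must be running on the target.
        foreach ($svc in 'LanmanServer', 'RemoteRegistry') {
            try {
                $s = Get-Service -ComputerName $ComputerName -Name $svc -ErrorAction Stop
                $r[$svc] = $s.Status -eq 'Running'
            } catch {
                $r[$svc] = $false
            }
        }

        # The remote registry must be readable with the current credentials.
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
            $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
            $r.RegistryReadable = $null -ne $key
            if ($key) { $key.Close() }
            $hklm.Close()
        } catch {
            $r.RegistryReadable = $false
        }

        # The administrative share must be reachable. Access denied (for example
        # when remote users are mapped to Guest) yields False rather than an error.
        $r.AdminShare = [System.IO.Directory]::Exists("\\$ComputerName\$AdminShare")

        $r.Ready = $r.LocalAdmin -and $r.LocalWorkstationSvc -and $r.SmbPortOpen -and
                   $r.LanmanServer -and $r.RemoteRegistry -and $r.RegistryReadable -and
                   $r.AdminShare
        [pscustomobject]$r
    }
}

# Usage (host names are constructed placeholders):
# 'SRV-EXAMPLE-01', 'SRV-EXAMPLE-02' | Test-RemoteScanPrerequisite | Format-Table -AutoSize
```

A target that reports Ready as False shows which individual prerequisite failed in its own column, so the failing service, port or share can be corrected before the scan is run.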

Special note regarding Windows XP and Simple File Sharing

When Simple File Sharing is enabled, remote administration and remote registry editing do not work as expected from a remote computer, and connections to administrative shares (such as C$) do not work, because all remote users authenticate as Guest.  Guest accounts do not have administrative privileges.

If you are running Windows XP Professional, go to the following Microsoft Knowledge Base article to learn more about this feature and how to disable Simple File Sharing:



If you are running Windows XP Home Edition, Simple File Sharing cannot be disabled (Microsoft states that it is as designed) so remote scanning will not work on this operating system.

QuickScan vs FullScan

QuickScan and FullScan are the default scanning templates provided with HFNetChkPro 4.  The primary differences between the two templates:

• A QuickScan will not evaluate file checksums whereas a FullScan will.  As a result, a QuickScan can be faster.

• A FullScan will display notes and warnings during the scan.

Neither of these scanning templates can be modified and they both provide the following:

• Use patch data file from xml.

• Allow the scanner engine to scan 64 machines simultaneously

• Report on all installed and missing bulletins

If these default templates are not adequate for your needs, you can create a new scan template.

Drag and drop scanning

You can very quickly and easily initiate a scan by dragging and dropping items from the Scan What, Scan How, Patch Groups, or Deployment Templates to their appropriate companion item.

For example, if you wanted to scan My Machine and wished to use QuickScan to do so, you could drag the My Machine icon from the sidebar onto the QuickScan icon or vice-versa.

Similarly, to scan a custom machine group using a pre-defined patch group, drag the desired machine group icon (or any Scan What item, for that matter) from the sidebar onto the desired patch group icon, or vice-versa.

Starting a scan this way brings up the scheduler window from which you can click Scan Now to begin the scanning process.

Run Scan dialog

When executing a patch scan, the user is presented with this dialog:

[pic]

There are three choices dictating when a scan will be run.  The first one, Run now, runs the scan as soon as the Scan Now button is clicked.  The second, Run once at, indicates that the scan will be run at the day and time selected.  Finally, Run recurring at, allows an administrator to regularly run patch scans at a specific time and using a specified recurrence pattern.  For example, using this option, a scan could be run every night at midnight, or every Saturday at 9 PM, every weekday at 11 PM, or at any other user selected time and interval.

Selecting Do not show this dialog again results in future scans running immediately, without asking you about scheduling the scan.  If you select this option and later want to re-enable the prompt, you can do so from Tools > Options > Scan Options by enabling "Show 'Run Now' dialog".

Selecting Auto-deploy patches after scan will extend the Run Scan window to allow choices to be made on how and when the patch deployment will occur.

[pic]

The Deploy How drop down box includes deployment template entries which can be used in conjunction with this scan.  A new deployment template can be created by clicking the New button.

Additionally, deployment can be scheduled to begin immediately after the scan by choosing Install Immediately or at a later day and time by choosing Schedule at.  

If you wish to copy the selected patch(es) to the remote machine (along with a deployment batch file) but do not wish to install the patches, you may choose the Copy patch(es) to the selected machine(s) but do not install option.  You may then execute the batch file yourself from the console of the remote machine(s).

PLEASE NOTE:  You may not select the Auto-deploy patches after scan option if either Run once at: or Run recurring at: is selected.  This behavior is by design.

When the desired options are selected, click the Scan Now button.

Scheduling a scan requires the administrator to create a Favorite which defines the template and machine group to scan.  The information required to create the new Favorite will be asked for after the Scan Now or Make Favorite button is clicked.  In addition, a scheduled task is created on the scanning machine which will launch the scan at the appointed day and time.  To view scheduled tasks, browse to Start > Control Panel > Scheduled Tasks on the machine receiving the deployment, or view the task scheduler remotely.

[pic]

Supplying credentials

Credentials consist of a user name and password pair used to authenticate to the machines that are scanned and to which patches are deployed.  By default, HFNetChkPro 4 uses your currently logged on credentials to automatically log in to and scan the target machine(s) and to copy and deploy patches.  If the currently logged in user's credentials do not have administrative rights on all of the target machines, you need to enter alternate credentials.  HFNetChkPro 4 will use these alternate credentials to automatically log in to the target machines.  In all cases, credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.

• If you enter Domain\User, HFNetChkPro 4 will use the domain account rights.

• If you enter \User, HFNetChkPro will use the target's local account rights.

• If you do not enter a machine or domain name, the scanner tries to use consolemachinename\user.  If this is not successful, it will next attempt to use remotemachinename\user.

• '.\username' will cause the scanner to prepend the remote machine's name to the username.

Assigning Credentials to Machines

You may assign credentials to individual machines and/or to machine groups.

Machine groups

To apply credentials to all machines in a machine group, open up the properties for the group.  Click the [pic] under Group Credentials to open up the Set Credentials dialog box.  Enter the appropriate credentials for the group and click OK.

[pic]    [pic]

For more information, see About Machine Groups.

Choose Computers to Scan

Credentials can also be supplied via the Choose Computers to Scan option on the home page of HFNetChkPro.  Click the name of the system, domain, IP address or IP address range and choose Set/Change Credentials from the shortcut menu.  The [pic] will change to [pic] when credentials have been applied.

[pic]

After the scan

The scanning interface

To apply different credentials to a specific machine, after a scan, right-click the machine name in the scan summary.

[pic]

In the Set Credentials window, supply credentials for an administrative user on the system.

Using the menu

Credentials can also be applied by using the main menu option Machines > Change Credentials with a machine selected in the machine summary.

Scan history

Even after a series of scans, all of the results of prior scans are just a click away.  If scans were performed today, an additional window will be opened up in the left hand section of HFNetChkPro 4 labeled Today's Scans.  If you hover your mouse pointer over an entry on this list, you will be provided with additional details on that scan as shown below.

[pic]

After the day is done, Today's Scans are moved to an archive called Recent Items which is in the left hand pane almost at the bottom.  In addition to scan jobs, Recent Items also maintains a list of recent deployments.

Additionally, you can get a complete list of available prior scans by choosing Tools > Manage Items.

[pic]

All of these entries also appear in Recent Items.  If you want to delete certain scan history, select the items you would like to remove and click Deleted Selected.  If you would like to remove all scan history, choose Delete All.

Scan Options Menu

Additional scanning options can be set from the Tools > Options > Scan Options menu.

[pic]

|Default Favorite |The Favorite you wish to set as the default when performing patch scans. |
|Default Scan Template |The Scan Template you wish to set as the default when performing patch scans. |
|Close status dialog after scan |Automatically closes the Scan Status dialog upon completion of a scan. |
|Show 'Run Now' dialog |Displays the Run Scan window after clicking Advanced on either Scan My Computer or Scan My Domain icons from the HFNetChkPro 4 home page. |
| |Selecting 'Do not show this dialog again' will disable the Run Scan window from appearing. |
|Automatically Import Patch Details during Scan |Whenever a scan is conducted, patch details will be imported from the patch data file. |
|Warn if using cached copy of patch data file. |A message will be displayed if HFNetChkPro 4 attempts to conduct a patch scan using a cached copy of the patch data file. |

Scanning Your Local Machine

Performing a QuickScan of the local machine

To immediately launch a scan of the local machine with no user intervention, click the Scan My Computer button on the home page or click the Scan My Computer menu bar icon   ([pic]).  This will bring up the Scan Status window.  During this process, the latest patch data files are automatically downloaded -- unless the administrator has modified the file download options -- and the machine is scanned after which a summary of the scan is provided.

[pic]

Running a FullScan of the local computer

To start a FullScan of the local computer, click My Machine in the Scan What box.  When the Machine Group dialog box opens, change the scan type to FullScan and click the Begin Scan button ([pic]).  If you need to apply credentials for a user with administrative rights, click the credentials icon ([pic]) and supply an appropriate user name and password.  See Supplying Credentials for more information.

[pic]

After clicking the Begin Scan button, the schedule window comes up.  This allows a scan to be Run Now, Run Once (at a specific time) or configured to Run Recurring.

To begin the FullScan, click the Scan Now button in the scheduling window.

Like a QuickScan, a FullScan first downloads the latest patch lists before running the scan.

TIP

You may drag and drop My Machine on top of FullScan to launch a FullScan of your local machine.

Scanning Machines on the Network

Performing domain scans

Scans can be automatically performed in a single step against all machines in the scanning machine's local domain, as long as the default credentials supplied are appropriate for all domain machines.

A domain scan will scan all of the machines in the same domain as the scanning machine and can be started in a number of ways.

• First, on the home page, you can click the Scan My Domain button.  This will immediately launch the scan.  To schedule the domain scan, click Advanced which will bring up the scheduling dialog box with My Domain as the scanning target and QuickScan as the scanning method.

• Second, you can click the Scan My Domain [pic] button on the menu bar.

• Third, you can select the My Domain machine group and click the Begin Scan icon.

During the domain scanning process, the latest patch data files are automatically downloaded -- unless the administrator has modified the file download options -- and the domain is scanned after which a summary of the scan is provided.  Throughout the scan, HFNetChkPro provides a status window to keep you apprised of any problems.

[pic]

Choosing computers to scan

HFNetChkPro 4 provides a quick way to include machines in a default QuickScan.  Click the Choose Computers to Scan button on the Home page to open options with a heading of 'What would you like to scan?' where you can add machines with a variety of criteria.

[pic]

|Add Computer |Type the name of a computer on the network that you would like to scan and click [pic]. |
|Add IP Address |Type the IP address of a machine on the network that you would like to scan and click [pic]. |
|Add IP Range |Type the starting and ending IP address of a range of IP addresses for machines that you would like to scan and click [pic]. |
|Add Domain |Entering the name of a domain will allow you to scan all of the machines that are members of that domain.  Click [pic] after entering the domain name. |

After entering information about the machines that you would like to scan, the machine list in the center of this section might look like the sample below.



If you would like to remove an entry from this list, click on it and choose Remove Item from the menu.

• If you would like to set or change the credentials for a particular entry, click the entry, choose Set/Change Credentials and provide an appropriate user name and password.  If credentials are set for an entry, the [pic] will appear as [pic] instead.

• To remove credentials from an entry, click on it and choose Remove Credentials.  You are not prompted to verify your selection.

After making your selections, you can create a machine group from them by clicking the Advanced Selections option and providing a machine group name and description.

To begin the scan using the default scan template, click the Begin Scan button.  If you would like to use a different scan template or would like to schedule this scan, click the Advanced Scan Options selection instead.

Machine Groups

About machine groups

HFNetChkPro 4 uses machine groups to keep track of the machines that are included in a particular scan.  Even the local machine My Machine is considered a scan group.  Among the default scan groups are:

|My Machine |This group includes only the local machine. |
|My Domain |Includes all of the machines that are a part of the domain to which the scanning computer is joined. |
|My Test Machines |A group of machines that represent a 'smaller' view of your actual network environment.  A machine of each type that is typically scanned should be added to this group and used for testing purposes. |
|Entire Network |Includes all machines currently viewable in Network Neighborhood. |
|New Machine Group |Create a custom group of machines. |

To view the details of a machine group, click its title.  For example, here are the details of the My Machine entry.

[pic]

The details for every machine group share a few common elements:

• Every machine group detail screen includes the Begin Scan button and a drop down list with all of the available scanning templates.

• Each machine group includes the ability to provide common credentials for every machine in the group.  (Credentials assigned to individual items within the machine group will take precedence over the assigned Group Credentials.)  To change these credentials, click the Credentials icon [pic].  When credentials are applied, the icon appears as [pic].

• Under the name of the group at the right hand side of the window will always appear at least the three options shown in the figure above.

|Copy |Copy this machine group to a new group.  Clicking this button brings up the Create New Machine Group dialog box with a default name of "Copy of { name of group copied }" and the same description as the copied group.  After providing this information, you will be prompted to add machines to the new group. |
|Show All |For groups with multiple visible machines, shows all of the machines in the group.  Note that machines for the default machine groups My Machine and My Domain are never enumerated. |
|Hide All |Hides the machine names for this group. |

Creating machine groups

To create a new machine group, click New Machine Group from the Scan What box.  Alternatively, you can choose File > New Machine Group from the main menu.  This will bring up the Create New Machine Group dialog box as shown below.

[pic]

In this box, provide a descriptive name for the new machine group (for example, 'Win2K DCs') along with a comment (for example, 'Windows 2000 Domain Controller machines').  Click the Save button followed by the Close button to create the new group, or Cancel or Close to abort the operation.

TIP

You may select multiple machines from a scan result (press and hold CTRL key while selecting machines), right click and select Create Group to create a group of machines.

About the My Test Machines group

One hard lesson that many administrators have learned is the importance of testing patches and service packs before rolling them out to critical production systems.  Shavlik has anticipated this need and created a default group for you to use for this purpose.

You can use this group just like any other.  Simply add either lab machines or low priority production systems to it.  You should take care to make sure that you have a representative mix of machines in the group in order to cover the production systems on your network.

For instructions on adding machines to this group, see the following topics:

• Adding machines to a machine group by name

• Adding domains to a group

• Adding organizational units to a group

• Adding machines by IP address

• Linking files to a machine group

Configuring Machine Groups

Configuring machine groups

Configuring machine groups consists of adding new machines and removing old machines.  HFNetChkPro 4 provides significant flexibility in machine groups allowing you to add single machines, groups of machines, machines by IP address and even machines from file lists.

[pic]

At the top of the machine group configuration window is the title of the group with a number of options immediately underneath it.

|Copy |Make a copy of this machine group.  Choosing this option brings up the Create New Machine Group dialog box.  The name is predefined as "Copy of { machine group name }" and the description is copied, although both of these fields can be changed. |
|Delete |Deletes the selected machine group.  A window is presented asking you to verify the deletion. |
|Rename |Opens a window allowing you to specify a new name and description for the group. |
|Remove All Entities |Removes all machines that are assigned to the group.  A window is presented asking you to verify this selection when chosen. |
|Show All |Shows all of the members in the machine group. |
|Hide All |Hides all of the members of the machine group.  This results in just the headings for each subheading being presented. |

Adding machines to a machine group by name

One of the ways that a machine can be added to a machine group is by machine name.  Like most other tasks in HFNetChkPro 4, there are a multitude of different ways that you can provide the machine name information to be used.

[pic]

The first and quickest way to add a machine to a machine group is to type the name of the machine and click [pic]

|Browse Network |This opens up a separate window listing all of the contents of the Microsoft network with selection boxes next to each domain, workgroup and machine name.  Using the + and - signs at the left of each group, expand them to find machines you would like to add to the custom group and place a checkmark in the selection box. |
| |[pic] |
|Import From File |You can import a list of machine names from a specified text file.  Machine names can also be dynamically linked to a text file rather than imported. |
|Remove All Machines |Select this option to remove all of the machines from a group. |

When machines have been added by name, individual machines have been chosen from the network browser or names have been added from a file, the new entries will show up in this section.

[pic]

Clicking the [pic] will immediately delete the entry while clicking the [pic] icon allows you to change the credentials for the selected machine.  When credentials have been applied to a particular machine, the icon shows as [pic].

Adding domains to a machine group

Another way that machines can be added to a machine group is by domain.  Adding a domain to a machine group will result in all of the machines in the domain automatically being a part of the group by virtue of their domain membership.

[pic]

The first and quickest way to add a domain to a machine group is to type the name of the domain and click [pic].

|Browse network |This opens up a separate window listing all of the contents of the Microsoft network with selection boxes next to each domain, workgroup and machine name.  Using the + and - signs at the left of each group, expand them to find domains you would like to add to the custom group and place a checkmark in the selection box. [pic] |

|Import From File |You can import a list of domain names from a specified text file.  Domain names can also be dynamically linked to a text file rather than imported. |

|Remove All Machines |Select this option to remove all of the domains from a group. |

When domains have been added by name, individual domains have been chosen from the network browser or names have been added from a file, the new entries will show up in this section.

[pic]

Clicking the [pic] will immediately delete the entry while clicking the [pic] icon allows you to change the credentials for the selected machine.  When credentials have been applied to a particular machine, the icon shows as [pic].

Adding organization units to a machine group

Especially in larger networks, companies often split up Active Directory entities by creating multiple Organizational Units.  A machine group in HFNetChkPro 4 can be configured to include specific organizational units from Active Directory.  For example, you can create a machine group that includes all machines from the 'Sales' organizational unit if desired.

[pic]

The first and quickest way to add an organizational unit to a machine group is to type its name and click [pic].  An OU is added in full LDAP format.  For example, to add the Sales OU from the domain , the format is 'example/ou=sales,dc=example,dc=com'.

If you select a parent OU, all children OUs will be included in the scan.

|Browse Active Directory |This opens up a separate window listing all of the contents of the Microsoft network with selection boxes next to each domain and workgroup.  Using the + and - signs at the left of each group, expand them to find organization units and/or individual machines you would like to add to the custom group and place a checkmark in the selection box.  To set credentials to use for browsing an Active Directory hierarchy on a remote domain, select the domain, click the Set Credentials button and enter a username and password with permissions to the remote domain. [pic] |

|Remove All Organizational Units |Select this option to remove all of the organization units from a group. |

When entries have been added to the organizational units section, they appear underneath the other information.

[pic]

Clicking the [pic] will immediately delete the entry while clicking the left-hand [pic] icon allows you to change the credentials for the selected organizational unit.  Clicking the right-hand [pic] allows you to specify credentials for browsing Active Directory.  When credentials have been applied, the icon shows as [pic].

Adding machines by IP address to a machine group

A third way that machines can be added to a machine group is by IP address.  There are two ways to add machines to a group in this manner.  The first is to add a single IP address and the second is to add a range of IP addresses.

[pic]

The first and quickest way to add a machine by IP to a machine group is to type the IP address of the machine and click [pic].  Likewise, if you want to add a range of IP addresses to the machine group, in the Add IP Range selection, enter the starting and the ending IP address in the desired range and click [pic].

|Import From File |You can import a list of IP addresses or IP ranges from a specified text file.  IP information can also be dynamically linked to a text file rather than imported.  IP ranges should include a dash between the beginning and ending IP address: 172.16.1.1-172.16.1.255 |

|Remove All IP Addresses/Remove All IP Ranges |Select this option to remove all of the IP addresses or IP ranges from the group. |

When machines have been added by IP address/IP range or added from a file of IP addresses, the new entries will show up in this section.

[pic]

Clicking the [pic] will immediately delete the entry while clicking the [pic] icon allows you to change the credentials for the selected IP address or IP address range.  If you apply credentials to an IP address range, they will be used for all machines in that range.  When credentials have been applied, the icon shows as [pic].

Linking files to a machine group

HFNetChkPro 4 also provides a dynamic mechanism for keeping a machine group current which is especially useful if your machine list changes from time to time and you want an easy way to update it.  Linking a file to a machine group is different than importing its contents.  Importing contents is a one-time operation after which the information from the file becomes a part of the machine group.

When you link files to a machine group, any changes that you make to the files are reflected upon the next scan.  In other words, if you add machines to and delete machines from a linked file between scans, any new machines added to the file will be scanned while any machines removed will not.

[pic]

|Link Machine File |Provide the name of a file containing machine names.  One machine name per line with a carriage return at the end. |

| |Sample: |

| |machine1 |

| |machine2 |

| |dc |

| |mail |

| |dbserver |

|Link Domain File |Provide the name of a file containing domain names.  One domain name per line with a carriage return at the end. |

| |Sample: |

| |example |

| |shavlik |

| |corp |

| |redmond |

| |dmz |

|Link IP Address File |Provide the name of a file containing IP addresses.  One IP address per line with a carriage return at the end. |

| |Sample: |

| |192.168.29.132 |

| |10.1.1.10 |

| |172.16.1.5 |

|Link IP Range File |Provide the name of a file containing IP ranges.  IP ranges in the format of x.x.x.x-y.y.y.y are acceptable.  One per line with a carriage return at the end. |

| |Sample: |

| |192.168.29.1-192.168.29.5 |

| |172.16.2.20-172.16.2.99 |

|Remove All Linked Files |Removes all linked files associated with this group. |

Once files have been added, they appear in this section similar to the screen below.

[pic]

Clicking the [pic] will immediately delete the entry while clicking the [pic] icon allows you to change the credentials for the selected file.  If you apply credentials to a file, they will be used for all machines or IP addresses in that file.  When credentials have been applied, the icon shows as [pic].
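Because a linked file is re-read at every scan and credentials applied to it are used for every entry in it, it is worth checking the file before the next scan picks it up. The following Python linter is an added example, not part of HFNetChkPro or of this guide: it validates the four linked-file formats described above, counts the addresses the ranges cover, and reports what changed against a reviewed baseline. The function names, the one-name-per-line check and the sample data are assumptions made for this example.

```python
import ipaddress

KINDS = ("machine", "domain", "ip", "range")


def parse_range(entry):
    """Parse 'x.x.x.x-y.y.y.y' into (start, end); raise ValueError if malformed."""
    start_text, dash, end_text = entry.partition("-")
    if not dash:
        raise ValueError("missing '-' between start and end address")
    start = ipaddress.IPv4Address(start_text.strip())
    end = ipaddress.IPv4Address(end_text.strip())
    if start > end:
        raise ValueError("start address is greater than end address")
    return start, end


def parse_linked_file(text, kind):
    """Return (entries, problems) for the text of one linked file.

    entries  -- normalized, de-duplicated entries in file order
    problems -- (line_number, raw_entry, reason) for every rejected line
    """
    if kind not in KINDS:
        raise ValueError(f"unknown linked-file kind: {kind!r}")
    entries, problems, seen = [], [], set()
    # splitlines() accepts CR, LF and CRLF line endings alike.
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            if kind == "ip":
                normalized = str(ipaddress.IPv4Address(entry))
            elif kind == "range":
                start, end = parse_range(entry)
                normalized = f"{start}-{end}"
            else:
                # Assumption: a name never contains whitespace or commas, so
                # either one means several names were put on a single line.
                if "," in entry or len(entry.split()) > 1:
                    raise ValueError("more than one name on the line")
                normalized = entry.lower()
        except ValueError as error:
            problems.append((number, entry, str(error)))
            continue
        if normalized in seen:
            problems.append((number, entry, "duplicate entry"))
            continue
        seen.add(normalized)
        entries.append(normalized)
    return entries, problems


def addresses_covered(range_entries):
    """Count the distinct addresses covered by the ranges, merging overlaps."""
    spans = sorted((int(s), int(e)) for s, e in map(parse_range, range_entries))
    total, cur_start, cur_end = 0, None, None
    for start, end in spans:
        if cur_end is None or start > cur_end + 1:
            if cur_end is not None:
                total += cur_end - cur_start + 1
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start + 1
    return total


def scope_change(baseline_text, current_text, kind):
    """Return (added, removed) entries relative to a reviewed baseline copy."""
    old, _ = parse_linked_file(baseline_text, kind)
    new, _ = parse_linked_file(current_text, kind)
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


# Constructed sample input, built from the sample entries shown above plus
# deliberately broken lines (overlap, reversed range, missing dash, duplicate).
SAMPLE_RANGES = ("192.168.29.1-192.168.29.5\r\n172.16.2.20-172.16.2.99\r\n"
                 "172.16.2.90-172.16.2.120\r\n10.0.0.9-10.0.0.1\r\n"
                 "172.16.1.1 172.16.1.255\r\n")
SAMPLE_IPS = "192.168.29.132\n10.1.1.10\n172.16.1.5\n10.1.1.10\n10.1.1.300\n"
BASELINE_MACHINES = "machine1\r\nmachine2\r\ndc\r\nmail\r\ndbserver\r\n"
CURRENT_MACHINES = "machine1\r\nDC\r\nmail\r\ndbserver\r\nkiosk7\r\n"

if __name__ == "__main__":
    ranges, range_problems = parse_linked_file(SAMPLE_RANGES, "range")
    print("ranges accepted:", ranges)
    print("addresses covered:", addresses_covered(ranges))
    for number, entry, reason in range_problems:
        print(f"line {number}: {entry!r}: {reason}")
    print("scope change:", scope_change(BASELINE_MACHINES, CURRENT_MACHINES, "machine"))
```

Keeping the reviewed baseline copy somewhere the linked file's writers cannot modify is what makes the scope comparison meaningful.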

Scan Templates

About scan templates

HFNetChkPro 4 comes with two standard templates: QuickScan and FullScan.  While good for most scanning activities, some administrators desire a higher level of flexibility when scanning machines.  To this end, HFNetChkPro includes the ability to create any number of custom scan templates granting the administrator the means to completely customize the way that machines are scanned.

Scan templates include information on:

• The location of the XML data file;

• Whether or not checksums will be evaluated;

• The ability to enable or disable warnings and notes;

• An option to scan a smaller or larger number of machines simultaneously;

• The option to create log files;

• The ability to customize what is actually scanned for or ignored;

• Patch filters;

• The ability to associate a deployment template with the scan template for automatic deployment.

Creating a scan template

To create a new scan template, click the New Scan Template option on the Scan How menu.  This will open up a window containing most of the available scan template options.

[pic]

|Name |The name that you wish to assign to this scan template. |

|Comment |A description of the template. |

|Scanner settings |Where does the XML data file reside?  You can choose to use the default MSSecure XML data file downloaded from Shavlik during the scanning process or you can point the scanning engine to a local copy of this file residing on your local machine or a mapped network drive, a UNC location, or an HTTP path.  To select a location, click the selection box to the right of the entry field. |

|Use checksums |Instructs the scanning engine to compare checksums of files on the scanned systems to checksums listed in the patch database file (mssecure.xml).  Checksums are not evaluated when scanning non-English language systems. |

|View warnings |View any warnings that are generated during the scanning process. |

|View notes and warnings |View both any notes and any warnings that are generated during the scanning process. |

|Create scanner log files |Create a log file for the scanning process.  This is especially useful if you are running into a problem and need to contact Shavlik for support. |

|Simultaneous machines scanned |HFNetChkPro 4 can scan up to 64 machines at a time.  The more machines that are scanned, the more network resources that are required.  Reduce this number if scanning over a slow link. |

|Scan for |During the scanning process, you can choose to scan for just missing patches or for both missing and installed patches.  When scanning for both missing and installed patches, you can include effectively installed patches in the results. |

|Filter Patches |When you select the Filter Patches option, the Scan Template dialog box is extended with a number of options allowing you to filter patches based on a number of criteria. [pic] |

| |Scan specified: Indicates that the scanner should include just the following criteria. |

| |Skip specified: Indicates that the scanner should not include the following criteria. |

| |Criticality: What user assigned criticality level -- Ignore, Low, Medium, High, Critical -- should the scanner either skip or include. |

| |File: Scan for or ignore the patches specified by a carriage return delimited list of Qnumbers. |

| |Patch groups: Either scan for or skip the patches listed in the specified patch groups. |

| |Product types: Scan for or skip patches for the selected products. |

|Automatically deploy with |Allows you to select a deployment template to use to automatically deploy the patches associated with this scan template.  PLEASE NOTE:  If a scan template is configured to use an automatic deployment and that scan template is used in a scheduled scan, then the automatic deployment will not occur.  This is expected behavior. |

Once you have made your selections for this scan template, click the Save and Close buttons to save it.  Click just the Cancel or Close buttons to close the window without making any changes.

Working with a scan template

Custom scan templates show up under the New Scan Template selection in the Scan How box as shown in the picture to the right.  When a template is selected from the Scan How box, the details for it are shown in the right hand pane of the window.

For example, if there is a scan template named 'Sample scan template', it might look something like the following in the right hand pane:

[pic]

There are a few operations that can be performed from this screen:

|Make this my default template |Selecting this option will use the currently selected template as the default. |

|Edit |Choosing Edit opens up the scan template dialog box and allows you to make changes to it. |

|Copy |Copies the selected template.  This will open up the scan template dialog box with a name of 'Copy of { selected template name }' and with the same description and settings as the current template. |

|Delete |Deletes the current template. |

If you have created a Favorite and assigned this scan template to it, you will also be shown which Favorite or Favorites are using it.

Specifying a default scan template

To specify which scan template HFNetChkPro 4 should use as the default, you can do one of the following.

On the details for the scan template, click the option 'Make this my default scan template'.  Alternatively, you can right-click the template icon and choose the 'Make Default' option from the shortcut menu.  Finally, you can choose Tools > Options > Scan Options > General and specify the default scan template.

When you have identified a default template, the icon identifying the scan template changes slightly to include a green check mark [pic].  Additionally, this template will be used for all one-click scanning operations.

Patch Groups

About patch groups

HFNetChkPro 4 provides the capability to just scan for the patches that you are interested in.  For example, suppose Company A has a patch approval process under which they've certified four patches as being mandatory for their organization.  They want to scan just for those four, receive compliance reports, and then be able to patch for those specific items.  By creating a patch group, they can then scan for only those selected patches.

Suppose patch 03-013 is a critical patch for your organization.  You can create a patch group with just this patch.  When you create the group, you can browse patches from the list and select a product and service pack and then a patch.  HFNetChkPro 4 will scan for all instances of that QNumber, not just for the product and SP that you select.  You can drag and drop the patch group on top of a machine group, and a scan will be done just for the selected patch (03-013).  Note: When HFNetChkPro 4 scans for selected patches, it always scans for all service packs and reports on the status of all service packs, even though you selected to scan only for a selected patch.

Creating a patch group

There are a couple of ways to create patch groups.  The first and most obvious way is to click the New Patch Group selection under Patch Groups at the left side of the console.  This will present the patch group configuration dialog box.  This dialog box asks for a name for the new patch group, requests a list of the patches to assign to the group and for a comment.

[pic]

|Name |The name that you would like to assign to this patch group |

|Selected Patches |To add patches to this group, click the Browse button.  As shown to the left, this will bring up a window listing all of the patches that are currently available.  To assign patches to the group, browse through the list and place a check in the box next to each patch you would like to include.  This list can be sorted by either Bulletin ID or QNumber.  When done, click the OK button. |

|Comment |A comment related to this patch group |

When you are done, click Save and Close.

Alternate patch group creation method

After you've done a regular scan and you are viewing a list of missing or installed patches, you can select multiple patches from the results by holding SHIFT/CTRL and selecting a few patches.  Right click and choose Make Patch Group.  You can then scan for the patches in the patch group and then generate compliance reports from the report function.

Working with patch groups

Once a patch group has been created, you can see what is inside it by choosing it from the Patch Groups box at the left side of the console.

[pic]

To add or remove patches from a patch group, double-click the patch group name.  This will launch the patch group configuration window.

To use a patch group in a desired scan template, select Filter Patches, pick either Scan Specified or Skip Specified and then select the patch group you made.

Finally, patch groups can be used in drag and drop scanning.

Creating Favorites

Creating favorites

A favorite is a collection of machines to scan and a choice of how to scan them.  To create a new favorite, click on New Favorite.  A favorite can include the local machine or any special group created in Scan What and the scan type can be either one of the two standard scans or a new scan template.

When new favorites have been created, they appear in the Favorite window under the New Favorite option.  A favorite consists of three required pieces of information:

• A Name which is defined when the New Favorite option is chosen.

• A Scan What entry.  This can consist of any combination of My Machine, My Domain, Entire Network or any group of machines that has been created using Scan What.

• A Scan How entry.  This can consist of one of QuickScan, FullScan, or a choice from the custom scan templates created using Scan How.

[pic]

Follow these steps to create a new favorite:

1. Give the favorite a unique name such as "Domain Controllers".

2. If desired, provide comments.  For example "This favorite consists of a machine group made up of only domain controllers using a FullScan".

3. If you would like to use this as the default favorite, put a check mark in the box next to Make this my default favorite.

4. In the Scan What box, select which machines you would like to include in this favorite.  If the desired group of machines is not on the list, click the New button to create a new machine group.  Multiple machine groups can be selected.

5. In the Scan How box, choose the type of scan that should be performed.

6. Click the Save button to save the new favorite.

A new entry will appear in the Favorites box on the home page underneath the New Favorite selection.

Interpreting Scan Results

Interpreting scan results:  the scan summary

The scan summary provides information such as the date of the scan, the version and date of the XML file containing the patch data, the scanning machine and the template that was used to perform it.

The bottom section of the summary provides some information on what was found during the scan.

|Scan Date |The date and time the scan was performed. |

|XML version used |The version of mssecure.xml that was used to perform the scan. |

|XML date |The date of the aforementioned file. |

|Scanned by |The name of the user that performed the scan. |

|Template used |The template that was used to perform the scan. |

|Machines scanned |The number of machines scanned.  When performing a local scan, this will always be 1. |

|Machines not scanned |The number of machines that were not scanned.  Machines may be skipped if they are turned off or there is something preventing the scan from being run. |

|Missing Service Packs |The total number of service packs missing among the scanned machines.|

|Missing Patches |The total number of patches missing among the scanned machines. |

|Patches Found |The total number of patches found among the scanned machines. |

Interpreting scan results:  the machine summary

HFNetChkPro 4 also provides a large amount of information in a variety of different ways.  At the top of the screen is a window with a list of computers from the selected scan with at-a-glance results of that scan.

Click on a column heading to sort the table by that information.

[pic]

This window shows the overview of what the scan found for each machine in the scan.  The overview shown above indicates that the computer named XP2 has 16 patches installed and is missing 1 service pack and 1 patch.  The machine named Win2K is missing 26 patches and 3 service packs while the machine named WINNT is missing 19 patches.

|[pic] |Shows how many patches from the patch list have been installed on the scanned system |

|[pic] |Shows how many non-superseded patches are missing from the scanned system |

|[pic] |Shows how many Service Packs are missing from the scanned system |

|[pic] |Shows the number of patches of Critical importance |

|[pic] |Shows the number of patches of High importance |

|[pic] |Shows the number of patches of Medium importance |

|[pic] |Shows the number of patches of Low importance |

|[pic] |Shows the number of patches that are being Ignored |

When a machine name is double-clicked in the machine list, a machine summary becomes available in the notification area.

[pic]

This summary provides detailed information on exactly which products are installed on the machine as well as the patch status for each of the products.

|Patches found |The number of patches that the scanning engine found already installed on the scanned system |

|Missing patches|The number of non-superseded patches deemed missing by the scanning engine |

|Missing Service Packs |The number of service packs deemed missing by the scanning engine |

Interpreting scan results:  the patch summary

To view patch details for a particular machine, double-click the machine name from the scan summary.  The Machine Summary window will change and show the patch summary from the scan.

[pic]

Click on a column heading to sort the patch summary by that information.

|Type |Identifies the type of notice |

| |[pic] Displays additional information about the scanned operating system or application.  Information about patches that cannot be scanned is displayed as an Informational Item. |

| |[pic] Denotes patches that are applicable to the scanned system but are not current on the system.  See the Reason for Item description in the patch details window to understand why the patch was considered not found. |

| |[pic] The patch listed on this line has been identified as a Missing Service Pack for the product listed in the Product column.  See the Reason for Item description in the patch details window to understand why the service pack was considered not found. |

| |[pic] While there is a patch available for this item, the scanning engine has determined that it has already been installed.  Note that this does not necessarily mean that the patch was installed by HFNetChkPro.  It may have been manually installed by an administrator or installed as a result of a visit to Windows Update. |

| |[pic] In order for Effectively Installed patches to be shown in the scan results, you must be using a custom scan template that includes the option to scan for both missing and installed patches.  An effectively installed status indicates that -- while the patch was not explicitly installed -- the information found on the scanned computer indicates that the vulnerability addressed by the patch has been corrected.  This can be due to another patch updating the same files, such as a superseding or rollup patch. |

|Item |Refers to the Microsoft Security Bulletin article that explains the patch |

|QNumber |Refers to the Microsoft Knowledge Base article that contains information about the patch |

|[pic] Microsoft severity level |Microsoft assigns one of four severity levels based on its perceived threat of the vulnerability related to the patch. |

| |[pic] Microsoft has deemed the problem associated with this patch to be Critical in nature. |

| |[pic] Microsoft considers the problem related to this patch Important to correct. |

| |[pic] The related vulnerability is of Moderate severity. |

| |[pic] While it poses a security risk, Microsoft deems that risk to be Low. |

|[pic] TruSecure threat level |Shavlik has teamed with TruSecure to provide third party assessment of the risk associated with a particular vulnerability as well as a determination if the threat is potentially exploited locally, over the network or if it is a combined threat that can be exploited either way. |

| |Note that the threat level determined by TruSecure does not always exactly match the severity level assigned by Microsoft.  First, whereas Microsoft has four levels of severity, TruSecure only uses three.  Second, at times, Microsoft may feel that a vulnerability is not as high a risk as TruSecure or vice-versa. |

| |[pic] TruSecure has deemed this to be a High level threat. |

| |[pic] TruSecure has deemed this to be a Medium level threat. |

| |[pic] TruSecure has deemed this to be a Low level threat. |

| |TruSecure also notifies the administrator of the locality of the threat.  This information can be found by holding the mouse button over one of the TruSecure threat level icons in the patch list. [pic] |

| |Combined Threat: The vulnerability can be exploited either by tasks performed at the server or against services on the server via the network. |

| |Local Threat: The vulnerability can be exploited only if specific steps are taken at the server. |

| |Net Threat: The vulnerability can be exploited against services on the server via the network. |

|[pic] Criticality |Criticality is the user supplied threat and severity level associated with a particular vulnerability.  While Microsoft and TruSecure can reasonably evaluate the general severity and threat posed by an unpatched vulnerability, even the most critical patches will not always warrant a sense of urgency in organizations in which the vulnerability poses little or no threat.  Therefore, HFNetChkPro provides a mechanism to allow the administrator to assign a custom level of criticality for each patch.  Criticality can be set manually by viewing patch details. |

| |[pic] Critical |

| |[pic] High |

| |[pic] Medium |

| |[pic] Low |

| |[pic] Ignore |

| |[pic] Criticality not set |

|[pic] Notes |When an icon appears in this column, it means that there are notes related to this patch.  These notes can either be viewed in the patch details or by holding the mouse over the icon.  These comments are provided by the security team at Shavlik Technologies. [pic] |

|[pic] Downloaded |If this icon is grayed out the patch has not yet been downloaded.  If it is green, the patch has already been downloaded and verified. |

|Deployment |If a patch deployment was made from this scan, then its deployment status is listed here.  This information will generally mirror what can be found in the PatchPush™ Tracker. |

|Product |Lists the product affected by the patch. |

|Description |Provides a brief description of the flaw. |

|Comment |HFNetChkPro provides the ability for an administrator to make comments about a patch.  If any have been made, they will show up in this column. |

Interpreting scan results: detailed patch information

HFNetChkPro 4 provides a large amount of information about every patch in order to allow administrators to make informed decisions about the applicability and severity of the patch.  To see the details of a patch, select the patch in the top window and view the results in the bottom window.

The Patch Info screen includes details about the patch installation status, including who installed the patch and when (if this information is available), a summary of the issue, Criticality and Severity information, and most importantly, a list of all the files that ship in the patch including the filename, file version, file date, file location, and checksum.  This is the information that is used to help determine the status of the patch on the remote machine.

[pic]

HFNetChkPro provides an abundance of information about patches.

|Status |Identifies the status of the patch on the selected machine. |

| |[pic] Displays additional information about the scanned operating system or application.  Information about patches that cannot be scanned is displayed as Informational Items. |

| |[pic] Denotes patches that are applicable to the scanned system but are not current on the system.  See the Reason for Item description in the patch details window to understand why the patch was considered not found. |

| |[pic] The patch listed has been identified as a Missing Service Pack for the product listed in the Product column.  See the Reason for Item description in the patch details window to understand why the service pack was considered not found. |

| |[pic] While there is a patch available for this item, the scanning engine has determined that it has already been installed.  Note that this does not necessarily mean that the patch was installed by HFNetChkPro.  It may have been manually installed by an administrator or installed as a result of a visit to Windows Update. |

| |If no machine is selected, this section will read 'Install Patch'. |

|Microsoft severity |Microsoft assigns one of four severity levels based on its perceived threat of the vulnerability related to the patch. |

| |[pic] Microsoft has deemed the problem associated with this patch to be Critical in nature. |

| |[pic] Microsoft considers the problem related to this patch Important to correct. |

| |[pic] The related vulnerability is of Moderate severity. |

| |[pic] While it poses a security risk, Microsoft deems that risk to be Low. |

|Criticality |Criticality is the user supplied threat and severity level associated with a particular vulnerability.  While Microsoft and TruSecure can reasonably evaluate the general threat posed by a patch, even the most critical patches will not always warrant a sense of urgency in organizations in which the vulnerability poses little or no threat.  Therefore, HFNetChkPro provides a mechanism to allow the administrator to assign a custom level of Criticality for each patch.  Criticality can be assigned by clicking Add and choosing one of the options from the shortcut menu that comes up.  If you assign a custom criticality to a patch, the flag color will change and the 'Add' text will now read 'Change'. |

| |[pic] Critical |

| |[pic] High |

| |[pic] Medium |

| |[pic] Low |

| |[pic] Ignore |

| |[pic] Criticality not set |

|CVEID |This is a link to the Common Vulnerabilities and Exposures web site with information on the associated patch.  Clicking the link will open up the CVE web site in your browser. |

|BugTraq ID |This is a link to the SecurityFocus web site with information on the associated patch.  Clicking the link will open up the SecurityFocus web site in your browser. |

|Patch download status |Before a patch has been downloaded, this reads 'Not Downloaded' as the status and provides a link that can be used to download the patch.  Clicking the link results in a dialog box indicating how much disk space is required by the patch along with the total available space on the scanning system and a question as to whether or not you wish to download the patch.  If you click Yes, the patch is downloaded and the text in this area changes to reflect the name of the patch with the day and time that it was downloaded and an option to delete the patch. |

|Comments |Provides an area for you to make comments about the patch.  To add or edit a comment, click Add/Edit Comment. |

|Description area |The patch description area provides the short name and a summary of the problem corrected by the patch.  This is particularly useful as it provides a single place to view patch information.  This area also provides a link to the Microsoft Security Bulletin article detailing the threat as well as the Knowledge Base article with more information about the flaw. |

| |When the TruSecure tab is selected at the bottom of the patch summary window, the summary is replaced by an analysis of the vulnerability by TruSecure. [pic] |

|Registry details |This displays the Registry key that may be written to the system when the patch is installed. |

|File details |This provides information about files that are modified by the patch. |

At the bottom of the patch details window are four tabs.  The first two -- Patch Info and TruSecure -- are detailed above.  The Missing tab lists the machines in the selected scan that do not have the patch installed and that are vulnerable, while the Installed tab lists the machines that do have the patch installed.

Missing patches

Patches are reported as missing when an affected file has a version that is lower than expected or has an invalid checksum.  Specific details about why a patch is considered not installed are displayed in the patch details of the scan results as 'Reason for Item.'

[pic]

However, if you have reason to believe that this item should not be displayed as Missing (i.e., this patch was previously deployed using HFNetChkPro), then you need to investigate the issue further.

Hiding Patch Items

The Hide Patch Item feature is available from the patch summary results.  This feature allows a user to hide a patch from the scan results for reporting purposes.

To enable, right-click the patch you wish to hide and select Hide Patch Item.  This will immediately hide the patch from the patch summary results.

This can also be accomplished by choosing Patches > Hide Patch Item from the menu bar.

To view hidden patch items, open the Tools > Options > Display Options > General menu and place a checkmark next to "Hidden Patch Items".

To return a hidden patch to normal display status, right-click the patch marked as hidden and un-check Hide Patch Item.

Downloading Patches

Downloading patches and service packs

HFNetChkPro automatically downloads necessary patches as part of the deployment process, removing the need to manually download them in advance.  However, HFNetChkPro provides the ability to download patches prior to deployment.  There are multiple ways to do this.

For the English language patches:

To download a single patch

• From the Patch Details screen, click the Download option.

• From the Patch Summary, right-click a patch and choose Download Patches > Selected.

• With a patch selected, from the main menu choose Patches > Download Patches > Selected.

To download multiple patches

• From the Patch Summary, select the desired patches and right-click a patch and choose Download Patches > Selected.

• With the desired patches selected, from the main menu choose Patches > Download Patches > Selected.

To download all patches

• From the Patch Summary, right-click a patch and choose Download Patches > All.

• From the main menu choose Patches > Download Patches > All.

To download service packs

• From the Patch Summary, right-click a patch and choose Download Patches > All Service Packs.

• From the main menu choose Patches > Download Patches > All Service Packs.

If you have trouble downloading a patch, try clearing your Internet Explorer cache files before attempting another download.

For international patches, please see About International Patches.

Download centers

HFNetChkPro supports multiple download centers where you can store patches.  Separate download centers are critical for international patch support.  However, there may be times when you want to use separate download centers for other reasons.

For example, if you use multiple servers to store patches, you can create download centers pointing to the patch location on each one.

To work with download centers, choose Tools > Options > Download Options.

[pic]

To create a new download center, click New and provide a name for the new center and the path at which its files will be located.  This path can be a UNC path or a drive letter path.

[pic]

Deploying Patches

Patch deployment overview

HFNetChkPro 4 allows local and remote patch deployment via a few simple mouse clicks.  The current solution for many network administrators is to use the HFNetChkPro command line version or a similar tool, diagnose the security state of each machine and then go to every machine, download the patches, and apply them individually.  This can be a tremendous time burden on an individual.  Remote deployment features greatly simplify this task and allow the network administrator to manage the vast majority of network security tasks directly from one management console.

Patch deployment prerequisites

In addition to the scanning prerequisites, the Windows Task Scheduler must be enabled on the machines being patched to ensure a successful deployment.

From Windows, click Start > Settings > Control Panel > Administrative Tools > Services and then right-click "Task Scheduler".

[pic]

Patch deployment security

Shavlik takes the security of patch deployment very seriously in HFNetChkPro.  To that end, a patch undergoes no less than three signature validation checks and is stored in a location on the remote machine with tight security permissions.  If any of the three signature checks fail, the patch will not be deployed.

When a patch is downloaded from Microsoft, it only appears with the green download icon if it is digitally signed by Microsoft.  If the download does not complete, or the file is not signed, then it is not shown as downloaded.  An error message might appear in the status window stating that a file was downloaded but wasn't signed.

During deployment, when a patch is copied to a remote system, the copy is not initiated unless the patch is signed.  This is to prevent someone from tampering with the copy of the patch stored in the download center.   Before a patch is pushed out, it is always checked for a valid signature to ensure you are getting a legitimate patch.

Once the patch is copied to the deployment target, it might sit for a period of time awaiting a scheduled deployment.  To prevent someone from tampering with the patch, the signature is checked again before deploying on that machine.  Additionally, the patch directory that HFNetChkPro creates on the remote machine has permissions set to LOCALSYSTEM and Local Administrators only, so other users will not be able to modify, add or remove files from the deployment directory.
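The two controls described above (patches must carry a valid Microsoft signature, and the deployment directory is writable only by Local System and local Administrators) can be audited independently of the product. The following PowerShell script is an added example, not HFNetChkPro code: it uses the standard Get-AuthenticodeSignature and Get-Acl cmdlets, the download center path is a hypothetical placeholder, and the deployment directory default is taken from the event log sample elsewhere in this guide.

```powershell
# Added example: audit patch files and the remote deployment directory.
# Both default paths are assumptions; pass your own.
param(
    [string]$DownloadCenter = 'D:\PatchDownloads',          # hypothetical download center
    [string]$DeployDir      = 'C:\WINNT\ShavlikProPatches'  # directory name seen in the guide's event log
)

function Test-PatchSignature {
    # Returns the Authenticode verdict for one file.
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status    # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $subject
        # Heuristic: the chain validates AND the subject names Microsoft.
        Trusted = (($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation'))
    }
}

function Get-UnexpectedWriter {
    # Lists Allow ACEs that grant write-type rights to any identity other than
    # Local System (S-1-5-18) and the local Administrators group (S-1-5-32-544).
    param([Parameter(Mandatory = $true)][string]$Path)

    $allowedSids = 'S-1-5-18', 'S-1-5-32-544'
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Also catch ACEs stored as generic rights: GENERIC_ALL and GENERIC_WRITE.
    $mask = [int]$rights -bor 0x10000000 -bor 0x40000000

    (Get-Acl -Path $Path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        ($_.AccessControlType -eq 'Allow') -and
        (([int]$_.FileSystemRights -band $mask) -ne 0) -and
        ($allowedSids -notcontains $sid)
    }
}

# Report every executable in the download center that would fail the signature check.
if (Test-Path -Path $DownloadCenter) {
    Get-ChildItem -Path $DownloadCenter -Filter *.exe -File -Recurse |
        ForEach-Object { Test-PatchSignature -Path $_.FullName } |
        Where-Object { -not $_.Trusted } |
        Format-Table Status, Signer, File -AutoSize
}

# Report any identity besides SYSTEM/Administrators that can change the deployment directory.
if (Test-Path -Path $DeployDir) {
    Get-UnexpectedWriter -Path $DeployDir |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

No output from either section means every patch file validated and no unexpected identity holds write access.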

How HFNetChkPro 4 tracks deployment licenses

When a deployment is performed, HFNetChkPro 4 records the machine name in the database if it does not already exist.  From there, the number of remaining seats available for deployment is reduced by one for each deployment target.

You can easily find out how many licenses have been used by choosing Help > About.  The screen below indicates that this is a 50 machine license of which 2 licenses have been used.

[pic]

Testing the deployment

HFNetChkPro 4 includes the ability to perform a test deployment for any patches that are to be deployed.  This is especially useful for patch deployment that has been scheduled for a later time.  Testing the deployment allows the administrator to correct any potential problems in a deployment and make it less likely that a deployment will fail.

To test deployment for a patch, a group of patches or patches to a number of machines, make the appropriate selections.  Then, rather than choosing Deploy, choose Test Deploy.  This can be accomplished by right-clicking a patch and choosing Deploy > Test Deploy or by choosing Patches > Deploy > Test Deploy from the main menu.

If you are test deploying to all scanned machines or to all scanned members of a domain, the menu choices made should take that into consideration.  For example, if you are choosing to test deploy to all scanned machines, the menu option would read Patches > Deploy Patches to 'Scan Machines'... > Test deploy.

A test deploy returns either a pass or a fail depending on what it finds.  For example, if the Workstation or Scheduling services are not started in a particular machine, HFNetChkPro cannot deploy patches to it and a test deploy will return a failing result.

The sample results below show a passing grade for this particular test deployment.

Test Deployment

Good: Localhost is running the Workstation Service

Good: Localhost is running NetBios or Direct Host services enabled

********** Test 192.168.1.105 **********

Test 1) 192.168.1.105- Good: You are an administrator on this computer using specified credentials.

Test 2) 192.168.1.105- Good: remote computer is running Remote Registry Service

Test 3) 192.168.1.105- Good: remote computer is running Server Service

Test 4) 192.168.1.105- Good: remote computer is running Workstation Service

Test 5) 192.168.1.105- Good: remote computer is running NetBios or Direct Host services.

Test 6) 192.168.1.105- Good: You can access the remote registry on this computer

Test 7) 192.168.1.105- Good: You can access the remote computer's Workstation Information

Test 8) 192.168.1.105- Note: User(s) logged in on the remote computer:

>EXAMPLE\Administrator

Test 9) 192.168.1.105- Good: the Scheduler is running on the remote computer.

Test 10) 192.168.1.105- Good: created remote directory for copying test updates

Test 11) 192.168.1.105- Good: copied test update files

Test 12) 192.168.1.105- Good: remote task was succesfully scheduled.

Test 13) 192.168.1.105- Good: Scheduled test was succesfully executed

*****

192.168.1.105- Overall grade of Pass.  Patch installation is possible.

*****

Deployment configuration

[pic]

This dialog box indicates that the patches will be deployed to the selected machine using the standard deployment template.  If a different deployment template is desired, it can be chosen from the drop down list or a new deployment template can be created by clicking the New button.

The example above indicates that the patches will be deployed immediately, although you have the other options of just copying the patches to the selected machine or scheduling the deployment for a later date and time.

To schedule the deployment for a later time, select the Schedule at option and choose the date and time at which the patches should be installed.  The files will be copied immediately but the installation of the patches will not begin until the scheduled deployment time.  It is not necessary for the machine performing the scan to be available at the scheduled deployment time.

The Details button, which has been clicked in the example above, shows the details on exactly what is included in this deployment including a machine-by-machine list of which patches will be deployed.

To begin the deployment with the selected options, click the Deploy button.  To cancel it, click Cancel.

Monitoring the deployment

Throughout the deployment process, HFNetChkPro 4 provides status information to keep the administrator informed as to what is happening.  The first piece of status information presents itself immediately after the Deploy button is pressed from the Deployment Configuration window.

[pic]

This status window provides the administrator with an at-a-glance status concerning the patch download process.  Each patch has to be downloaded before it can be deployed.

Once all of the selected patches have been downloaded, the actual machine deployment begins.

[pic]

After the files are copied to the target machine(s), the PatchPush Tracker is launched.

[pic]

This second status window that is presented during deployment provides information about the actual deployment.

[pic]

The window above provides the administrator with a quick glance chart of the process for this particular deployment.  All of these options are customizable by creating and using different deployment templates.  In the example above, the deployment template used is the standard HFNetChkPro template and indicates that the remote machine should be rebooted after patch deployment with a maximum of 10 attempts with 60 seconds between attempts.

After the patches have been copied to the remote machine and the patch deployment has begun on that machine, you can click on the machine name on the deployment window to get more information about the status of the deployment.

[pic]

The window above shows the status of the deployment.  This sample indicates that two patches were successfully copied and scheduled on the machine named WINNT and that the current status is 'Executed - Pending Reboot'.  To get more current data on the status of the process, select Click to query remote log information.  This will query the remote log of the machine and provide more detailed information on patch status.

Event Log Messages

ID 8201 (Copy File) 3 Information Sun May 11 14:58:14 2003 Copy File \\192.168.1.107\C$\WINNT\ShavlikProPatches\Shavlik-4008\Q314147_NTE_SP6A_x86_ENU.exe.  

ID 8201 (Copy File) 3 Information Sun May 11 14:58:14 2003 Copy File \\192.168.1.107\C$\WINNT\ShavlikProPatches\Shavlik-4008\Q313829_NTE_SP6A_NAD_x86_ENU.exe.  

ID 8201 (Copy File) 3 Information Sun May 11 14:58:14 2003 Copy File \\192.168.1.107\C$\WINNT\ShavlikProPatches\Shavlik-4008\qchain.exe.  

ID 8201 (Copy File) 3 Information Sun May 11 14:58:14 2003 Copy File \\192.168.1.107\C$\WINNT\ShavlikProPatches\Shavlik-4008\Commandline4.exe.  

ID 8201 (Copy File) 3 Information Sun May 11 14:58:14 2003 Copy File \\192.168.1.107\C$\WINNT\ShavlikProPatches\Shavlik-4008\silent.exe.  

ID 8201 (Copy File) 3 Information Sun May 11 14:58:14 2003 Copy File \\192.168.1.107\C$\WINNT\ShavlikProPatches\Shavlik-4008\Shav.Deploy.2003.05.11.02.58.PM.81D226B75C644585B9331CAE00FBCC32.bat.  

ID 8197 (General) 3 Information Sun May 11 15:01:14 2003 Set PATHTOFIXES=C:\WINNT\ShavlikProPatches\Shavlik-4008".  

ID 8197 (General) 3 Information Sun May 11 15:01:21 2003 Execute (C:\WINNT\ShavlikProPatches\Shavlik-4008\qchain.exe).  

ID 8197 (General) 3 Information Sun May 11 15:01:21 2003 Rebooting machine.  

ID 8195 (Forced Reboot) 3 Information Sun May 11 15:01:21 2003 Forced Reboot for installation of patches.  

ID 8197 (General) 3 Information Sun May 11 15:01:22 2003 Finished with 'C:\WINNT\ShavlikProPatches\Shavlik-4008\Shav.Deploy.2003.05.11.02.58.PM.81D226B75C644585B9331CAE00FBCC32.bat'. Rename  
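The remote log above records each file copied to the deployment directory and each file executed from it, so the two can be cross-checked. The PowerShell below is an added example, not part of HFNetChkPro: it parses lines in the format shown above and reports any Execute entry that has no earlier Copy File entry. The sample lines are constructed from that format, and the last one is a constructed anomaly; the function names are hypothetical.

```powershell
# Constructed sample in the format of the event log messages above; the final
# Execute line is a constructed anomaly for a file that was never copied.
$sample = @'
ID 8201 (Copy File) 3 Information Sun May 11 14:58:14 2003 Copy File \\192.168.1.107\C$\WINNT\ShavlikProPatches\Shavlik-4008\qchain.exe.
ID 8201 (Copy File) 3 Information Sun May 11 14:58:14 2003 Copy File \\192.168.1.107\C$\WINNT\ShavlikProPatches\Shavlik-4008\silent.exe.
ID 8197 (General) 3 Information Sun May 11 15:01:21 2003 Execute (C:\WINNT\ShavlikProPatches\Shavlik-4008\qchain.exe).
ID 8197 (General) 3 Information Sun May 11 15:01:22 2003 Execute (C:\WINNT\ShavlikProPatches\Shavlik-4008\unexpected.exe).
'@ -split "`r?`n"

function ConvertFrom-DeployLog {
    # Turns raw log lines into objects; lines that do not match are skipped.
    param([string[]]$Line)

    $rx = '^ID (?<Id>\d+) \((?<Category>[^)]+)\) \d+ (?<Level>\w+) ' +
          '(?<When>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?<Message>.+?)\s*$'

    foreach ($l in $Line) {
        if ($l -match $rx) {
            $m    = $Matches
            $when = $m.When -replace ' +', ' '
            [pscustomobject]@{
                Id       = [int]$m.Id
                Category = $m.Category
                When     = [datetime]::ParseExact($when, 'ddd MMM d HH:mm:ss yyyy',
                               [cultureinfo]::InvariantCulture)
                Message  = $m.Message
            }
        }
    }
}

function Find-UncopiedExecution {
    # Reports Execute entries whose file has no Copy File entry, or whose
    # copy is logged later than the execution.
    param([object[]]$Record)

    $copied = @{}   # local path -> time of copy (keys compare case-insensitively)
    foreach ($r in $Record) {
        if ($r.Message -match '^Copy File \\\\[^\\]+\\(?<Drive>[A-Za-z])\$\\(?<Rest>.+?)\.?$') {
            # Map the admin-share UNC path (\\host\C$\...) to the local path (C:\...).
            $local = '{0}:\{1}' -f $Matches.Drive, $Matches.Rest
            $copied[$local] = $r.When
        }
        elseif ($r.Message -match '^Execute \((?<Path>.+)\)\.?$') {
            $path   = $Matches.Path
            $reason = if (-not $copied.ContainsKey($path)) {
                'no Copy File event'
            } elseif ($copied[$path] -gt $r.When) {
                'executed before copy'
            } else { $null }

            if ($reason) {
                [pscustomobject]@{ When = $r.When; Path = $path; Reason = $reason }
            }
        }
    }
}

Find-UncopiedExecution -Record (ConvertFrom-DeployLog -Line $sample) |
    Format-Table -AutoSize
```

Run against the constructed sample, only the unexpected.exe entry is reported; qchain.exe is accepted because its copy was logged first.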

Canceling a deployment

A patch deployment can be canceled by right-clicking the machine name in the deployment machine list and choosing Cancel Deployment from the shortcut menu.  The same can be reached from File > Cancel Deployment on the menu bar.

[pic]

You can also cancel a deployment via the PatchPush™ Tracker

[pic]

Deployment history

Even after a series of scans, all of the results of prior deployments are just a click away.  If deployments were performed today, an additional window will be opened up in the left hand section of HFNetChkPro 4 labeled Today's Deployments.  If you hover your mouse pointer over an entry on this list, you will be provided with additional details on that deployment as shown below.

[pic]

After the day is done, Today's Deployments are moved to an archive called Recent Items which is in the left hand pane almost at the bottom.  In addition to deployments, Recent Items also maintains a list of recent scans.

Additionally, you can get a complete list of available prior scans by choosing Tools > Manage Items.

[pic]

All of these entries also appear in Recent Items.  If you want to delete certain deployment history, select the items you would like to remove and click Delete Selected.  If you would like to remove all deployment history, choose Delete All.

How to Deploy

Deploying one or more patches

From the patch summary window after a scan, select the patches that you would like to deploy to the selected machine.  Multiple patches can be selected by holding down the CTRL key while selecting patches.  A contiguous group of patches can be selected by holding down the SHIFT key while selecting the starting and ending patch in the list.

Right-click one of the patches that is to be deployed and choose Deploy > Selected Patches from the shortcut menu

 

[pic]

OR

Choose Patches > Deploy > Selected Patches from the main menu.

This will launch the Deployment Configuration window if the "Show 'Run Now' dialog" option is selected in the deployment.  Otherwise the deployment will begin immediately using the Default Deployment template.

Deploying sets of patches

You can easily deploy sets of patches to machines.  To deploy all of the patches that are missing from a machine, right-click a patch and choose Deploy > All Missing Patches.  Any patches that do not show as "Patch Found" will be deployed to the selected machine.

[pic]

 

OR

 

Choose Patches > Deploy > All Missing Patches from the main menu.

This will launch the Deployment Configuration window if the "Show 'Run Now' dialog" option is selected in the deployment.  Otherwise the deployment will begin immediately using the Default Deployment template.

Deploying patches to selected machines

To deploy a patch to a select group of machines, first choose the desired patch.  You can do so from the 'Machine Summary' or from the 'Summary by Patch'.  Once selected, you can then open the 'Missing' tab from the Patch Info window and view a list of all machines from that scan missing the selected patch.  CTRL or SHIFT click the machines you wish to deploy this patch to, right-click and select Deploy by Machine > Selected Machines...  You can also perform the same operation by choosing Machines > Deploy by Machines > Selected Machines... from the menu bar.

[pic]

Deploying service packs

Service pack deployments are handled differently than patch deployments.  Since Microsoft recommends that a service pack be applied before all patches, HFNetChkPro will not allow you to deploy service packs and patches in the same deployment.  It is because of this behavior that when you select Deploy All Missing Patches, it literally means to deploy all missing patches; no service packs will be included with this operation.

Deploying to a single machine

To deploy the latest service pack to a single machine, select a machine from the scan results, right-click it and choose Deploy Patches to { machine name }... > Latest Service Pack....

[pic]

You can perform the same operation by choosing Machines > Deploy Patches to { machine name }... > Latest Service Pack... from the menu bar.

Deploying to a group of machines

To deploy a service pack to a group of machines, first select the desired service pack from either the 'Machine Summary' or the 'Summary by Patch', followed by clicking on the 'Missing' tab at the bottom of the Patch Info window.  CTRL or SHIFT select the machines you wish to deploy the selected service pack to, right-click and choose Deploy by Machine > Selected Machines.

[pic]

You can perform the same operation by choosing Machines > Deploy by Machine > Selected Machines... from the menu bar.

Deploying by criticality

Patches can also be deployed based on the need for the patch.  For example, a low impact patch might be applied over a weekend while a patch that addresses a critical security vulnerability might be deployed immediately.  To this end, HFNetChkPro 4 allows the administrator to deploy patches based on the user defined criticality.  Criticality for a patch can be set on the patch details screen.  

To deploy patches based on Criticality:

Right-click a patch and choose Deploy > Based on Criticality > { level of criticality for which to deploy }

[pic]

OR

 

Choose Patches > Based on Criticality > { level of criticality for which to deploy }

If deploying to all scanned machines or to all scanned members of a domain, the menu option would read Patches > Deploy Patches to 'Scan Machines'... > Based on Criticality > { level of criticality for which to deploy }

This will launch the Deployment Configuration window if the "Show 'Run Now' dialog" option is selected in the deployment.  Otherwise the deployment will begin immediately using the Default Deployment template.

Deploying patches to all members of a domain

Patches can be deployed to all members of a single domain.  Each domain is listed in the scan summary.  To initiate a deployment of all missing patches to all scanned members of a domain, right-click the name of the domain and choose Deploy Patches to '{Domain name} machines' > All Missing Patches.

[pic]

Alternatively, you can select the domain to which you would like to deploy patches and choose Patches > Deploy Patches to '{Domain name} machines' > All Missing Patches from the main menu.

This will launch the Deployment Configuration window if the "Show 'Run Now' dialog" option is selected in the deployment.  Otherwise the deployment will begin immediately using the Default Deployment template.

Deploying patches to all scanned machines

HFNetChkPro is not limited to deploying patches or sets of patches to a single machine at a time.  In fact, the program can be configured to deploy all missing patches to machines immediately after a scan is performed.  When performing domain scans, this can be especially useful as it provides a one-step update.  This option is selected when scheduling a domain scan.  Note that using the "Scan My Domain" button on the Home page does not provide the scheduling window.  However, clicking the Advanced button underneath it does.

Another way to patch all of the machines that were scanned with missing patches is to right-click the scan and choose Deploy Patches to 'Scan Machines'... > All Missing Patches.  Alternatively, you can select from the main menu Patches > Deploy Patches to 'Scan Machines'... > All Missing Patches.

[pic]

This will launch the Deployment Configuration window if the "Show 'Run Now' dialog" option is selected in the deployment.  Otherwise the deployment will begin immediately using the Default Deployment template.

Deployment Templates

About deployment templates

When deploying patches to a machine, HFNetChkPro 4 provides you with a number of different options such as whether the deployment target should be restarted after deployment, how fast the patches should be copied to the remote machine and much more.

Deployment templates include the following information:

• The speed to be used to copy the patches to the remote machine;

• The choice of whether to show a dialog box on the remote machine during deployment;

• How Microsoft Office patches should be deployed;

• What should take place before, during and after deployment;

• Options for rebooting deployment targets.

The Standard deployment template contains the deployment options recommended by Shavlik and includes the following parameters:

• Wait 10 seconds before patch copy retry.

• Do not show any dialog window on target machine during deployment execution.

• Office Install: Push patches to each machine

• Push full-file patches when possible

• Before Patch Execution....

• Do not shutdown SQL Server

• Do not shutdown IIS Server

• During Patch Execution....

• Backup files for uninstall

• Execute patches in 'Quiet Mode'

• After Deployment Execution....

• Do not remove temp deployment files

• Reboot target machines

• Reboot immediately after execution

• Do not warn connected machines before reboot

• Make 10 attempts to restart

• Wait 60 seconds between restart attempts

Creating a deployment template

To create a new deployment template, click the New Deployment Template option on the Deployment Templates menu.  This will open up a window containing the available deployment template options.

[pic]

|Name |The name you wish to assign to this deployment template |

|Description |The description of this deployment template |

|Copy speed |How quickly would you like patches copied to the remote machine.  1 is the slowest speed and 5 is the |

| |fastest.  The faster the copy speed, the more network bandwidth you use. |

|Retry period |If a patch copy fails, you can specify a pause between retries from 0 to 100 seconds. |

|Remote dialog |Creates a dialog box to be presented to the user logged into the deployment target while the deployment |

| |is active.  You can specify both the dialog box title and its caption here. |

|Office Deployment |Office patches are handled differently from other patches.  Office patches require the original CD media.|

| | This is because the patches are not complete files.  Instead, the patch represents only the differences |

| |required to modify the original file with the patched code. |

| | |

| |Administrative Installation Point |

| |Administrators can create an Office Administrative Install Point (AIP), and then install Office on client|

| |machines from this location.  Hotfixes can then be installed to the AIP, and the remote client machines |

| |can then be told to 'update' their installations from the AIP.  The update process really means |

| |re-installing all of Office on each machine - everything on the AIP will then get copied down to the |

| |remote machine.  The install point is technically nothing more than a network share of the requisite |

| |files, with special setup commands. |

| | |

| |In the Administrative Installation Point field, enter the full UNC path to the Office AIP MSI file.  For |

| |example, "\\officeserver\office\proplus.msi".  Press the Set Credentials button to provide credentials |

| |for the remote machine to access the UNC location. |

| | |

| |If you specify an AIP for Office patches, then when you choose to install any Office patches using this |

| |deployment template the machine being patched will synchronize with the specified Office AIP. |

| | |

| |Push patches to each machine |

| |Alternatively, you can choose to directly deploy patches to the remote Office clients.  When possible, |

| |you should elect to push full-file patches to the remote machines and specify a static location for |

| |Office media.  Otherwise, not all Office patches will be successfully deployed. |

| | |

| |Path to original installation media |

| |Specify a UNC path to the original installation media used to install a specific version of Office.  For |

| |example “\\corpserver\office”.  Press the Set Credentials button to provide credentials for the remote |

| |machine to access the UNC location.  Office installations may fail unless the remote machine has access |

| |to the original installation media. |

|Patch Deployment |There are a number of options that can be selected to take place before, during and after patch |

| |deployment. |

| | |

| |Before |

| |You can choose to shut down SQL Server and IIS with an option to warn machines connected to a SQL server |

| |that the services will be stopped.  These services will automatically be shut down when a SQL or IIS patch|

| |(respectively) is applied to a remote machine regardless of this setting.  Use this setting to shut down |

| |these services when installing OS or similar hotfixes, particularly if you are planning to reboot the |

| |machine after installation. |

| | |

| |During |

| |During the deployment, you can require HFNetChkPro to back up any files that are modified in order to |

| |perform an uninstall if something goes wrong.  You can also choose to enable or disable 'Quiet Mode'. |

| | Quiet Mode does not present any evidence to the user that the deployment is taking place. |

| | |

| |After |

| |After the scan is complete, you can choose to remove any temporary files that were created during the |

| |deployment process. |

|Reboot Options |After successfully deploying all patches, you have the option of what to do to the remote system.  You |

| |can either let it continue running or you can choose to reboot it.  If you choose to reboot the |

| |deployment target, you can specify the number of reboot attempts (from 1 to 100) as well as the number of|

| |seconds to wait between attempts (1-100).  Finally, if any clients are connected to the machine, you can |

| |indicate that they should be warned before the system is rebooted. |

Once you have made your selections for this deployment template, click the Save and Close buttons to save it.  Click just the Cancel or Close buttons to close the window without making any changes.

Working with a deployment template

Custom deployment templates show up under the New Deployment Template selection in the Deployment Templates  box as shown in the picture to the right.  When a template is selected from the Deployment Templates box, the details for it are shown in the right hand pane of the window.

For example, if there is a deployment template named 'Sample template', it might look something like the following in the right hand pane:

[pic]

There are a few operations that can be performed from this screen:

|Make this my default |Selecting this option will use the currently selected template as the default. |

|template | |

|Edit |Choosing Edit opens up the deployment template dialog box and allows you to make changes to it. |

|Copy |Copies the selected template.  This will open up the deployment template dialog box with a name of 'Copy |

| |of { selected template name }' and with the same description and settings as the current template. |

|Delete |Deletes the current template. |

If you have created a scan template and assigned this deployment template to it, you will also be shown which scan template(s) use it.

Uninstalling Patches

Uninstalling patches

HFNetChkPro 4 has the capability to uninstall selected patches.  This only works for items listed as Patch Found, not Effectively Installed patches, when viewing scan results.  Not all patches can be uninstalled.

To determine whether or not a patch can be uninstalled using HFNetChkPro, open a scan and view the Patch Summary.  Select a patch and right-click it.  If Uninstall Selected is active, then that patch can be uninstalled.  The same result can be achieved by selecting a patch and viewing the Patches > Uninstall Selected menu.

[pic]

Please Note

The above method is the only way to determine the availability of the Uninstall Selected option.

PatchPush(TM) Tracker

About the PatchPush™ Tracker

HFNetChkPro 4 includes a feature called the PatchPush™ Tracker.  This feature is designed to give you a single console from which to monitor the status of deployments.  PatchPush™ Tracker utilizes the Shavlik HFNetChkPro Service that receives status messages from the machines that are being patched.  This service is installed and started during the HFNetChkPro installation.  If this service is stopped, then PatchPush™ Tracker will not update patch deployment state information.

You can start, stop and configure the HFNetChkPro Service from Tools > Options > Deployment Options.

[pic]

For the HFNetChkPro Service to work properly, it must be assigned an IP address and port to listen on.  By default, the HFNetChkPro Service listens on TCP port 4750.  If you are on a multi-homed machine, you must choose the IP address that the HFNetChkPro Service will use; select the one that corresponds to the network that will be scanned.  If this service is stopped, then PatchPush™ Tracker will not update patch deployment state information.

To start the PatchPush™ Tracker, choose Tools > Launch PatchPush Tracker or click the PatchPush™ Tracker icon [pic] from the toolbar.

[pic]

The PatchPush™ Tracker window provides at-a-glance information pertaining to patch deployment status.  Each line in the tracker indicates a single patch and includes state information, the machine the patch is being deployed to, a description of the patch, when the patch is scheduled to be deployed and the time that the last status information was collected.

The state information can help you to begin troubleshooting possible deployment problems.

• Green:  The patch was successfully deployed

• Yellow:  The rescan failed due to bad credentials.*

• Red:  A deployment didn't fully take and more research is necessary.**

• Blue:  The patch has not completed installation.  If the status remains blue, it could be an indication that the remote machine cannot communicate back to the PatchPush™ Tracker.

* The rescan operation is actually initiated by the Shavlik HFNetChkPro Service.  By default, this service runs as the Local System account.  Since Local System does not have the proper credentials to perform a remote patch scan, credentials can be assigned to the service by entering them in Tools > Options > Deployment Options > CLOUC.  Alternatively, credentials set via the Set Credentials dialog in the Machine Group before you perform the initial scan are assigned to the service for the purpose of the rescan.

** One of the more common reasons for seeing a "Fail" item in PatchPush™ Tracker is that a patch that requires a reboot to complete was deployed but 'Do Not Reboot' was specified in the deployment template.  If you receive a "Fail" status in PatchPush™ Tracker, check the Patch Details for the patch in question to see if a reboot is required to complete the installation of this patch.

Canceling a PatchPush

You can cancel an incomplete PatchPush by selecting the line in the PatchPush™ Tracker for the deployment you would like to cancel and then clicking Cancel Push.  Alternatively, you can right-click a line and choose Delete PatchPush.

Disconnected Mode

Disconnected Mode

Disconnected Mode is useful when you are scanning from an HFNetChkPro console that is not connected to the Internet.  Disconnected Mode can also be useful if you would like to perform scans and deployments and not download data files from the Shavlik website.  

To enable Disconnected Mode, select Tools > Run Disconnected from the HFNetChkPro menu bar.  The PatchDetails4.xml and TruSecure.xml files from the \ShavlikDataFiles directory and MSSecure.xml from the 4.0.XX.X directory will be used during the offline scan, unless alternate locations for these files have been specified.

To specify alternate locations for the PatchDetails4.xml and TruSecure.xml files, open Tools > Options > Offline Options.  If Run application in disconnected mode has been checked, you may enter locations for the two data files.  These locations may be entered as network drive letters, UNC paths or HTTP/S locations.

[pic]

To specify an alternate location for MSSecure.xml, create a scan template that references the location of the MSSecure.xml file.  This location may be a network drive letter, UNC path or HTTP/S location.

[pic]

Shavlik data files

When running in Disconnected Mode from a console that is not connected to the internet, it is necessary to manually manage the Shavlik data files: CommandLine4.exe, MSSecure.xml, PatchDetails4.xml and TruSecure.xml.  You may download these files from the Shavlik website, using an internet-connected machine, and then transfer them via floppy disk, FTP or a similar method to the HFNetChkPro console.

You may download secure, CAB versions of these data files from the below locations:

CommandLine4.cab



MSSecure.cab



PatchDetails4.cab



TruSecure.cab



Alternatively, you may download the uncompressed (non-CAB) files via SSL from the below locations (this may be useful if your firewall does not allow the download of CAB files):

CommandLine4.exe



MSSecure.xml



PatchDetails4.xml



TruSecure.xml



File Locations

You will then need to copy the following files to the ..\HFNetChkPro4\ShavlikDataFiles folder:

• commandline4.cab

• patchdetails4.cab

• trusecure.cab

The following file goes into the ..\HFNetChkPro4\%version% folder (..\HFNetChkPro\4.0.77.1):

• mssecure.cab
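The staging step above, as an added PowerShell example (not part of the Shavlik guide): it checks each transferred CAB's Authenticode signature and records its SHA-256 before copying it to the folder listed under File Locations. The transfer folder is hypothetical, and the script assumes the CABs carry a signature Windows can validate; the install path and version folder are the ones this guide uses as examples.

```powershell
# Added example (not from the guide): stage data files for Disconnected Mode.
# Assumptions: $TransferDir is wherever the files were carried in, and the
# CABs carry an Authenticode signature that Windows can validate.
param(
    [string]$TransferDir = 'E:\shavlik-transfer',   # hypothetical path
    [string]$InstallRoot = 'C:\Program Files\Shavlik Technologies\HFNetChkPro4',
    [string]$Version     = '4.0.77.1'
)
$ErrorActionPreference = 'Stop'

# File -> destination folder, as listed under "File Locations".
$placement = [ordered]@{
    'commandline4.cab'  = Join-Path $InstallRoot 'ShavlikDataFiles'
    'patchdetails4.cab' = Join-Path $InstallRoot 'ShavlikDataFiles'
    'trusecure.cab'     = Join-Path $InstallRoot 'ShavlikDataFiles'
    'mssecure.cab'      = Join-Path $InstallRoot $Version
}

# Pass 1: inspect every file; nothing is copied yet.
$checks = foreach ($name in $placement.Keys) {
    $source = Join-Path $TransferDir $name
    $row = [pscustomobject]@{
        File = $name; Source = $source; Destination = $placement[$name]
        Signature = 'file missing'; Signer = ''; SHA256 = ''; Ok = $false
    }
    if (Test-Path -LiteralPath $source -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $source
        $row.Signature = [string]$sig.Status
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        $row.SHA256 = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
        $row.Ok = ($sig.Status -eq 'Valid')
    }
    $row
}

# Show the operator what was found, including who signed each file.
$checks | Format-List File, Signature, Signer, SHA256

# Pass 2: all-or-nothing copy, so the console never mixes old and new data.
$failed = @($checks | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    $names = ($failed | ForEach-Object { $_.File }) -join ', '
    throw "Not staging anything; missing or not validly signed: $names"
}
foreach ($row in $checks) {
    if (-not (Test-Path -LiteralPath $row.Destination -PathType Container)) {
        throw "Destination folder not found: $($row.Destination)"
    }
    Copy-Item -LiteralPath $row.Source -Destination $row.Destination -Force
    "Staged $($row.File) -> $($row.Destination)"
}
```

Compare the Signer column with the publisher you expect before trusting the result; a Valid status only means the signature chains to a root this machine trusts.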

International Patch Support

About international patches

By default, HFNetChkPro assumes all machines are running the English versions of Microsoft operating systems and other supported applications.  Under default settings, it is the English language version of a patch that is downloaded and stored in the Shavlik Download Center.  The Download Center is a directory on the hard drive of the console machine or, alternatively, on a network share.

In order to support the download and application of foreign language patches, some new features have been added to HFNetChkPro.  This section is an overview of these features.   This section also assumes that the user will want to maintain the normal English language download center for use with some English language machines.

Create a new download center

From the main menu choose Tools > Options > Download Options which will present the following dialog box.

[pic]

On the top right side you will see the Download Center.  By default there is only one download center which is English.  Press the New button to create a new Download Center which will contain the foreign language patches.

[pic]

The download center is comprised of 3 elements.   

1. Path to the Download Center directory

2. Name of the Download Center

3. International Mode

Step 1

First you need to select the download directory which can be any location of your choosing.  You can either enter the path directly here or click the "..." button to browse to the desired location.

Steps 2 & 3

After selecting the path you need to name your Download Center and select International Mode.  International mode should be selected for any non-English Download Center.

[pic]

Click OK to create the new download center and ready it to receive patches.

Select a new download center

On the menu bar of HFNetChkPro is a drop down menu to choose a Download Center which is defaulted to English.  When working with patches for foreign language machines, you need to select the correct Download Center.  In this example, German has been selected.

[pic]

Downloading foreign language patches

Now we are going to download a patch into the download center.  In working with HFNetChkPro this task can be done at different times, including after a scan.  In this case, we will download a patch selected from the available patch listing.

In the left navigator pane, we scroll down to Patch Information and select the patches for Windows 2000 Professional.

[pic]

A listing of patches appears, and we select one, MS02-071.  In the lower pane under Patch Download Status you will note the hyperlink entitled Download As..  When used with the English Download Center, this would normally state Download.  However, with foreign language patches we need to give the program a little more assistance in downloading the correct patch.   

Click on the Download As.. URL.

[pic]

When you click on the Download As.. link you will be taken to the following Microsoft web page describing the patch.  Navigate to the correct language download (in this case German) as shown below.

[pic]

Initiate the download by clicking on the Download link on this page.

[pic]

Select Save.

[pic]

Press CTRL-V to automatically paste the correct download path to the download center and correct target file name into the dialog box as below.  If you are unable to paste the download center location, browse to the path that holds the patches for this download center.

[pic]

The patch will now be saved into the correct Download Center with the correct name for HFNetChkPro to manage the patch files.  If we go back to our patch information screen, we will now see that the patch has been downloaded and is available for deployment.

[pic]

Creating a foreign machine group

In addition to the support for multiple Download Centers, HFNetChkPro has an additional feature that is very useful when it comes to managing machines of different language types.  The machine group feature allows you to create a custom selection of machines for scanning and patching.

To create a group, click on New Machine Group in the upper portion of the left navigator window.

[pic]

Now add some machines to the group.  You can do this in a number of ways.  You can enter machine names and IP addresses directly, or you can select them from the Network Neighborhood by choosing the Browse Network option.

[pic]

You can now scan this group for missing patches, download any missing patches as shown above and deploy them as normal.

Using the Command Line

About the command line

For those that prefer the command line or for those that want to automate certain tasks in batch files, HFNetChkPro 4 includes a command line shell named hfnetchk4pro.exe.

The command line can be useful in a number of scenarios:

• It can be used standalone without writing to the database or the GUI.

• It can be run and configured to return the results of the operation to the screen, or output results in XML, CSV, HTML, etc.  

• It can be used to write results to a specified database, where you can view the results via the GUI.

• It is also useful when you have a lot of bastion hosts, or machines that you can't scan remotely; in that case it behaves like an assessment agent.  You can put the command line utility on each machine, schedule it to run at a certain time and output XML results to a specified network share, or have it output back to the database.  In this manner, you don't need remote access to NetBIOS ports 139/445 or to the remote registry, as it's all running locally.

Command line syntax

 

HFNetChkPro [-h hostname] [-i ipaddress] [-d domainname] [-n] [-r range]

            [-fh hostfile] [-fip ipfile] [-fq ignorefile] [-fs scanforfile]

            [-history] [-brief] [-v] [-nosum] [-sum] [-ver]

            [-o outputformat] [-x datasource] [-ms] [-t threads]

            [-s suppression] [-u username] [-p] [-about] [-trace]

            [-f outfile] [-fts]

            [-pxp] [-pxu] [-pxd] [-pxs]

 

Description:

The HFNetChkPro tool assesses a machine or group of machines for security hotfixes that have either been installed and/or need to be installed.  For more information on this tool, please refer to:

 

Parameter List:

-about                  About HFNetChkPro.

-h      hostname        Specifies the NetBIOS machine name to scan.

                        Default is the localhost.

-i      ipaddress       Specifies the IP address of a machine to scan.

-r      range           Specifies the IP address range to be scanned,

                        starting with ipaddress1 and ending with

                        ipaddress2 inclusive.  

-d      domain_name     Specifies the domain_name to scan.  All

                        machines in the domain will be scanned.

-n      network         All systems on the local network will be

                        scanned.  (i.e., all hosts in Network

                        Neighborhood)

-fip    ipfile          Specifies the name of a file containing

                        addresses to scan. One IP address per

                        line, 256 max per file.

-fh     hostfile        Specifies the name of a file containing

                        NetBIOS machine names to scan.  One machine

                        name per line, 256 max per file.

-fipr   iprangefile     Specifies the name of a file containing

                        IP address ranges to scan.

                        One IP address range per line.

-fd     domainfile      Specifies the name of a file containing

                        domain names to scan.

                        One domain name per line.

-fq     ignorefile      Specifies the name of a file containing

                        Q numbers to ignore.  One Q number per line.

-fs     scanforfile     Specifies the name of a file containing

                        Specific set of Q numbers to scan for.

                        One Q number per line.

-fipi   ipfile          Specifies the name of a file containing

                        addresses to ignore.  One IP address per

                        line.

-fhi    hostfile        Specifies the name of a file containing

                        NetBIOS machine names to ignore.  One machine

                        name per line.

-fipri  iprangefile     Specifies the name of a file containing IP

                        address ranges to ignore.  One IP address range

                        per line.

-history                Displays hotfixes that are explicitly

                        installed and non-superseded hotfixes that

                        are missing.  This switch is not necessary for

                        normal operation.  Do not use this switch

                        unless you've read -history usage at

                        .

-t      threads         Number of threads used for executing scan.

                        Possible values are from 1 to 64. Default is 64.

-o      output          Specifies the desired output format.

                         (db) outputs to an installed database.

                         (xml) outputs in simple xml format.

                         (xml2) outputs in detailed xml format.

                         (tab) outputs in tab delimited format.

                         (comma) outputs in comma delimited format.

                         (wrap) outputs in a word wrapped format.

                         (html) outputs in html format.

                        Default is wrap.

-x      datasource      Specifies the xml datasource containing the

                        hotfix information.  Location may be an xml

                        filename, compressed xml cab file, or URL.

                        Default is mssecure.cab from the Shavlik

                        website.

-ms                     Download the mssecure.cab from Microsoft.

                        The default uses the version hosted by Shavlik.

-s      suppress        Suppresses NOTE and WARNING messages

                         1 =  Suppress NOTE messages only

                         2 =  Suppress both NOTE and WARNING messages

                        Default is to show all messages.

-nosum  checksum        Do not evaluate file checksum.

                        The checksum test calculates the checksum of

                        files.  This can use up large amounts of

                        bandwidth.  Using this option will speed up a

                        scan and use less bandwidth.  File version

                        checks will be still done.

-sum                    Perform file checksum tests.

                        Force checksum tests to be run on non-English

                        language systems. Use only if you have a custom

                        XML file with language-specific checksums.

-brief                  Displays minimal patch status information:

                        Status, Q Number and Bulletin ID.  The default

                        output is the same as brief but also includes

                        the reason for a missing patch, warning, note

                        or informational status.

-v      very verbose    Displays detailed information including

                        bulletin summary, bulletin title and bulletin

                        URL.  Enabled by default in XML output.

                        NOTE: -brief and -v only apply to the following

                        formats: wrap and comma or tab delimited.

                        HTML, XML and db output are always in -v mode.

-f      outfile         Specifies name of the file to save the results.

                        Default is to display to screen.

-fts                    Specifies that the output be directed to a file

                        with the current date/time stamp in the form of

                        ddmmyyhhmm.txt.

-u      username        Specifies optional user name for login

                        to remote computer.

-p      password        Specifies password to be used with user name.

-pxd    domain          Domain of the user for the proxy.

-pxu    user            Username to use for proxy server.

-pxp    password        Password to use for proxy server.

-pxs                    Save the credentials used for the proxy.

-pxc                    Clear the saved credentials used for the proxy.

-ver                    Perform a version test of HFNetChk.

-trace                  Enable debug logging.

                        This must be the 1st parameter on the command

                        line.  The log file is written to hf.log.

                        This command is not necessary for normal

                        operation and should only be used when

                        troubleshooting an issue with Shavlik

                        Support.

-?      help            Displays this menu.

 

Examples:

HFNetChkPro

HFNetChkPro -v -b

HFNetChkPro -h hostname

HFNetChkPro -h hostname -f out.txt

HFNetChkPro -d domainname -u domainname\username -p password

HFNetChkPro -d domainname -u username -p password

HFNetChkPro -h h1,h2,h3

HFNetChkPro -i 192.168.1.1 -s 2 -t 10 -v

HFNetChkPro -i 192.168.1.1,192.168.1.8 -h hostname -x mssecure.xml

HFNetChkPro -d domain_name -s 1 -o tab -x c:\temp\mssecure.xml

HFNetChkPro -r 192.168.1.1-192.168.1.254 -history -t 20

HFNetChkPro -x

HFNetChkPro -x "c:\Space In Path\mssecure.xml"

HFNetChkPro -fh d:\MyHostFile.txt

HFNetChkPro -fip d:\MyIPFile.txt

HFNetChkPro -o xml2

HFNetChkPro -history

HFNetChkPro -ver

HFNetChkPro -pxu user -pxp password -pxd domain -pxs

HFNetChkPro -trace -v -b

HFNetChkPro -about
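The "assessment agent" scenario from About the command line, as an added PowerShell example (not part of the Shavlik guide). It uses only switches from the parameter list above (-x, -o xml2, -f); the scanner folder, data file location and result share are hypothetical, and no exit-code behaviour is assumed.

```powershell
# Added example (not from the guide): run the command-line scanner locally and
# publish the XML result to a share, so no remote access to the host is needed.
# Assumed values: $ScannerDir, $DataFile and $ResultShare are hypothetical.
param(
    [string]$ScannerDir  = 'C:\Tools\HFNetChkPro',
    [string]$DataFile    = 'C:\Tools\HFNetChkPro\mssecure.xml',
    [string]$ResultShare = '\\fileserver\patchscans'
)
$ErrorActionPreference = 'Stop'

$exe     = Join-Path $ScannerDir 'hfnetchk4pro.exe'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$outName = '{0}_{1}.xml' -f $env:COMPUTERNAME, $stamp
$local   = Join-Path $env:TEMP $outName

foreach ($needed in $exe, $DataFile) {
    if (-not (Test-Path -LiteralPath $needed -PathType Leaf)) {
        throw "Required file not found: $needed"
    }
}

# With no -h/-i/-d target the scanner defaults to the local host, so -u/-p are
# not needed and no password ends up on a command line or in a scheduled task.
# -x points at a local data file so the host does not need internet access.
& $exe -x $DataFile -o xml2 -f $local

# Do not rely on an exit code (none is documented here); validate the output.
if (-not (Test-Path -LiteralPath $local -PathType Leaf)) {
    throw "Scanner produced no output file: $local"
}
$doc = New-Object System.Xml.XmlDocument
try {
    $doc.Load($local)          # throws if the file is not well-formed XML
} catch {
    throw "Output is not well-formed XML; not publishing: $local"
}

# Copy under a temporary name and then rename, so whatever collects results
# from the share never reads a half-written file.
$partial = Join-Path $ResultShare ($outName + '.partial')
Copy-Item -LiteralPath $local -Destination $partial -Force
Rename-Item -LiteralPath $partial -NewName $outName
Remove-Item -LiteralPath $local

"Published $outName to $ResultShare"
```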

 

 

Proxy Support

Proxy support

HFNetChkPro checks the proxy settings in Internet Explorer and conducts an internet connectivity test to determine whether or not proxy server settings are necessary.  If HFNetChkPro is unable to access the internet using these settings, or if you are required to enter a username and password each time you launch your browser and browse the internet, you will need to configure the Proxy Options if you haven't already done so via the Setup Wizard.

Choose Tools > Options > Proxy Options

Click the Do I need Proxy Info? button to run a test to determine if HFNetChkPro can access the information it needs to operate.  If the test is successful...

[pic]

...then nothing further is required.  However, if HFNetChkPro is unable to connect to the internet...

[pic]

...then you must enter proxy settings here.

[pic]

As stated above, HFNetChkPro uses the Internet Explorer proxy settings if no authorization is required by your proxy server.  If you utilize authorization, fill out the Username, Password and Verify Password fields.  After completing the required fields, conduct another connectivity test by clicking Test.  Once verified, check both Save proxy credentials and Use proxy server and then click OK to save the settings.

Error Messages

HFNetChkPro 4 Scanner Error Messages

Error: 200 - System not found.  Scan not performed

This indicates that the specified computer was not located and could not be scanned.  Check to see that this machine is on the network and that the hostname or IP address is correct.

Error: 201 - System not found.  

A network problem is preventing the specified machine from being scanned.  Check to see that your computer (the scanning machine) is properly connected to the network and that you can remotely logon to the specified machine.

Error: 202 - System not found.  Scan not performed.

A network or system error occurred while the scan was in process.  Check to see that your scanning machine is properly connected to the network and the machine being scanned is still connected to the network.  Also ensure that the remote machine is running the Server service.

Error: 230 - Scan not performed.  

A general network error has occurred.  Please refer to the system documentation for more information.

Error: 235 - System not found, or NetBIOS ports may be firewalled.  Scan not performed.

Most likely, there is no machine with the specified IP address.  If a machine does exist at this address, a personal firewall or port filtering device may be dropping packets destined for TCP ports 139 and 445.

Error: 261 - System found but it is not listening on NetBIOS ports. Scan not performed.

A machine exists at this IP address but it is either not listening on, or is blocking access to, TCP ports 139 and 445.

Error: 301 - SystemRoot share access required to scan.

Unable to connect to the remote machine’s system share.  This may occur if the administrator has unshared the systemroot (typically C$ or similar) or has disabled the AutoShareServer(Wks) via the registry.

Error: 451 - Admin rights are required to scan.  Scan not performed.

The current or specified user account performing the scan does not have administrative rights to the machine being scanned.  Check to see that the specified account is a member of the local administrators group on the machine being scanned (or a member of a group having local administrative rights).

Error: 452 - HFNetChk is unable to scan this machine.  Please check to see that you have administrative rights to this machine and are able to login to this machine from your workstation.  Scan not performed.

Check to see that the Server service is enabled on the remote machine and that you can remotely logon to this machine.  Ensure that the Workstation service is running on the machine performing the scan.

Error: 501 - Remote registry access denied.  Scan not performed.

Check to see that the Remote Registry service is enabled on the machine being scanned.

Error: 502 - Scan not performed.  Error reading Registry

A general registry error has occurred.  Please refer to the system documentation for more information.

Error: 503 - Scan not performed.  Error reading Registry.

A general registry error has occurred.  No additional information is available.

Error: 553 - Unable to read registry.  Please ensure that the remote registry service is running.  Scan not performed.

Check to see that the Remote Registry service is enabled on the machine being scanned.

Error: 621 - Machine is not one of Windows (NT 4, 2000, XP or .NET). Scan not performed.

The machine being scanned does not appear to be a product supported by this tool.  The specified machine may be a non-Microsoft platform running SMB services or otherwise emulating a Microsoft product.

Error: 622 - Machine OS is not Recognized.  Please run with tracing on and send to technical support.  Scan not performed.

Unable to determine the Operating System of the specified machine.  This may occur when scanning beta or unreleased versions of Microsoft Operating Systems.

Error: 623 - Machine Service pack is not Recognized.  Please run with tracing on and send to technical support.  Scan not performed.

Unable to determine the Service Pack of the specified machine.  This may occur when scanning beta or unreleased versions of Microsoft Service Packs.

Error: 701 - File was NOT downloaded.

The signed, compressed CAB file containing the security patch information could not be obtained from the specified location.  This may occur if the scanning machine is not connected to a network, or is otherwise unable to access the specified file or location.  If the CAB file is not obtained, an attempt is made to access the uncompressed XML file via https.

Error: 702 - File was NOT downloaded. Attempting to find local copy of mssecure.cab.

The uncompressed XML file containing the security patch information could not be obtained from the specified location via https.  This may occur if the scanning machine is not connected to a network, or is otherwise unable to access the specified file or location.  If the XML file is not obtained from the network, an attempt is made to locate an existing version of this file on the local machine.
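A pre-scan reachability check for the connectivity errors above (200, 235 and 261), as an added PowerShell example that is not part of the Shavlik guide. The mapping from probe result to error number follows the descriptions in this section, not the scanner's internals, and the function and parameter names are illustrative.

```powershell
# Added example (not from the guide): probe TCP 139 and 445 on each target and
# point at the scanner error the target is likely to produce.
param(
    [Parameter(Mandatory = $true)][string[]]$ComputerName,
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Target, $Port)
        if ($task.Wait($TimeoutMs)) { return 'open' }
        return 'timeout'        # nothing answered: no host, or packets dropped
    } catch {
        # Wait() wraps the socket failure; unwrap to the innermost exception.
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException]) {
            switch ([string]$base.SocketErrorCode) {
                'ConnectionRefused' { return 'refused' }     # host up, port closed
                'HostNotFound'      { return 'unresolved' }  # name lookup failed
                'TimedOut'          { return 'timeout' }
                default             { return "error:$($base.SocketErrorCode)" }
            }
        }
        return "error:$($base.GetType().Name)"
    } finally {
        $client.Close()
    }
}

foreach ($name in $ComputerName) {
    $r139   = Test-TcpPort -Target $name -Port 139 -TimeoutMs $TimeoutMs
    $r445   = Test-TcpPort -Target $name -Port 445 -TimeoutMs $TimeoutMs
    $states = @($r139, $r445)
    $other  = @($states | Where-Object { $_ -ne 'timeout' })

    $hint = if ($states -contains 'open') {
        'Reachable; if the scan still fails, look at errors 301, 451 and 501.'
    } elseif ($states -contains 'unresolved') {
        'Name did not resolve; compare with Error 200 (check hostname or IP).'
    } elseif ($states -contains 'refused') {
        'Host answers but is not listening on 139/445; compare with Error 261.'
    } elseif ($other.Count -eq 0) {
        'No answer on 139/445 (no host, or a filter drops packets); compare with Error 235.'
    } else {
        'Unclassified socket error; see the Port139 and Port445 columns.'
    }

    [pscustomobject]@{
        Computer = $name; Port139 = $r139; Port445 = $r445; Hint = $hint
    }
}
```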

Reports

Reports in HFNetChkPro 3

The following reports are available in HFNetChkPro 4.  Only the first report -- Condensed Patch Listing -- is available in HFNetChkPro, Limited Edition.

To choose a report, click on the Report Gallery icon -- [pic] -- on the menu bar and select a report from the drop down list at the top of the screen.

Condensed Patch Listing

A concise, six-column report displaying the machine name and patch status for each scanned host. Patch items are displayed as bulletin numbers (MS00-000).

Condensed Patch Listing For CSV

This report is designed to output data in optimal format for a CSV export. The output is a simple text listing where each patch is on a single line. Instead of showing icons stating the status of the patch, the initials M, F, I, and W are used, meaning: Missing, Found, Information, and Warning respectively.

Deployment Seat Status

This report lists deployment seat information: Licensed seats, seats used, and seats available. Note: There is no filtering capability for this option.

Machine/OS Listing

This report lists the Operating Systems for each machine scanned. Note: There is no filtering capability for this option.

Machines By Patch

Displays patch status for each machine sorted by Bulletin ID and QNumber.

Machines Not Scanned

This report lists all machines not scanned and the reason they were not scanned. Note: There is no filtering capability for this option.

Missing SP

This report is a quick overview of all machines that are missing service packs for supported products. This report skips the simple criteria filter and displays the advanced criteria filter immediately.

Patch Annotation Information

This report lists all patch annotations.

Patch Criticality Information

This report lists all patches grouped by criticality. It allows a network administrator to quickly view the patches they have categorized as 'Critical' or 'High'.

Patch Listing

A concise listing (one line per patch processed) of all patches for all scanned machines sorted by 'Missing', 'Found', 'Informational' and 'Warning', then sorted by user preference.

Patches By Machine

Displays patch status for each machine sorted by Machine Name.

Patches By Machine Detail

A detailed listing of every patch found, sorted by Machine Name. For each patch, the entire summary and reason is listed in the report. Note that this report can take a very long time to run if executed against thousands of computers.

Scan/Deployment History

This report lists all scans and deployments in the entire system and displays who performed each scan and deployment.

Basic report filters

The HFNetChkPro reporting interface was designed to provide the user with any filtering possibility desired.   Opening the report gallery brings up a single window in which you make all of your selections.

[pic]

Choosing the report

The top of the window is where you choose which report you want to run.  When you select a report from the list, the description of that report comes up and a sample of the report appears at the bottom of the window.

Filtering the report

HFNetChkPro 4's reporting utility includes powerful filtering options.  Depending on the report you choose, you have choices between basic and/or advanced filtering options.

The basic filtering options allow you to choose which scan(s), patch group(s), level(s) of criticality and product(s) you would like to report on.  If you need even more granularity or different sorting options, click the Advanced Filter Options choice.

Viewing the report

Once you have made your selections, click Generate Report to see the results.

Advanced report criteria

Using the Advanced Report Criteria tool you can effectively drill deeper into your scan results and extract more meaningful information.

[pic]

Fields

Any relevant fields that the user can filter on will be displayed here.  Based on the field type, the Operators combo box will appropriately morph itself to only contain corresponding operators.  If the field is defined as a 'Selection' field, the Value combo box will populate allowing the user to only select matching values (e.g. Machine name).

Operators

(=) Means that the field must exactly match the text in 'Value'.

() Means that the field must NOT equal the text in 'Value'.

(IN) Means that the user will provide a ',' delimited list of values and the field must exactly match one of the text elements in 'Value'.

(NOT IN) Means that the user will provide a ',' delimited list of values and the field must NOT equal one of the text elements in 'Value'.

(NULL) Means that the field must be NULL in the database.

(NOT NULL) Means that the field must not be NULL in the database.

(>), (> button to add it to the criteria window.  This in turn activates the And>>, Or>>, Switch, Group, Ungroup and Clear All commands to be used in the criteria window.  You can use these to further manipulate report criteria by changing their order, creating groups, etc.

Example

You want to view all machines in your domain that are missing Patch Q813489.  Select the Patch Listing report and add report criteria to create the following advanced filter:

[pic]

Exporting reports

Any report can be exported to a different format from the report viewer.

[pic]

RTF, PDF, HTML, XLS, TIF, TXT and HFR export formats are supported for exporting from the report viewer.

To export a file, click the Export button on the toolbar after running the report.  From the Report Export box, choose your preferred format, any options and the export filename and click OK.

Report: Condensed patch listing

A concise, six-column report displaying the machine name and patch status for each scanned host. Patch items are displayed as bulletin numbers (MS00-000).

This report shows the patch status for each machine and scan using the same nomenclature as the patch and machine summaries.

Sample

[pic]

Report: Deployment Seat Status

This report lists deployment seat information: Licensed seats, seats used, and seats available.

[pic]

Report: Condensed Patch Listing For CSV

This report is designed to output data in optimal format for a CSV export which can then be imported into Excel. The output is a simple text listing where each patch is on a single line. Instead of showing icons stating the status of the patch, the initials M, F, I, and W are used, meaning: Missing, Found, Information, and Warning respectively.

Sample

[pic]

Report: Machine/OS Listing

This report lists the Operating Systems for each machine scanned. Note: There is no filtering capability for this report.

Sample

[pic]

Report: Machines By Patch

Displays patch status for each machine sorted by BulletinID and QNumber.

Sample

[pic]

Report: Machines Not Scanned

This report lists all machines not scanned and the reason they were not scanned. Note: There is no filtering capability for this option.

Sample

[pic]

Report: Missing SP

This report is a quick overview of all machines that are missing service packs for supported products. This report skips the simple criteria filter and displays the advanced criteria filter immediately.

Sample

[pic]

Report: Patch Annotation Information

This report lists all patch annotations.

Sample

[pic]

Report: Patch Criticality Information

This report lists all patches grouped by criticality. It allows a network administrator to quickly view the patches they have categorized as 'Critical' or 'High'.

Sample

[pic]

Report: Patch Listing

A concise listing (one line per patch processed) of all patches for all scanned machines sorted by 'Missing', 'Found', 'Informational' and 'Warning', then sorted by user preference.

Sample

[pic]

Report: Patches By Machine

Displays patch status for each machine sorted by Machine Name.

Sample

[pic]

Report: Patches By Machine Detail

A detailed listing of every patch found, sorted by Machine Name. For each patch, the entire summary and reason is listed in the report. Note that this report can take a very long time to run if executed against thousands of computers.

Sample

[pic]

Report: Scan/Deployment History

This report lists all scans and deployments in the entire system and displays who performed each scan and deployment.

Sample

[pic]

Managing the Database

Compressing the Database

HFNetChkLT and HFNetChkPro 4.0 store scan and deployment results in a JET database called ShavlikScans.mdb.  This file resides in a location such as C:\Program Files\Shavlik Technologies\HFNetChkPro4.

The MDB file grows with each scan and deployment that is performed.  To save disk space and enhance performance, you may wish to compress this file as needed.  To do so, go to Tools > Compact/Repair Database from the menu bar.

To manually compress the MDB file via command line, follow these steps:

1) Close HFNetChkPro

2) Open a command prompt

3) Navigate to the C:\Program Files\Shavlik Technologies\HFNetChkPro4\4.0.XX.X directory (where stScanBrowser.exe is located)

4) At the command prompt, type

stScanBrowser.exe /repair

SQL Database Support

If you have a SQL enabled license key for HFNetChkPro 4.0, you may download the SQL Tool and documentation here:

Download SQL Tool (724 KB)

Download SQL Tool Documentation (PDF)

How can I tell if I have a SQL enabled license key?

The SQL Server database function is only available to HFNetChkPro customers. (It is not available for HFNetChkLT installations.) To see if your HFNetChkPro installation is licensed for SQL Server, please go to Help > About in the HFNetChkPro 4.0 application and look for 'SQL Server enabled', as shown below:

[pic]

Obtaining support

For technical assistance with HFNetChkPro 4, please refer to one of the following support options:

• Online support via

• Consult the HFNetChkPro web site at:

• Email us at support@

End User License Agreement

Shavlik Network Security Hotfix Checker Professional (HFNetChkPro) (TM) LICENSE AGREEMENT

IMPORTANT-READ CAREFULLY

1. Contract Formation.

(a) Nature of Document.  This document is a legal agreement (the "EULA") between you, the purchaser (the "Licensee"), and Shavlik Technologies, LLC ("Shavlik"), for the Shavlik product identified above, which includes computer software and may include associated media, printed materials and electronic documentation (the "Product").

(b) Non-Negotiability of Terms.  IMPORTANT: SHAVLIK IS WILLING TO LICENSE THE PRODUCT TO YOU ONLY UPON THE CONDITIONS THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS AGREEMENT.  

YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA BY INSTALLING, COPYING OR OTHERWISE USING THE PRODUCT. IF YOU DO NOT AGREE, YOU ARE NOT AUTHORIZED TO INSTALL OR USE THE PRODUCT.

(c) Acceptance or Rejection of Agreement.  IF YOU DO NOT AGREE TO THESE TERMS, THEN SHAVLIK IS NOT WILLING TO LICENSE THE PRODUCT TO YOU.  IN SUCH AN EVENT, YOU MAY PROMPTLY RETURN THE UNINSTALLED PRODUCT TO SHAVLIK OR THE DEALER FROM WHICH YOU MADE THE PURCHASE FOR A FULL REFUND OF THE PRICE PAID.

2. License Grant.

Shavlik grants to you the right to use one copy of the Product together with any updates provided by Shavlik in the manner described in this Agreement.

3. Use Limitations.

(a) This Product may not be incorporated in, or used in conjunction with, any other product for any use without the express written consent of Shavlik Technologies, LLC.  Specifically, the Product cannot be used as a "child process" of another program, or batch file without the express written permission of Shavlik Technologies, LLC.

(b) The Product may not be sold or redistributed in any manner without the express written permission of Shavlik Technologies, LLC.

(c) Networks.  The Product may not be used on a computer network or remote access arrangement (by two different people in two different places at the same time) without acquiring an additional license or licenses.  For any multiple user or remote access arrangement you must acquire and dedicate a license for each computer on which the Product is used or to which it is distributed.

(d) Permitted Copies.  You may make one copy of the Product solely for backup or archival purposes.  You may not copy any written materials accompanying the Product.

(e) Single Permanent Transfer Permitted.  

(i)  You may not rent or lease the Product.  But you may transfer the Product on a permanent basis provided you retain no copies and the recipient agrees to accept the terms and conditions of this Agreement.  If you transfer the Product, you must at the same time either transfer all copies to the recipient or destroy any copies not transferred, including modifications and portions of the program contained or merged into other Product programs.  If the Product has been updated, any transfer must include the most recent update and all prior versions.

(ii)  You may not sublicense, assign or transfer the license or the Product except as expressly provided by this Agreement.  Any attempt otherwise to sublicense, assign, or transfer any of the rights, duties, or responsibilities hereunder is void.

(f) Reverse Engineering Prohibited.  You may not reverse engineer, decompile, or disassemble the Product.

(g) Shavlik is not obligated to provide support services in conjunction with the Product unless you and Shavlik have entered into a separate Maintenance Plan.

(h) This EULA applies to updates or supplements to the original Product provided by Shavlik, unless we provide other terms along with the update or supplement.

4. Copyright Limitations.

(a) Ownership.  Shavlik owns the Product; and all copyright and other intellectual rights in the Product; and under the terms of this Agreement you receive only a limited right to use the Product.  The Product is protected both by United States laws and international treaty provisions.

(b) No Copies.  Except as expressly permitted under the "Use Limitations" above, you may not copy the Product program or accompanying written materials.

(c) Copyright Notices.  You must reproduce and include the copyright notice and any other intellectual property rights notices on any copy permitted by this Agreement.

5. Term.

(a) License Duration.  The license is effective until terminated.

(b) Termination.

(i) You may terminate the license at any time by notifying Shavlik in writing.

(ii) The license will automatically terminate upon your failure to comply with the terms and conditions of this Agreement.

(c) Disposition of Product.  You agree that upon termination to destroy the Product, together with all copies, partial copies, modifications and merged portions in any form and together with the accompanying written materials.

6. Limited Warranties.

(a) Licensee Responsible for Installation and Use.  You assume responsibility for the selection of the Product to achieve your intended results, and for the installation, use, and results obtained from the Product.

(b) No Performance Warranty.

(i) THE PRODUCT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PRODUCT IS WITH YOU.

(ii) SHAVLIK DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE PRODUCT WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PRODUCT IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE YOU (AND NOT SHAVLIK OR ITS AUTHORIZED DEALERS) ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION.

(iii) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM STATE TO STATE.

(iv) Shavlik does not warrant that the functions contained in the Product will meet your requirements or that the operation of the Product will be uninterrupted or error free.

(c) No Other Warranty.  SHAVLIK AND ITS DEALERS DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT LIMITED TO, IMPLIED WARRANTIES OR MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH REGARD TO THE PRODUCT AND THE MEDIUM CONTAINING THE SAME.

7. Limited Remedies.

(a) Limitation of Liability and Remedies.    NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED BELOW AND ALL DIRECT OR GENERAL DAMAGES), THE ENTIRE LIABILITY OF SHAVLIK UNDER THE PROVISIONS OF THIS EULA AND YOUR EXCLUSIVE REMEDY FOR ALL OF THE FOREGOING SHALL BE LIMITED TO ACTUAL DAMAGES INCURRED BY YOU BASED ON REASONABLE RELIANCE UP TO THE AMOUNT PAID BY YOU FOR THE PRODUCT.  THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.

(b) Disclaimer of Consequential Damages.  IN NO EVENT WILL SHAVLIK BE LIABLE TO YOU FOR ANY DAMAGES, INCLUDING ANY LOST PROFITS, LOST SAVINGS, OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT EVEN IF SHAVLIK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR FOR ANY CLAIM BY ANY OTHER PARTY.

(c) SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

8. General Provisions.

(a) Governing Law.  This Agreement shall be governed and construed by the laws of the State of Minnesota.

(b) Severability.  If any provision of this Agreement is found void or unenforceable, it will not affect the validity of the balance of this Agreement, which shall remain valid and enforceable according to its terms.  If any remedy provided is determined to have failed its essential purpose, all limitations of liability and exclusions of damages set forth herein shall remain in full force and effect.

(c) Acknowledgment and Exclusivity.  YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT, UNDERSTAND IT, AND AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS.  YOU FURTHER AGREE THAT IT IS THE COMPLETE AND EXCLUSIVE STATEMENT OF THE AGREEMENT BETWEEN US WHICH SUPERSEDES ANY PROPOSAL OR PRIOR AGREEMENT, ORAL OR WRITTEN, AND ANY OTHER COMMUNICATIONS BETWEEN US RELATING TO THE SUBJECT MATTER OF THIS AGREEMENT.

(d) Purchaser Questions.  Should you have any questions concerning this Agreement, or if you desire to contact Shavlik for any reason, please write, fax, or e-mail Shavlik Technologies, LLC 2665 Long Lake Road, Suite 400, Roseville, MN 55113, Telephone: 800.690.6911; fax: 651.426.3345; e-mail: info@.

(e) U.S. Government Restricted Rights.  The Product and documentation are provided with RESTRICTIVE RIGHTS.  Use, duplication, or disclosure by the Government is subject to restrictions: if supplied to the Department of Defense (DoD), the Product is "Commercial Computer Product" and the Government acquires the Product with "restricted rights," as defined in Clause 252.227-701(c)(1) of the DFARS; if the Product is supplied to any other Government unit or agency, the Government's rights in the Product are defined in Clause 52.227-19(c)(2) of the FAR; but if the Product is supplied to NASA, the Government's rights are defined in Clause 18-52.227-86(d) of the NASA supplement to FAR.  The manufacturer is Shavlik Technologies, LLC 4750 White Bear Parkway, St. Paul, MN 55110.

Index

A

About 1, 46, 48, 56, 60, 95, 103, 109, 117

Advanced report filters 127

B

Basic report filters 126

Bugtraq 6

C

CAB file 5, 6, 117, 123

Cancel deployment 87

Checksum analysis 8

CLOUC 17, 103

Combined Threat 68

Command line 117

CommandLine4.exe 106

Creating 48, 57, 61, 64, 109, 115

Credentials 37

Criticality 68, 93, 137

Currently Logged On User Credentials 17, 103

CVEID 6

D

Data files 106

Database 143, 144

Deploy patches 89, 90, 93, 94

Deploy service packs 91

Deployment 81, 83, 84, 87, 88, 95, 96, 98

Deployment seats 80

Detailed patch information 70

Domains 44, 51

Download 75, 76, 109, 111

Download centers 76, 109, 111, 115

Drag and drop 34

E

Effectively installed 10

End User License Agreement 147

Entire network 23

Enumerating 7

Error messages 123

Explicitly installed patches 10

Exporting Reports 129

F

Favorites 59, 64

Filter Patches 57

Foreign language patches 109, 111, 115

FullScan 23, 28, 34, 43

G

GUI 23, 28

H

hfnetchk4pro.exe 117

HFNetChkPro 3, 5, 21

HFNetChkPro service 17, 103

Hiding patch items 74

I

Import from file 49, 51, 53

Informational items 68

Installation 11, 12, 13

Interface 23, 28

International mode 109

International patches 109

Internet 17, 121

Internet Explorer 75, 121

Interpreting 65, 68

IP address 45, 53

L

License information 21

Limited Edition 3, 21

Linking 55

M

Machine group 46, 48, 49, 51, 55

Machine summary results 66

Machines 7, 49, 53, 94

Manage items 39

Microsoft Download Center 6

Microsoft Knowledge Base 6, 68

Microsoft Security Bulletin 68

Microsoft SQL 3

Missing Patches 73

6

Monitoring 84

MSSecure.xml 6, 8, 57

My Domain 23, 28, 44, 46

My Machine 23, 28, 43, 46

My Test Machines 46, 48

O

Office Administrative Install Point 96

Office deployment 96

Options 11, 40, 76, 103, 105, 121

Organizational Unit 52

P

Patch deployment 79, 80, 89, 90, 93, 94, 96

Patch group 60, 61, 63

Patch status 8, 9, 73

PatchDetails4.xml 105, 106

Patches 8, 9, 10, 60, 61, 63, 70, 73, 75, 101, 109

PatchPush Tracker 84, 103

Prerequisites 12

Proxy server 17, 121

Q

QuickScan 23, 28, 34, 42, 44

QuickScan vs FullScan 34

Quiet mode 96

R

Reboot options 96

Recent items 28, 39

Registering 3, 21

Reports 125, 129, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141

Rescan 17, 103

S

Scan 6, 33, 34, 35, 40, 42, 43, 44, 45, 56, 57, 60

Scan results 65, 66, 68

Scan template 56, 57, 59, 60

Scan/Deployment history 141

Scanning prerequisites 33

Scheduling 35, 81, 83

SecurityFocus 70

Service pack 91

Set/Change credentials 37, 45

Setup Wizard 17

Shavlik 1, 145, 147

Software 11

SQL Server 96, 144

Supersedence 9

Support 145

System requirements 4

T

Testing deployment 81

Today's deployments 28, 88

Today's scans 28, 39

TruSecure 68, 70

TruSecure.xml 105, 106

U

UNC 76, 105

Uninstall 101

User interface 23, 28

V

Versions 3, 8

W

Windows Update 4, 68, 70

X

XML file 6, 9, 105, 106, 123

xml. 23, 34
