Shavlik Protect

Summary

The Patch Plus approach leverages Shavlik’s easy to use and manage Protect Console to address organizations’ top priorities. Patch Plus bundles Shavlik’s best-in-class patch management with asset inventory, power management, and antivirus protection in an easy-to-use, centralized console to simplify and automate the top IT management challenges faced by today’s IT environments. By bundling additional features along with Shavlik’s industry leading agentless asset discovery and broad, trusted application (Microsoft and 3rd party apps) update capabilities in a single console, organizations increase their operational efficiency without increasing management overhead or costs, and puts time back in the day of the IT Administrator.

A Closer Look

Any Patch, Anywhere Technology

And Shavlik doesn’t just find missing patches, we deploy them too. Shavlik Protect scans Microsoft and third party applications running on the machines in your network. It assesses the current patch status of those machines and enables you to deploy any missing patches. In addition, Shavlik Protect also provides a custom patch editor that enables you to create and maintain custom patches on your machines. This enables you to patch virtually any program on your network.

Shavlik- Only Vendor Patching Offline Virtual Machines

Shavlik has developed a way to patch all virtual machines, even those that are offline. This ensures that offline virtual images can be in a constant state of readiness to be deployed.

IT staff can quickly verify and report that 100% of the organization’s vulnerable machines – physical, virtual, and offline – have received a specific critical patch and are protected.

Agentless and Agent-Based Solution

Shavlik offers the industry’s only solution that blends Agentless and Agent-based operations providing a configurable architecture that meets the needs of diverse enterprise environments. In places where Agents are a necessity, we offer an extremely flexible and powerful Agent while our Agentless implementation provides complete coverage and reduces the management overhead related to deploying agents.

Antivirus + Antispyware

Powered by the Sunbelt VIPRE Enterprise Antivirus + Antispyware engine, Shavlik Protect delivers superior patch plus AV in a single agent for about the cost of your AV only solution.

Find and Track Your Physical and Virtual Assets

Shavlik’s unique agent-based and agentless architecture provides the industry’s most comprehensive asset and dynamic asset discovery. In minutes you’ll find physical and virtual machines you didn’t know you had and software you didn’t know was installed. The flexibility provided by this hybrid approach enables you to address every machine in your enterprise -- from stationary machines to frequently disconnected devices to machines located in the DMZ to machines in locations with bandwidth constraints.

Minimize Energy Costs, Maximize Patch Coverage

In the US alone, more than $2.8 billion of PC power is wasted every year by not shutting down or reducing the power state of computers when not in use. But care must be taken to ensure sleeping computers receive software updates (patches). With Protect Plus Power Management, administrators have centralized control to power machines off in the evenings and on weekends AND wake machines up to deploy critical security patches. Your company gets the best of both worlds – they get Greener IT and maximize patch coverage.

Product Features

The Protect approach bundles best-in-class patch management for Microsoft and 3rd party applications, with other key IT operational capabilities to simplify and automate the systems management challenges most relevant to current IT environments. Patch Plus delivers enterprise features without the enterprise cost or complexity.

• Ease of Use: You start managing your physical and virtual assets, software, patches, AV, and energy costs.

• Flexible & Robust Scanning Options: Shavlik Protect provides a number of ways to perform a scan. The home page provides simple one-click methods for beginning a scan. Or, you can begin scans from within a machine group or with a favorite group. Scans can also be performed by domain, organizational unit, machine name, IP address or IP range.
  
  Protect allows you to schedule when a patch will be executed on each remote system. The deployment can be set for a specific date/time, immediately, at next reboot, or they can be copied to the machine but not installed. Reboots can occur immediately after the installation of patches, scheduled at the next occurrence of a specific time, or a specific date/time.
• Automated Patch Deployment: By enabling the Auto Deploy option, you can automatically enforce patch policies by correcting any discrepancies found on the scanned machines. Any missing patches are automatically deployed immediately after the scan.
• ESXi Hypervisor Patching: Shavlik Protect can manage and track the vCenter Servers and the ESXi Hypervisors (ESXi hosts) that are used in your organization. You can:
  • Add vCenter Servers and ESXi hypervisors to Shavlik Protect
  • View basic configuration information about the vCenter Servers and the ESXi hypervisors
  • Perform a scan of the managed and unmanaged ESXi hypervisors
  • View the security bulletins that have already been installed on the managed and unmanaged ESXi hypervisors
  • View the security bulletins that are missing on the managed and unmanaged ESXi hypervisors
  • Deploy any missing security bulletins to the ESXi hypervisors
  • Power on and off the virtual machines that reside on your managed and unmanaged ESXi hypervisors
  
  
• Precise Reboot Options: Protect provides pinpoint control over when systems are rebooted- during planned downtime. This is a critical difference, particularly on servers. Shavlik enables administrators to specify detailed, granular reboot instructions that allow for system restarting during scheduled windows. Remediation and reboots can be scheduled separately.
• Support for Custom Patches: Shavlk Protect provides the ability to patch virtually any Windows application on your network, including custom applications and legacy applications. You can also scan for and deploy private patches from Microsoft Corporation. All of this is managed with the implementation of the Custom Patch File Editor. The editor’s wizard-like interface expertly guides you through the process of creating your own custom patch XML files. The program combines your custom XML files with the primary XML patch data file and uses that modified file when performing scans and deployments.
• Antivirus + Antispyware: For a fraction of the money you spend for antivirus protection today, you can have complete protection against the top security threats – operating system patching, application-level patching, virtual machine patching, and AV. Protect has integrated the ThreatTrack Security VIPRE Antivirus + Antispyware engine into the Shavlik Agent. You’ll save time by managing AV from the same familiar Protect Console and eliminate headaches by reducing the number of agents on your desktops and laptops.
• Asset Inventory and Tracking: IT can’t manage what it can’t see so an accurate asset inventory is an absolute necessity. Shavlik’s asset management gives you a dynamic, up-to-date method to track your software, hardware and virtual assets. You will discover physical and virtual machines you didn’t know you had and uncover software applications you didn’t know were installed. By eliminating these blind spots, you can quickly close the gaps in your security and policy compliance.
• Virtual Machine Management: Shavlik Protect enables you to scan and patch offline virtual machines. Offline virtual machines are those that aren’t powered on when a patch scan is performed. These virtual machines may be part of a roster kept to satisfy demand for more virtual machines quickly. It’s important to ensure that these systems are patched so that when they are brought online they don’t place your network at risk.
• Power Management: In the US alone, more than $2.8 billion of PC power is wasted every year by not shutting down or reducing the power state of these machines when not in use. But care must be taken to ensure sleeping computers receive software updates (patches). Protect Plus Power Management centralizes control from the familiar Protect Console to power machines off in the evenings and on weekends AND wake machines up to deploy critical security patches
• Active Protection with On-access File Scanning: Active Protection is an integrated component of the Antivirus + Antispyware engine. It provides real-time file scanning functions for each file as they are being accessed. This includes on-access scanning for all threats – including spyware, adware, malware, and viruses.
  
• Scheduled Data File Downloads: Automatically check for new patch and/or antivirus/spyware signatures on a recurring basis. The scheduled check and download function can occur hourly at intervals ranging from 1 to 24 hours – even when the Protect console is closed.
• Automated Synchronization of Distribution Servers: Define the interval when you’d like to sync your distribution servers with the Protect console or choose to manually sync your distribution servers. Specify that Shavlik Engines and Definitions be synchronized or Patches (or both).
• Comprehensive Reporting: More than 20 built-in reports ranging from Executive Dashboard to Patch Status Detail. Reports detail everything from Seat License Count to Patch Status to Threat summary and detail information. Advanced filtering allows you to obtain a very granular view all the way down to specific machines or specific patches. Reports can be exported in 9 different formats. Automatically email reports or notifications by defining the email recipients in scan template, deployment template, or machine group.
• Automated E-Mailer: Shavlik Protect provides the ability to automatically e-mail scan results and reports to machine owners, network administrators, or executives.
• Support for Multiple Console Configurations: For large organizations there are many advantages to maintaining multiple consoles:
• The consoles can reside at physically distinct locations and be close to the machines they are managing
• You can distribute the workload across multiple consoles
• The scans, deployments, and remediations are performed much quicker
• You won't tie up your network trying to scan hundreds of geographically distinct machines from one location
• It cuts down on a lot of network traffic, especially over WANs
• The results from each console can be rolled up to and viewed from one central location

• Shavlik Agent: Shavlik Agent is an agent service. The agents configured by Shavlik Agent are distributed agents, meaning they are installed on physically distinct machines and have the ability to independently initiate specific actions. They are configured via the Shavlik Protect interface and then installed on the desired machines either by executing a menu command from the Shavlik Protect console or by manually installing them off a CD or flash drive. With Shavlik Agent you can create as many different agent policies as necessary to manage your network. This provides a great deal of flexibility, enabling you to assign different agent configurations to different machines in your organization.
  
  Depending on how they are configured, when installed on a machine a Shavlik agent can:
  • Scan for and deploy missing patches
  • Scan for and remediate viruses, worms, Trojans and rootkits
  • Report the results to the local console
  
  
• Cloud Agents: Shavlik Protect agents can be installed from the cloud and can function without ever connecting directly to the Shavlik Protect console. Agent policies are uploaded from the console to the cloud where they are available to be downloaded by the agents. Agent results are uploaded to the cloud and then downloaded to the Shavlik Protect console.
• Machine Groups: Shavlik Protect uses machine groups to keep track of the machines that are included in a particular scan. The machine groups within Shavlik's product are flexible enough to allow you to organize and group machines based on OU, Domain or IP Ranges which will automatically identify new machines that are added to the network.
• Machine View: This extremely powerful and flexible tool enables you to display current information about every machine in your network that has been previously scanned and whose information resides in the database. It enables you to align management of your security posture with how you manage your network assets. The advantages of the Machine View include:
• You are not restricted to viewing just those machines involved in a particular scan. You can view all the machines that have ever been scanned.
• You can quickly assess the status of all machines in your organization.
• You can filter the information and drill down into the table for a more detailed analysis.
• You can view both patch and threat information at the same time. With the Scan view you can only view one or the other.
• Role-based Administration: You can assign different roles to different users of Shavlik Protect. This enables you to make the program available to a wide variety of people within your organization while maintaining control over its use. The role assigned to a user determines what that particular user can do.

Shavlik Protect 9.0

Console

Restrictions:

• An NTFS file system is required on the console machine
• If you install the console on a domain controller that uses LDAP certificate authentication, you may need to configure the server to avoid conflict issues between the SSL certificate and the Shavlik Protect program certificate. There is no easy way to configure this on a Windows Server 2003-based domain controller and this combination is not recommended for use as a console.
• If you install the console on two or more machines that share a database, all of the console machines must have unique security identifiers (SIDs) in order to prevent user credential problems. Machines are likely to have the same SIDs if you make a copy of a virtual machine or if you ghost a machine.

Processor:

• Minimum: 2 processor cores 2 GHz or faster
• Recommended: 4 processor cores 2 GHz or faster (for 250 - 1000 seat license)
• High performance: 8 processor cores 2 GHz or faster (for 1000+ seat license)

Memory:

• Minimum: 2 GB of RAM
• Recommended: 4 GB of RAM (for 250 - 1000 seat license)
• High performance: 8 GB of RAM (for 1000+ seat license)

Video:

• 1024 x 768 screen resolution or higher (1280 x 1024 recommended)

Disk Space:

• 100 MB for application
• 2 GB or more for patch repository

Operating System (one of the following):

Minimum:

• Windows XP Professional, SP3 or later (SP2 or later if using 64-bit version)
• Windows Vista, SP2 or later, Business, Enterprise, or Ultimate Edition
• Windows Server 2003 Family, SP2 or later

Recommended:

• Windows Server 2012 Family, excluding Server Core
• Windows Server 2008 Family SP2 or later, excluding Server Core
• Windows Server 2008 Family R2 SP1 or later, excluding Server Core
• Windows 8 or later, excluding Windows RT
• Windows 7 SP1 or later, Professional, Enterprise, or Ultimate Edition

Database:

• Use of a Microsoft SQL Server database [SQL Server 2005 (Full or Express Edition) or later]

  
  If you do not have a SQL Server database, the option to install either SQL Server 2012 Express Edition SP1 or SQL Server 2008 R2 Express Edition SP2 will be provided during the prerequisite software installation process. SQL Server 2008 R2 Express Edition SP2 is offered only if you are using an older operating system (Windows XP or Windows Server 2003) that does not support SQL Server 2012 Express Edition.

• Size: 1.5 GB

Prerequisite Software:(Installed automatically)

• Windows Installer 4.5 or later (only required if installing SQL Server 2012 Express SP1 or SQL Server 2008 R2 Express SP2 during Shavlik Protect installation)
• Use of Microsoft SQL Server 2005 (Full or Express Edition) or later
• Microsoft .NET Framework 4.0 or later
• Microsoft .NET Framework 2.0 SP2 (required for the ITScripts feature)
• Windows PowerShell 3.0, or Windows PowerShell 2.0 if your OS does not support v3.0 (required for the ITScripts feature)
• Windows Imaging Component
• Remote Desktop Connection (required for the RDP feature)
• Shavlik Protect 32-bit or 64-bit MSI file. The installation program will detect which version is supported by the console's operating system and will automatically download the correct file. This prerequisite does not apply if you are using the full download executable file as both versions of the MSI file are contained in the executable file.

Windows Account Requirements

• In order to access the full capabilities of Shavlik Protect, you must run under an account with administrator privileges

Configuration Requirements:

• When performing an asset scan of the console machine, Windows Management Instrumentation (WMI) service must be enabled and the protocol allowed to the machine. In Windows Firewall, on Windows XP/Windows 2003 machines the service is called Remote Administration, and on more recent Windows machines the service is called Windows Management Instrumentation (WMI)/Remote Administration.

Clients (agentless)

Operating Systems (any of the following):

• Windows 2000 Professional
• Windows 2000 Server
• Windows 2000 Advanced Server
• Windows 2000 Datacenter Server
• Windows 2000 Small Business Server
• Windows XP Professional
• Windows XP Tablet PC Edition
• Windows XP Embedded
• Windows Server 2003, Enterprise Edition
• Windows Server 2003, Standard Edition
• Windows Server 2003, Web Edition
• Windows Server 2003 for Small Business Server
• Windows Server 2003, Datacenter Edition
• Windows Vista, Home Basic Edition
• Windows Vista, Home Premium Edition
• Windows Vista, Business Edition
• Windows Vista, Enterprise Edition
• Windows Vista, Ultimate Edition
• Windows 7, Home Premium Edition
• Windows 7, Professional Edition
• Windows 7, Enterprise Edition
• Windows 7, Ultimate Edition
• Windows Server 2008, Standard
• Windows Server 2008, Enterprise
• Windows Server 2008, Datacenter
• Windows Server 2008, Standard - Core
• Windows Server 2008, Enterprise - Core
• Windows Server 2008, Datacenter - Core
• Windows Server 2008 R2, Standard
• Windows Server 2008 R2, Enterprise
• Windows Server 2008 R2, Datacenter
• Windows Server 2008 R2, Standard - Core
• Windows Server 2008 R2, Enterprise - Core
• Windows Server 2008 R2, Datacenter - Core
• Windows 8
• Windows 8 Pro
• Windows 8 Enterprise
• Windows Server 2012, Foundation Edition
• Windows Server 2012, Essentials Edition
• Windows Server 2012, Standard Edition
• Windows Server 2012, Datacenter Edition

Note: Windows 2000 machines must contain Internet Explorer 7.0 or later in order to receive patch deployments.

Virtual Machines (offline images created by any of the following):

• VMware ESX Server 4.0 or later (VMware Tools is required on the Virtual Machines)
• VMware ESXi 4.1 or later (VMware Tools is required on the Virtual Machines)
• VMware vCenter (formally VMware VirtualCenter) 4.0 or later (VMware Tools is required on the Virtual Machines)
• VMware Workstation 8.0 or later
• VMware Player

Configuration Requirements:

• Remote Registry service must be running
• Simple File Sharing must be turned off
• Server service must be running
• NetBIOS (tcp139) or Direct Host (tcp445) ports must be accessible
• When deploying patches on Windows Vista or later operating systems, the Windows Update service Startup type must be set to either Manual or Automatic.
• Remote Desktop connections must be allowed in order for the console to make an RDP connection with the target machine.

Products Supported:

• See http://xml.shavlik.com/data/supportedproduct78.htm for the current list

Disk Space:

• Free space equal to five times the size of the patches being deployed

Supported Languages (for patch download):

• Arabic, Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, English, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Thai, Turkish

Clients Running Shavlik Protect Agent

Note: An NTFS file system is required on agent machines.

Processor:

• 500 MHz or faster CPU

Memory:

• Minimum: 256 MB RAM
• Recommended: 512 MB RAM or higher

Disk Space:

• 30 MB for NetChk Agent client
• 500 MB or more for patch repository

Operating Systems (any of the following):

• Windows XP SP2 or later
• Windows Vista Family
• Windows 7 Family
• Windows 8 Family excluding Windows RT
• Windows Server 2003 Family
• Windows Server 2008 Family
• Windows Server 2008 Family R2
• Windows Server 2012 Family

Prerequisite Software:

• MSXML 3.0 or later

Configuration Requirements

• Workstation service must be running

Port Requirements

These are the default port requirements. The port numbers are configurable.

	Inbound Ports (Basic NAT Firewall)
	TCP 80	TCP 135	TCP 137-139 OR TCP 445 (Windows file sharing / directory services)	TCP 443	TCP 3121	TCP 3122	TCP 4155	TCP 5120	TCP 5985
Client System		X (For Asset Scans)	X				X (For listening agents)	X	X (For WinRM protocol)
Console System					X	X
Distribution Server	X		X	X

	Outbound Ports (Highly Restricted Network Environment)
	TCP 80	TCP 137-139 OR TCP 445 (Windows file sharing / directory services)	TCP 443	TCP 3121	TCP 5120	UDP 9
Client System	X (For Agents)	X	X (for Cloud Agents)	X (For Agents and Deployment Tracker)
Console System	X	X	X (for Cloud Sync)		X	X (For WoL & error reporting)
Distribution Server