Summary

With NetChk Protect 7, the Shavlik Security Suite now provides a comprehensive solution with defense in depth to fend off today’s threats. The Suite helps organizations remain proactive, ensuring systems are fully patched and properly configured, while allowing them to be reactive with an antivirus and active protection solution required for the polymorphic threats organizations are faced with today.

Shavlik NetChk Protect bridges your physical and virtual environments with a single, easy-to-manage console that takes the complexity out of patch management, discovers and catalogs your software, hardware, and virtual assets, and delivers antivirus + antispyware that is fast, light on system resources, and stops today’s malware.

A Closer Look

Agentless and Agent-Based Solution

Shavlik offers the industry’s only solution that blends Agentless and Agent-based operations providing a configurable architecture that meets the needs of diverse enterprise environments. In places where Agents are a necessity, we offer an extremely flexible and powerful Agent and our Agentless implementation provides complete coverage and reduces the management overhead related to deploying agents.

Shavlik- Only Vendor Patching Offline Virtual Machines

Shavlik Technologies has developed a way to patch all virtual machines, even those that are offline. This ensures that offline virtual images can be in a constant state of readiness to be deployed.

IT staff can quickly verify and report that 100% of the organization’s vulnerable machines – physical, virtual, and offline – have received a specific critical patch and are protected.

Simplify Network Security

Shavlik NetChk Protect provides you with an easy-to-implement, easy-to-use, and cost-effective method for improving your security posture. By taking the complexity out of the patch management task, it provides the fastest route to improved security and compliance. It also enables your less technical staff to manage the product.

Find and Fix Gaps in Your Network Security

Shavlik NetChk Protect has a unique architecture that combines agent-based and agentless technology to provide the industry’s most comprehensive discovery capability, allowing customers to confidently answer the question “How secure am I?” The flexibility provided by this hybrid approach enables you to address every machine in your enterprise -- from stationary machines to frequently disconnected devices to machines located in the DMZ to machines in locations with bandwidth constraints.

And Shavlik NetChk Protect doesn’t just detect gaps, it fixes them too. The program can be configured to immediately deploy all missing patches to machines immediately after a scan is performed. This one-step update process enables you to specify exactly when and how the patches will be deployed.

Any Patch, Anywhere Technology

Shavlik NetChk Protect scans Microsoft-based and third party programs running on the machines in your network. It assesses the current patch status of those machines and enables you to deploy any missing patches. In addition, Shavlik NetChk Protect also provides a custom patch editor that enables you to create and maintain custom patches on your machines. This enables you to patch virtually any Windows program on your network.

Product Features

Shavlik NetChk Protect contains a large number of product features. In addition to reviewing the following list, you can also see several of the product features in action by viewing the product tutorials available by clicking here.

• Ease of Use: Go from download to scanning in 30 minutes or less, leveraging Shavlik’s easy to use, industry-standard user interface. Offers a robust user experience, all from a single console.
• Multi-Tasking GUI: In NetChk Protect 7, you can launch a scan and continue to work within the console – whether that involves launching additional scans, downloading patches, reviewing prior scan results, or initiating deployments, all at the same time.
• Antivirus + Antispyware: NetChk Protect 7 includes a feature complete antivirus + antispyware engine. This next generation antimalware engine performs standard antivirus functions, including signature- and heuristic-based threat detection and remediation, behavioral analysis, and whitelisting.
• Active Protection with On-access File Scanning: Active Protection is an integrated component of the Antivirus + Antispyware engine. It provides real-time file scanning functions for each file as they are being accessed. This includes on-access scanning for all threats – including spyware, adware, malware, and viruses.
• Asset Management - Discover and Track: Shavlik’s asset management gives you a dynamic, up-to-date method to track your software, hardware and virtual assets.  You will discover physical and virtual machines you didn’t know you had and uncover software applications you didn’t know were installed. By eliminating these blind spots, you can quickly close the gaps in your security and policy compliance. The virtual machine asset information consolidates information about resources assigned to virtual machines as well as the operating system and applications installed. This puts all the relevant information at your finger tips enabling IT to make decisions with confidence and accuracy.
  
• Scheduled Data File Downloads: NetChk Protect 7 can be configured to automatically check for new patch and/or antivirus/spyware signatures on a recurring basis. The scheduled check and download function can occur hourly at intervals ranging from 1 to 24 hours – even when the NetChk console is closed.
• Automated Synchronization of Distribution Servers: With NetChk Protect 7, you can define the interval when you’d like to sync your distribution servers with the NetChk console or choose to manually sync your distribution servers. Specify that Shavlik Engines and Definitions be synchronized or Patches (or both). Distribution Server synchronization is linked to Scheduled Data File Downloads where you define the interval as every X hours, ranging from 1 to 24 hours. No more manual synchronization steps are needed.
• Support for Offline Virtual Images: Shavlik NetChk Protect enables you to scan and patch offline virtual images. Offline virtual images are those that aren’t powered on when a patch scan is performed. These virtual images may be powered on for only a few hours or days a month and then powered off until they are needed again the next month. It’s important to ensure that these systems are patched so that when they are brought online they don’t place your network at risk.
  
  Shavlik NetChk Protect makes it easy to scan and patch these offline virtual images. You simply reference the offline image or folder of images in a machine group and perform a scan like usual. You can also scan desktops and servers for the presence of virtual images that you may not even know about. Once the virtual images are identified, Shavlik NetChk Protect will perform a full patch assessment of each image and display the scan results alongside the results for running systems.
  
  Patching offline virtual images is similarly simple. You simply highlight the images and patches you’d like to install and then select Deploy from the Shavlik NetChk Protect menu. The patches will be copied to the offline images and will be installed the moment that the virtual image is started (or according to its scheduled deployment time).
• Flexible & Robust Scanning Options: Shavlik NetChk Protect provides a number of ways to perform a scan. The home page provides simple one-click methods for beginning a scan. Or, you can begin scans from within a machine group or with a favorite group. Scans can also be performed by domain, organizational unit, machine name, IP address or IP range.
  
  NetChk Protect allows you to schedule when a patch will be executed on each remote system. The deployment can be set for a specific date/time, immediately, at next reboot, or they can be copied to the machine but not installed. Reboots can occur immediately after the installation of patches, scheduled at the next occurrence of a specific time, or a specific date/time.
• Precise Reboot Options: NetChk Protect provides pinpoint control over when systems are rebooted- during planned downtime. This is a critical difference, particularly on servers.  Shavlik enables administrators to specify detailed, granular reboot instructions that allow for system restarting during scheduled windows. Remediation and reboots can be scheduled separately.
• Automated Patch Deployment: By enabling the Auto Deploy option, you can automatically enforce patch policies by correcting any discrepancies found on the scanned machines. Any missing patches are automatically deployed immediately after the scan.
• Support for Custom Patches: The program provides the ability to patch virtually any Windows application on your network, including custom applications and legacy applications. You can also scan for and deploy private patches from Microsoft Corporation. All of this is managed with the implementation of the Custom Patch File Editor. The editor’s wizard-like interface expertly guides you through the process of creating your own custom patch XML files. The program combines your custom XML files with the primary XML patch data file and uses that modified file when performing scans and deployments.
• Comprehensive Reporting: More than 20 built-in reports ranging from Executive Dashboard to Patch Status Detail. Reports detail everything from Seat License Count to Patch Status to Threat summary and detail information. Advanced filtering allows you to obtain a very granular view all the way down to specific machines or specific patches. Reports can be exported in 9 different formats. Automatically email reports or notifications by defining the email recipients in scan template, deployment template, or machine group.
• Automated E-Mailer: Shavlik NetChk Protect provides the ability to automatically e-mail scan results and reports to machine owners, network administrators, or executives.
• Support for Multiple Console Configurations: For large organizations there are many advantages to maintaining multiple consoles:
• The consoles can reside at physically distinct locations and be close to the machines they are managing
• You can distribute the workload across multiple consoles
• The scans, deployments, and remediations are performed much quicker
• You won't tie up your network trying to scan hundreds of geographically distinct machines from one location
• It cuts down on a lot of network traffic, especially over WANs
• The results from each console can be rolled up to and viewed from one central location

• Shavlik NetChk Agent: Shavlik NetChk Agent is an agent service. The agents configured by Shavlik NetChk Agent are distributed agents, meaning they are installed on physically distinct machines and have the ability to independently initiate specific actions. They are configured via the Shavlik NetChk Protect interface and then installed on the desired machines either by executing a menu command from the Shavlik NetChk Protect console or by manually installing them off a CD or flash drive. With Shavlik NetChk Agent you can create as many different agent policies as necessary to manage your network. This provides a great deal of flexibility, enabling you to assign different agent configurations to different machines in your organization.
  
  Depending on how they are configured, when installed on a machine a Shavlik agent can:
• Scan for and deploy missing patches
• Scan for and remediate viruses, worms, Trojans and rootkits
• Report the results to the local console
• Machine Groups: Shavlik NetChk Protect uses machine groups to keep track of the machines that are included in a particular scan. The machine groups within Shavlik's product are flexible enough to allow you to organize and group machines based on OU, Domain or IP Ranges which will automatically identify new machines that are added to the network.
• Machine View: This extremely powerful and flexible tool enables you to display current information about every machine in your network that has been previously scanned and whose information resides in the database. It enables you to align management of your security posture with how you manage your network assets. The advantages of the Machine View include:
• You are not restricted to viewing just those machines involved in a particular scan. You can view all the machines that have ever been scanned.
• You can quickly assess the status of all machines in your organization.
• You can filter the information and drill down into the table for a more detailed analysis.
• You can view both patch and threat information at the same time. With the Scan view you can only view one or the other.
• Role-based Administration: You can assign different roles to different users of Shavlik NetChk Protect. This enables you to make the program available to a wide variety of people within your organization while maintaining control over its use. The role assigned to a user determines what that particular user can do.

All products created by Shavlik Technologies are built upon the following product principles. There are a number of examples of each principle evident in Shavlik NetChk Protect.

• Simplicity: If a product is difficult to use, chances are it won’t get used, no matter how many bells and whistles it may have. Our interface takes the complexity out of managing security.
• Easy to scan for and deploy patches enabling IT staff to manage more systems
• Ease-to-use asset management feature enables you to track and report your software, hardware, and virtual assets.
• Most direct route to patch compliance
• Fully automated vulnerability lifecycle
• Operationalize security, freeing up your critical IT staff for other tasks
• Facilitates gains in operational efficiency and delivers cost savings by simplifying complex network security
• Thoroughness: Our core security engines enable Shavlik to provide the industry’s deepest and broadest scanning capability that automatically detects and closes the gaps in your security state.
• Agent-based and agentless technology provides the best coverage
• Shavlik Technologies is the leader in accuracy, depth, and breadth of status on patches, configurations and unapproved software
• No need for rescans or use other tools- do it right the first time
• Detect and remove potentially harmful applications
• Provides coverage of 3rd Party Applications
• Used to audit other solutions for errors and omissions
• Validates that your patch policy requirements were actually implemented
• Default scan templates report on all installed and missing patches
• Architectural Flexibility: When working with rapidly changing technologies, flexibility is key. NetChk Protect provides you with the control to manage your network the way you want. You decide when and what systems are patched. Start scanning within 30 minutes or design a very detailed plan, it’s your choice.
  Shavlik NetChk Protect is extremely flexible because it:
• Offers multiple deployment options
• Is non-intrusive
• Can operate in either agentless or agent-based modes- you choose
• Provides the industry’s most flexible and granular deployment options
• Works with multiple products- Windows 2000 Professional Gold or later, Windows XP Professional SP1 or later, Windows 2000 Server Gold or later, Windows Server 2003 Family, Windows Server 2008 Gold or later and Windows Vista SP1
• Works with multiple machine types- servers, desktops, laptops, virtual machines
• Uses XML-based files that are constantly being updated to reflect ever changing software environments.
• Scalability: You want a product that is able to grow with your company. Shavlik NetChk Protect has the ability to accommodate ever increasing numbers of machines and software products.
• Distributed architecture
• Centralized management
• Agent/Agentless to address many different connectivity options
• Manage thousands of machines from a single console
• Time-to-Value: You want to be able to immediately begin using your investment. With its easy to use and intuitive interface, Shavlik NetChk Protect has you scanning, assessing, and patching your network in no time. Because there are very few setup tasks needed before using the product, the “time-to-value” payoff with Shavlik NetChk Protect is extremely high.

Protect 7

Console

Processor:

• Minimum: 500 MHz CPU
• Recommended: 2.0 GHz CPU (multi-processor machine if more than 1000 seat license)

Memory:

• Minimum: 256 MB of RAM
• Recommended: 2 GB of RAM (4 GB if more than 1000 seat license)

Video:

• 1024 x 768 screen resolution or higher (1280 x 1024 recommended)

Disk Space:

• 60 MB for application
• 2 GB or more for patch repository

Operating System (one of the following):

Note: NetChk Protect supports 32- and 64-bit versions of the listed operating systems for both console and target systems. Also note that a domain controller cannot be used as a console.

Minimum:

• Windows XP Professional, SP3 or later (SP2 or later if using 64-bit version)
• Windows Vista, SP1 or later, Business, Enterprise, or Ultimate Edition

Recommended:

• Windows Server 2003 Family, SP2 or later
• Windows Server 2008 Family, excluding Server Core

Database:

• Use of a SQL Server database (SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2008, or SQL Server 2008 Express Edition) is required. If you do not have a SQL Server database, the option to install SQL Server 2008 Express Edition will be provided during the prerequisite software installation process.
• Note: SQL Server 2000 is supported in 7.0 but is not supported as a back-end database in 7.1 or later
• Size: 1.5 GB

Prerequisite Software:

• MSXML 6.0 SP2 Hotfix (for 7.1 or later)
• Internet Explorer 6.0 or later
• Windows Installer 4.5 or later (only required if installing SQL Express 2008 during NetChk Protect installation)
• Use of Microsoft SQL Server 2000 Service Pack 4 (or later), SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2008, or SQL Server 2008 Express Edition
• SQL Native Client or SQL 2008 Native Client (if using SQL Server 2008)
• Microsoft .NET Framework 3.5, SP1 or later
• Visual C++ 2008 SP1 Redistributable Package (provided in 7.1 or later)
• VMware^® Virtual Disk Development Kit 1.0.1

Configuration Requirements (7.1 or later):

• When performing an asset scan of the console machine, Windows Management Instrumentation (WMI) service must be enabled and the protocol allowed to the machine. In Windows Firewall, on Windows XP/Windows 2003 machines the service is called Remote Administration, and on Windows Vista/Windows Server 2008 machines the service is called Windows Management Instrumentation (WMI)/Remote Administration.

Clients (agentless)

Browser:

• Internet Explorer 4.0 or later required to receive patch deployments

Operating Systems (any of the following):

• Windows NT Workstation 4.0 SP6a or later
• Windows NT Server 4.0 SP6a or later
• Windows NT Server 4.0, Enterprise Edition SP6a or later
• Windows NT Server 4.0, Terminal Server Edition SP6a or later
• Windows 2000 Professional
• Windows 2000 Server
• Windows 2000 Advanced Server
• Windows 2000 Datacenter Server
• Windows 2000 Small Business Server
• Windows XP Professional
• Windows XP Tablet PC Edition
• Windows Server 2003, Enterprise Edition
• Windows Server 2003, Standard Edition
• Windows Server 2003, Web Edition
• Windows Server 2003 for Small Business Server
• Windows Server 2003, Datacenter Edition
• Windows Vista, Home Basic Edition
• Windows Vista, Home Premium Edition
• Windows Vista, Business Edition
• Windows Vista, Enterprise Edition
• Windows Vista, Ultimate Edition
• Windows Server 2008, Standard
• Windows Server 2008, Enterprise
• Windows Server 2008, Datacenter
• Windows Server 2008, Standard - Core
• Windows Server 2008, Enterprise - Core
• Windows Server 2008, Datacenter - Core

Virtual Machines (offline images created by any of the following):

• VMware ESX Server 3.0 or later
• VMware VirtualCenter 2.0 or later
• VMware Server
• VMware Workstation 4.0 or later
• VMware Player

Configuration Requirements:

• Remote Registry service must be running
• On Windows XP machines, Simple File Sharing must be turned off
• Server service must be running
• NetBIOS (tcp139) or Direct Host (tcp445) ports must be accessible
• When performing an asset scan, Windows Management Instrumentation (WMI) service must be enabled and the protocol allowed to the machine (TCP port 135). In Windows Firewall, on Windows XP/Windows 2003 machines the service is called Remote Administration, and on Windows Vista/Windows Server 2008 machines the service is called Windows Management Instrumentation (WMI)/Remote Administration.

Disk Space (for patch program):

• Free space equal to five times the size of the patches being deployed

Supported Languages (for patch program):

• Arabic, Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, English, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Thai, Turkish

Clients Running NetChk Agent

Processor:

• 500 MHz or faster CPU

Memory:

• Minimum: 256 MB RAM
• Recommended: 512 MB RAM or higher

Disk Space:

• 30 MB for NetChk Agent client
• 500 MB or more for patch repository

Operating Systems (any of the following):

• Windows 2000 SP4 or later
• Windows XP SP2 or later
• Windows Vista Family
• Windows Server 2003 Family
• Windows Server 2008 Family

Prerequisite Software:

• MSXML 3.0 or later

Port Requirements

These are the default port requirements. The port numbers are configurable.

	Inbound Ports (Basic NAT Firewall)
	TCP 80	TCP 135	TCP 139 OR TCP 445	TCP 3121	TCP 4155	TCP 5120	TCP 443
Client System		X (For Asset Scans)	X		X (For listening agents)	X
Console System				X
Distribution Server	X		X				X

	Outbound Ports (Highly Restricted Network Environment)
	TCP 80	TCP 139 OR TCP 445	TCP 3121	TCP 5120
Client System	X (For Agents)	X	X (For Agents)
Console System	X	X		X
Distribution Server