Patch Deployment Security

Shavlik Protect takes the security of patch deployment very seriously. To that end, each patch undergoes up to three signature validation checks and is stored in a location on the remote machine with tight security permissions. If any of the signature checks fail, the patch will not be deployed.

During deployment, when a patch is copied to a remote system, the copy is not initiated unless the patch is signed. This is to prevent someone from tampering with the copy of the patch stored in the patch download directory. Before a patch is pushed out, it is always checked for a valid signature to ensure you are getting a legitimate patch.

Once the patch is copied to the deployment target it might sit for a period of time for a scheduled deployment. To prevent against someone from tampering with the patch, the signature is checked again before deploying on that machine. Additionally, the patch directory that Shavlik Protect creates on the remote machine has permissions set to LOCALSYSTEM and Local Administrators only so other users will not be able to modify, add or remove files from the deployment directory.