A big part of your strategy for managing security patches is having patch management software that can assist in the daunting task of detecting and deploying patches. Ecora’s Patch Manager product may fit the bill for your shop. Originally released last year as a beta product under the name Patchmeister, the product has a new name and price tag.
Free product available for trial
Ecora also offers PatchLite, a free product that performs patch detection and reporting but has no ability to deploy patches.
Installation and licensing
Patch Manager is available as a 15-day trial download from Ecora’s site. Prior to downloading you must set up an account with Ecora (this requires a username, company name, and e-mail address). After downloading and running the setup program, you must license the software prior to using it. Click on License and select Update License to begin the licensing process. Enter your Ecora username and password, and the trial license will download. The trial version is limited to scanning and patching 25 machines.
Each time you launch Patch Manager, the software will automatically check for updates in the patch database. If updates are available, a dialog box (see Figure A) will appear, giving you the option to select the updates to download and install. The software can also be updated manually by selecting File | Update from the drop-down menu. Keeping the database of available patches updated is, of course, an important component in patch management.
The Patch Manager interface is divided into two panes, with tabs on each pane (see Figure B). The left pane displays summary information and the right pane displays details. Once a scan is completed, the right pane separates into two panes, with the bottom pane displaying patch details. The buttons along the top of the screen control the main functions of the software.
Initially, it seemed that the interface was somewhat confusing, but after using the program for several days, the layout seemed to flow better and make more sense. The built-in help provides answers to many of the common questions, and a full user manual is available for download on Ecora’s Web site.
The first step in patch deployment is determining which patches need to be deployed to which machines on your network. Prior to running the scan, the software must perform a discovery of machines on your network. Click the Scan button to begin the discovery and scanning process, and the Systems Management dialog box (see Figure C) will open. Previously discovered systems appear in the top pane, and selected systems appear in the bottom pane.
Click the Discover button and the Systems Discover screen appears (see Figure D).
The Discover Options are Best Method, Active Directory, NetBIOS, and Specify Hosts. Select the option that works best for your environment. The Specify Hosts option provides the most flexibility in that hosts can be specified by NetBIOS domain name, host name, FQDN, or a range of IP addresses. If you select Best Method or NetBIOS, you will need to further select the domain or domains you wish to discover. Once you make your selection, click the Next button to begin the network discovery.
When the discovery is complete, the Systems Management dialog will display the systems discovered in the top pane. A second tab will now appear titled Manage Groups And Systems. This tab allows you to place systems into groups for easier management. Highlight a system or group and then click the Properties button to set the credentials for scanning (see Figure E).
By default, scanning is performed using the credentials of the user who is logged on. To properly detect patches, the scanning user account must be a member of the domain administrators group. In addition, all scanned machines must have the default administrator shares present or the scan will fail with insufficient credentials. On Windows 2000 and Windows XP machines, the remote registry service must also be enabled.
To select a system for scanning, highlight it and click the Select button or double-click it to move it to the bottom pane. Once you've selected all the systems you want to scan, click the OK button to begin scanning. Scan time will vary depending on the number of systems selected for scanning. When the scan is complete, the left pane will display the results of the scan. The three tabs on the left pane break the results down by hosts, products, and patches (see Figure F).
The Hosts tab displays the date and time of each recently completed scan. You can expand the results to list each PC scanned. Click on a particular PC to display the detailed information in the right pane. The details can be further divided by clicking the OS, IE, Media Player, or All button in the right pane. Clicking on a particular patch brings up the details of the patch in the lower portion of the right pane.
You can save the results of a scan in two ways: Clicking File | Save Scan lets you open the results of the scan later for examination and patch deployment. You can also save the results in HTML or CSV report format for later review by clicking File | Save. Specify the report file format by choosing File | Settings.
Once the scan is completed and you review the results, patch deployment can begin. Double-click the check box next to a listed patch to place a checkmark in the box and select the patch for deployment. Click the Push button to display the Push dialog box (see Figure G).
Patches can be installed immediately or scheduled for later by clicking the appropriate radio button. Clicking the Settings button allows you to set the patch install options. The Install Options allow you to use the QChain tool to push multiple patches at once with a single reboot. In addition, you can choose to reboot the remote machine after the patches are installed, and you can enter a separate username and password for access to the remote machine (see Figure H).
Before deployment, you must download the selected patches to the local system that is running the Patch Manager software by clicking the Download All button in the Push dialog box. This downloads the necessary patches to the appropriate directory in Patch Manager. If you do not click the Download All button, a dialog will inform you that the patches need to be downloaded before the deployment process can proceed.
Also, although the manual states that patches cannot be downloaded manually, Ecora’s tech support informed me it is possible to download the files outside the software as long as the files are placed in the proper directory.
When all the patches are downloaded, click the Push button to begin the Push process. Once the patches are pushed and executed on the remote machine, a dialog alerts the end user that the machine will be rebooted in 60 seconds. Patch Manager displays a status update on the local machine when the patches have been deployed (see Figure I).
The final step is to verify that the patches were successfully installed. Use Patch Manager to perform a new scan of the systems patched in order to verify that the patch deployment was completed.
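One way to carry out this verification outside the tool, as an added example (not Ecora's code): compare the CSV report saved before the push with the one saved from the follow-up scan. The column names and status values are assumptions, since the article does not document the report layout, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample reports. The columns (host, patch, status) are an assumed
# layout for illustration; the article does not document the real CSV format.
BEFORE_CSV = """host,patch,status
WS01,PATCH-A,Missing
WS01,PATCH-B,Missing
WS02,PATCH-A,Missing
WS02,PATCH-B,Installed
SRV01,PATCH-A,Missing
"""
AFTER_CSV = """host,patch,status
WS01,PATCH-A,Installed
WS01,PATCH-B,Installed
WS01,PATCH-C,Missing
WS02,PATCH-A,Missing
WS02,PATCH-B,Installed
"""

def load_scan(text):
    """Map (host, patch) -> status, normalising case and whitespace."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["host"].strip().upper(), r["patch"].strip().upper()):
            r["status"].strip().lower() for r in rows}

def verify_deployment(before_text, after_text):
    """Classify each patch that was missing before the push by its rescan state."""
    before, after = load_scan(before_text), load_scan(after_text)
    pushed = {k for k, s in before.items() if s == "missing"}
    rescanned = {host for host, _ in after}
    out = {"confirmed": [], "still_missing": [], "not_rescanned": [], "unknown": []}
    for key in sorted(pushed):
        if key[0] not in rescanned:
            out["not_rescanned"].append(key)      # host absent from follow-up scan
        elif after.get(key) == "installed":
            out["confirmed"].append(key)
        elif after.get(key) == "missing":
            out["still_missing"].append(key)      # still reported missing after push
        else:
            out["unknown"].append(key)            # host scanned, patch row absent
    # Patches first reported missing by the follow-up scan (e.g. database update)
    out["new_findings"] = sorted(k for k, s in after.items()
                                 if s == "missing" and k not in pushed)
    return out

if __name__ == "__main__":
    for bucket, items in verify_deployment(BEFORE_CSV, AFTER_CSV).items():
        print(f"{bucket}: {items}")
```

Hosts that land in `not_rescanned` or `still_missing` are the ones to investigate before treating the deployment as complete.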
Overall, my experience with the product was good. I did experience a few glitches and snags along the way, but Ecora’s tech support did an excellent job of resolving my issues. I exchanged several e-mails and phone calls during the time I was evaluating the product and always received a quick response. The company appears very dedicated to making Patch Manager a solid product.
Pricing for Patch Manager is on a per-node basis with an annual subscription. Prices range from $156 for a five-node license to $4,000 for a 500-node license. Additional discounts are available for purchasing multiple-year subscriptions.