One result of Microsoft's developing patch management strategy will be the eventual elimination of Shavlik Technologies LLC's scanning technology in favor of something developed in-house by Redmond.
Microsoft executives said recently that Shavlik's HFNetChk will not be a part of Windows Update Services (WUS), the next version of Microsoft's basic patching technology. HFNetChk, which Microsoft uses in its Microsoft Baseline Security Analyzer (MBSA), is the command-line tool that IT administrators use to assess whether computers lack security patches.
When WUS, formally called Software Update Services 2.0, is available later this year, customers will have a rebuilt scanning engine made by Microsoft, according to Steve Anderson, Microsoft's director of Windows Server marketing.
Eric Schultze, Shavlik's chief security architect and formerly a strategist on Microsoft's "trustworthy computing" team, said that most of Shavlik's revenue is from direct sales, so the loss of Microsoft as a marquee customer won't be a financial one.
"Microsoft is moving in its own direction, and it's a start in the right direction," Schultze said.
Picking up where WUS leaves off
Shavlik's HFNetChk will co-exist with WUS, but Schultze said that WUS still can't get every job done by itself. WUS will initially provide patching support only for Service Pack 3 and later versions of Windows 2000 Server; Windows Server 2003 and Windows XP Professional and subsequent versions; Office XP and Office XP Service Pack 2 and above; Exchange 2003; SQL Server 2000; and Microsoft SQL Server Desktop Engine 2000, according to Microsoft.
The latter three platforms are not yet supported by the initial WUS beta, according to the WUS data sheet. There is no support for Windows NT, Office 2000, Exchange 2000 or ISA [Internet Security and Acceleration] Server -- most of which are products still in wide use.
"[Our advantage] going forward is that Shavlik covers more products," Schultze said. "We do legacy products and we are adding more non-Microsoft platforms."
Schultze said that another key difference between WUS and HFNetChk is that WUS is agent-based and HFNetChk is agentless. (Agentless means that IT administrators can scan a computer without an agent installed on the machine.) WUS, by contrast, will require an agent on the client. The WUS scanning engine will contact a remote engine and ask for a WUS result.
Agents are helpful when there are devices on the network that are not always connected, such as laptops. During the time when a laptop is connected, the agent will wake up and permit scanning.
Shavlik, Roseville, Minn., also sells an agent-based product.
Analysts familiar with Microsoft's scanning technology said that WUS will help the company offer a more scalable technology. Microsoft is doing what it has to do to meet the needs of its clients, said Chris Byrnes, vice president at Meta Group, a Stamford, Conn., consulting firm.
"The integration of vulnerability assessment and patch management is something we are seeing across the industry, and Microsoft will follow that curve," Byrnes said.