Technology Overview
Advanced Network Security Assessment Technology
The Shavlik NetChk scan engine is the industry standard network security assessment tool. Previously licensed by Microsoft for use in the Microsoft Baseline Security Analyzer and the SMS 2003 SUS Feature Pack, the Shavlik NetChk engine has been significantly improved over time and continually adds ability to scan for even more products and security patches.
The Shavlik NetChk engine uses an Extensible Markup Language (XML) file that contains information about which Microsoft security hotfixes are available for each product. The XML file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:
- files in each hotfix package and their file versions
- registry keys that were applied by the hotfix installation package
- information about which patches supersede which other patches
- related Microsoft Knowledge Base article numbers
- third party analysis of the threat posed by a patch's vulnerability
- links to additional information from Bugtraq (BugtraqID) and cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by Mitre.org (CVEID) and much more.
The XML file, called HFNetChk6b.XML, was created and is hosted by Shavlik Technologies.
When you run Shavlik NetChk, the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file -- a digitally signed .cab file -- is available on the Shavlik web site in compressed form. Shavlik NetChk downloads the CAB file, verifies its digital signature, and then decompresses the CAB file to your local computer. If the CAB file is not located or cannot be downloaded, Shavlik NetChk will attempt to download an uncompressed copy of this file from the Shavlik website via SSL (https).
After the CAB file is decompressed, Shavlik NetChk scans your computer (or the selected computers) to determine the operating system, service packs, and programs that you are running. Shavlik NetChk then parses the XML file and identifies security patches that are available for your combination of installed software. Patches that are available for your computer but are not currently installed on your computer are displayed as
in the resulting output. In the default configuration, Shavlik NetChk output displays only those patches that are necessary to bring your computer up to date. Shavlik NetChk recognizes roll-up packages and does not display those patches that are superseded by later patches.
In order to ensure a patch has been successfully installed and is still valid on a given system, the NetChk engine validates that the files that shipped in that patch are still present on the system being scanned. The file name, location, and version of each file in the patch is checked against the corresponding file on each system. If the file version of each file is equal to or greater than expected, the patch is considered installed. If any file version on the system being scanned is less than expected, the patch is flagged as missing.
Sometimes, patches that you have previously installed can be 'regressed' or effectively undone by the installation of Microsoft or third party applications. The NetChk scan algorithm will detect these instances and will flag these patches as uninstalled, citing the regressed file version as the reason the patch is no longer valid.
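The detection rule in the two paragraphs above (every file a patch shipped must be present at or above its expected version; a lower version marks the patch missing and is cited as the reason; superseded patches are suppressed from the default output) can be written down as a small checker. The following is an added example, not Shavlik code: the XML fragment mirrors the kinds of fields the text lists but its element and attribute names, bulletin ids and versions are all constructed for this illustration, and the "regressed" versus "missing" distinction is a heuristic for the example (some files still at the patched version, others below it).

```python
import xml.etree.ElementTree as ET

# Constructed patch data modelled on the fields the text describes (bulletin,
# files with expected versions, supersedence). Element and attribute names
# are assumptions for this example, not the real HFNetChk XML schema.
PATCH_XML = """
<Bulletins>
  <Bulletin id="MSXX-001">
    <File path="system32/a.dll" version="5.1.2600.1106"/>
    <File path="system32/b.dll" version="5.1.2600.1106"/>
  </Bulletin>
  <Bulletin id="MSXX-002" supersedes="MSXX-001">
    <File path="system32/a.dll" version="5.1.2600.1200"/>
    <File path="system32/b.dll" version="5.1.2600.1200"/>
  </Bulletin>
  <Bulletin id="MSXX-003">
    <File path="system32/c.dll" version="5.1.2600.1300"/>
  </Bulletin>
</Bulletins>
"""

# Constructed inventory of the scanned machine: path -> installed file version.
# b.dll sits below what MSXX-002 shipped (a regression); c.dll is absent.
SCANNED_FILES = {
    "system32/a.dll": "5.1.2600.1200",
    "system32/b.dll": "5.1.2600.1150",
}


def parse_version(text):
    """Turn a dotted file version into a zero-padded 4-tuple so that
    tuple comparison orders versions numerically, not lexically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def load_bulletins(xml_text):
    """Map bulletin id -> {'supersedes': id or None, 'files': {path: version}}."""
    bulletins = {}
    for b in ET.fromstring(xml_text).findall("Bulletin"):
        bulletins[b.get("id")] = {
            "supersedes": b.get("supersedes"),
            "files": {f.get("path"): f.get("version") for f in b.findall("File")},
        }
    return bulletins


def check_files(files, inventory):
    """Return (path, found, expected) for every shipped file that is absent
    or whose installed version is below the version the patch shipped."""
    problems = []
    for path, expected in files.items():
        found = inventory.get(path)
        if found is None or parse_version(found) < parse_version(expected):
            problems.append((path, found, expected))
    return problems


def assess(xml_text, inventory, show_superseded=False):
    """Return bulletin id -> 'installed' or (status, [reasons]).
    Bulletins superseded by a later bulletin are hidden by default."""
    bulletins = load_bulletins(xml_text)
    superseded = {b["supersedes"] for b in bulletins.values() if b["supersedes"]}
    report = {}
    for bid, b in bulletins.items():
        if bid in superseded and not show_superseded:
            continue
        problems = check_files(b["files"], inventory)
        if not problems:
            report[bid] = "installed"
            continue
        # Heuristic for this example: if some shipped files still meet the
        # expected version while others fell below it, a previously installed
        # patch was most likely regressed by a later install.
        status = "regressed" if len(problems) < len(b["files"]) else "missing"
        reasons = [
            f"{path}: {'absent' if found is None else 'found ' + found}, expected {expected}"
            for path, found, expected in problems
        ]
        report[bid] = (status, reasons)
    return report


if __name__ == "__main__":
    for bid, result in assess(PATCH_XML, SCANNED_FILES).items():
        print(bid, result)
```

Running the block reports MSXX-002 as regressed (b.dll cited with its found and expected versions) and MSXX-003 as missing (c.dll absent), while MSXX-001 is not shown because MSXX-002 supersedes it; passing `show_superseded=True` lists it as installed.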
Network Security Built-In
Shavlik Technologies was founded as a network security company several years before delivering its first off-the-shelf software solution, so Shavlik security experts designed network security into its products from the ground up. This gives us certain advantages over competing solutions that were forced to add security features to their products after the fact.
Below are some of the security features built in to Shavlik's solutions.
Patch Management - Check digital signature when downloading patches
After each patch is downloaded the Shavlik NetChk application automatically checks the digital signature of each patch. This ensures that the patch was both completely downloaded and is a legitimate patch. If the patch does not have a digital signature, either because it wasn't completely downloaded or it wasn't a valid patch, the application will not display this patch as downloaded and will not make the patch available for deployment.
The presence of the digital signature ensures that the patch has not been modified since it was created and signed. Shavlik checks several fields of the digital signature to ensure that the patch was signed by the intended audience and has not been tampered with since the release of the patch.
In most instances, failure to pass the digital signature check usually results from an incomplete download. This situation can be remedied by clearing the browser cache and re-downloading the patch.
To manually check the digital signature of the patch, right-click the patch name in the Windows Explorer window and select 'Properties'. If the file is digitally signed, it will have a Digital Signatures tab.
To verify that the signature is valid, select the Digital Signatures tab, highlight the signature and click the Details button. If the signature is valid, it will say 'The digital signature is OK'.
Check digital signature of downloaded patch database
The Shavlik NetChk scan engine downloads a patch database (hfnetchk5.cab) each time a scan is done. This database is created by Shavlik Technologies and includes all of the detailed patch information that assists the scan engine in determining the patch status of a given machine.
It is important that this patch database is genuine and complete. To this end, the patch database has been digitally signed by Shavlik Technologies and the scan engine will only use CAB files that are signed by Shavlik Technologies. If the CAB file has been modified by a third party, or has been replaced by a non-genuine source, the scan engine will halt and will not perform a patch scan. Only genuine patch database files can be used when performing patch scans.
NetChk system functions called only by Shavlik signed executables
The Shavlik NetChk application is a network security application. It is important that security applications monitor themselves to ensure that they are not modified by untrusted sources (thus becoming a security vulnerability on your network, rather than a security aid!).
To help ensure that the Shavlik application is free from malicious code and prevent trojans from violating the program or accessing sensitive information, the application performs several security self-checks. Specifically, each key Shavlik executable will only call key Shavlik-signed executables and DLLs. Likewise, all important Shavlik DLLs will only accept calls from signed Shavlik executables and DLLs. If a key EXE or DLL file is trojaned, the Shavlik digital signature will not be present and the requested function will not be executed.
Encrypted storage of cached credentials
The Shavlik NetChk application includes the ability to store usernames and passwords that are used for the patch scanning and deployment process. These credentials are extremely sensitive pieces of information and it is important to carefully guard access to this data.
Shavlik NetChk uses secure, tested encryption routines to ensure that the password information entered into the console is only available to trusted individuals. Shavlik uses Microsoft's Data Protection API (DPAPI), a secure, robust encryption routine that has been thoroughly reviewed by third party security professionals.
When credentials are presented to the Shavlik NetChk application, they are encrypted with DPAPI and are only available to the user who is currently logged on to the console (and entered the credentials), and is only available to this user from the same console where they entered the credentials. If a second person logs onto the console, they will need to enter their own credentials for each group of machines they wish to scan, as they are unable to access or decrypt the credentials entered by the first user. Similarly, if the original user entered their credentials to a shared SQL database from console1, they will need to re-enter their credentials if they are accessing the database from console2. (Shavlik has added a function to 'export credentials' from one console to another, though this may only be performed by the original user who entered the credentials, and only from the original console).
Uses built-in Operating System security during login and network communication (including Kerberos)
The Shavlik NetChk scan engine uses the built-in Operating System security mechanisms when communicating with other machines on the network. Specifically, when initiating a scan of a remote machine, the console will attempt to establish an authenticated session to the remote system over the Microsoft Session Service (TCP139) or Direct Host Service (TCP445). The connection requests are passed from the NetChk scan engine to the console's network stack where it is then managed by the OS security posture configured on the local console.
By default, the Operating System authenticates with remote systems using the NTLM challenge-response process. During this process, the user's password is never sent across the network. Instead, the console requests a session with the remote system, the remote system issues a challenge token, the console machine encrypts the user's password with the challenge token, and the encrypted response is then sent back to the remote system. The encryption process uses a One Way Function (OWF) to encrypt this data, ensuring that it cannot be 'reversed'.
Systems may be further modified to use a stronger form of network traffic encryption, known as NTLMv2. If the Shavlik NetChk console has been configured to use NTLMv2 and the remote systems have been configured to use NTLMv2, then the passwords will traverse the network using the NTLMv2 protocol.
Further, if both the console machine and the remote machine are part of the same Active Directory Forest, and the machines are communicating with each other using fully qualified domain names, the authentication process can use the Microsoft Kerberos implementation to authenticate with each other.
It is important to note that the Shavlik NetChk scan engine is not performing any of its own authentication. It is using the underlying security of the Operating System and the network. It is no more and no less secure than the mechanisms used by clients to log on to the domain or to access resources from a file server.
Customers who wish to enhance their network security protocols can implement IPSec (or similar) for network encryption, and two-factor authentication for login to systems; the Shavlik NetChk scan engine will then take advantage of these security mechanisms while doing its scan and deployment function.
Check digital signature when pushing patches to remote machines
Shavlik NetChk checks the digital signatures of the patches as they are downloaded from the vendor and moments before they are copied to remote systems.
During the patch deployment process, Shavlik NetChk copies the patches to specified locations on the remote machines. By default, these locations are secured such that only administrators (and the local system) can access these patches. This is important, as allowing regular users to access these patches might provide the local user with the chance to perform a privilege escalation attack. (Since the patch installation process runs with administrative permissions on the local system, replacing the intended patch with an executable to 'add my user account to the admins group' is an effective way of escalating one's permissions above the intended security state.)
To guard against privilege escalation attempts and other malicious activity, the deployment process on the remote machine also checks the digital signature of the patch a third time, to ensure that the patch is complete and is genuine. If the digital signature is not present and valid, the patch will not install.
Encrypted communication between remote machines and PatchPush Tracker
The Shavlik PatchPush Tracker is an application that helps monitor patch installation status on the remote systems. Each action, such as 'patch waiting for installation', 'patch installing', or 'patch installed, waiting for reboot', is sent from the remote machine to the Shavlik console and is encrypted to ensure that the data cannot be easily read by other computers on the network.
Patch Management - Extensive Patch Testing Process
Shavlik tests all Microsoft network security patches before making them available for scanning and deployment with Shavlik NetChk solutions. Specifically, when a new patch is released, or an existing patch is updated, Shavlik patch testing ensures the following:
- Bulletin and patch specific information from Microsoft, including the bulletin title, bulletin number, bulletin summary, KB numbers, and download meta page URLs have been accurately stated and recorded.
- Patches for each bulletin in each Shavlik support language are available at the vendor specified download location.
- Patches have been digitally signed by Microsoft.
- The patch fingerprint consisting of affected products and services packs, filenames, file versions, file locations, file checksums, and registry keys written by the patch are accurately recorded in the Shavlik XML files.
- The deployment instruction set, including the direct download URL for each patch for each Shavlik supported language, the patch size, and installation and rollback switches for silent, unattended, and no-reboot installation, is accurately recorded in the Shavlik XML files.
Shavlik then tests each patch in each Shavlik supported language on each Operating System\Service Pack\Application combination to ensure proper detection, installation, and rollback (where applicable). File by file comparisons are performed before and after patch installation to ensure patch supersedence has been properly taken into account. The Shavlik lab is equipped to test patches against hundreds of Operating System and Application combinations to ensure that patch assessment and deployment functions will operate as intended on client systems.
Further, Shavlik rigorously tests each patch to ensure that installation or rollback of the patch does not introduce unintended consequences on the system, including loss of application compatibility, feature break, or regression. Any issues specific to installation, rollback, and/or performance are noted in the Shavlik XML file and are displayed to customers via the 'Shavlik Comment' portion of the Shavlik NetChk interface. When needed, Shavlik confers with Microsoft to ensure that the patch meets expectations.
Note: Shavlik does NOT test the patches to ensure that they address the security issue referenced in the security bulletin. This testing is best performed by the vendor (Microsoft) and the security researcher who initially reported the security flaw. Shavlik does, however, test the patches in all other aspects to ensure a smooth experience for their customers with respect to installation, rollback, and basic functionality.
Once the patch and the fingerprint and deployment data have been approved by the Shavlik lab, the Shavlik XML files are CABbed, signed, and posted to xml.shavlik.com.
Emails are then sent to members of the Shavlik-XML mailing list informing them of the availability of the new XML files. More information about the Shavlik-XML mailing lists is available here: http://hfnetchk.shavlik.com/xmlsubscribe.asp
Copies of the XML announce mailings are also posted to the XML Announcements forum: http://forum.shavlik.com/viewforum.php?f=29
Shavlik strives to have the patch XML files for new patch releases made available on the same business day the bulletin and patches are announced. To date, Shavlik has met this goal and updated XML files have been available on the same business day as the bulletins have been released. Please note, however, that XML updates may not be available for 24 hours or longer after bulletin release should our testing warrant additional time.
More information about the time between Microsoft's bulletin release and the availability of the XML files can be found in Shavlik KnowledgeBase Article SKB 83: http://forum.shavlik.com/viewtopic.php?t=83
Agents or Agentless For Flexible Deployment
To use an agent or not should be your choice. Many vulnerability management solutions require you to install an agent on each computer you want to manage. Without an agent, you cannot check a computer, and you may not even know it is on your network and unsecured. These agents use valuable network and computer resources, oftentimes using many more resources than are needed for the minimal work they do. In some cases, the agents also conflict with other applications you have installed on those systems, forcing you to spend additional time resolving complex configuration issues.
With the Shavlik solution, you choose whether to use an agent-based solution. The agentless approach allows you to manage connected systems with minimal installation and configuration requirements. You can be up and running within 30 minutes, and the advanced product design limits the impact on your network resources. For example, while many network scanning products send 50MB to 80MB of data across your network for each computer scanned, the Shavlik agentless solution sends only 2MB to 2.5MB of data per computer.
Shavlik Technologies also provides the flexibility to use an agentless approach for managing difficult-to-access devices, such as computers on the other side of a firewall and at a remote site. The Shavlik solution can leverage IPSEC port filtering to maintain a secure environment while allowing Shavlik products to connect through your firewall. You can also install a Distributed Policy Manager behind the firewall or in a DMZ. The Distributed Policy Manager eliminates network bandwidth issues found in network scanner products and does not require you to install agents to protect those computers.
Managing frequently disconnected devices, such as laptop computers, is critical to protecting your enterprise. Many products cover only the devices attached to your network at the time of a scan. Some products also cannot connect to computers behind a firewall or across a WAN. With this limitation, your policies are inconsistently implemented. Different policies are enforced on different systems, and many policies are often outdated at remote locations and on remote systems.
For managing frequently disconnected devices, or in cases where you prefer to use an agent, you can choose to use the Shavlik agent-based solution that ensures those devices are consistently protected, even while disconnected from your network. Shavlik agents use throttling and other advanced design techniques to limit their overall impact on processor, memory, and disk space while they send only what is needed across your network. With this powerful flexibility and design, you can implement the Shavlik solution the way you want to meet your requirements. You can mix agent and agentless implementations in one environment and accomplish seamless protection from your single set of policies and the central roll up of assessment and remediation data.