Patch Management - Extensive Patch Testing Process

Shavlik tests all Microsoft network security patches before making them available for scanning and deployment with Shavlik NetChk solutions. Specifically, when a new patch is released, or an existing patch is updated, Shavlik patch testing ensures the following:

• Bulletin and patch specific information from Microsoft, including the bulletin title, bulletin number, bulletin summary, KB numbers, and download meta page URLs have been accurately stated and recorded.
• Patches for each bulletin in each Shavlik support language are available at the vendor specified download location.
• Patches have been digitally signed by Microsoft.
• The patch fingerprint consisting of affected products and services packs, filenames, file versions, file locations, file checksums, and registry keys written by the patch are accurately recorded in the Shavlik XML files.
• The deployment instruction set including: the direct download URL for each patch for each Shavlik supported language, the patch size, and installation and rollback switches for silent, unattended, and no-reboot installation are accurately recorded in the Shavlik XML files
  

Shavlik then tests each patch in each Shavlik supported language on each Operating System\Service Pack\Application combination to ensure proper detection, installation, and rollback (where applicable). File by file comparisons are performed before and after patch installation to ensure patch supersedence has been properly taken into account. The Shavlik lab is equipped to test patches against hundreds of Operating System and Application combinations to ensure that patch assessment and deployment functions will operate as intended on client systems.

Further, Shavlik rigorously tests each patch to ensure that installation or rollback of the patch does not introduce unintended consequences on the system, including loss of application compatibility, feature break, or regression. Any issues specific to installation, rollback, and/or performance are noted in the Shavlik XML file and are displayed to customers via the 'Shavlik Comment' portion of the Shavlik NetChk interface. When needed, Shavlik confers with Microsoft to ensure that the patch meets expectations.

Note: Shavlik does NOT test the patches to ensure that they address the security issue referenced in the security bulletin. This testing is best performed by the vendor (Microsoft) and the security researcher who initially reported the security flaw. Shavlik does, however, test the patches in all other aspects to ensure a smooth experience for their customers with respect to installation, rollback, and basic functionality.

Once the patch and the fingerprint and deployment data has been approved by the Shavlik lab, the Shavlik XML files are CABbed, signed, and posted to xml.shavlik.com.

Emails are then sent to members of the Shavlik-XML mailing list informing them of the availability of the new XML files. More information about the Shavlik-XML mailing lists is available here: http://hfnetchk.shavlik.com/xmlsubscribe.asp

Copies of the XML announce mailings are also posted to the XML Announcements forum: http://forum.shavlik.com/viewforum.php?f=29

Shavlik strives to have the patch XML files for new patch releases made available on the same business day the bulletin and patches are announced. To date, Shavlik has met this goal and updated XML files have been available on the same business day as the bulletins have been released. Please note, however, that XML updates may not be available for 24 hours or longer after bulletin release should our testing warrant additional time.

More information about the time between Microsoft's bulletin release and the availability of the XML files can be found in Shavlik KnowledgeBase Article SKB 83: http://forum.shavlik.com/viewtopic.php?t=83

Advanced Network Security Assessment Technology
Network Security Built-In
Cloud Computing
Agents or Agentless For Flexible Deployment
Design Principles