Taking a look at GFI Max Patch Management
I mentioned in an earlier blog post that one of the vendor relationships my business has really committed to since we went through a merger is GFI Max. Prior to the merger, my business was using GFI Max and the business we merged with was using Kaseya – and we had to make a choice over which RMM (Remote Monitoring & Management) tool to use as a merged company going forwards.
All signs pointed towards using Kaseya – it was more powerful, with greater scripting capabilities and more advanced features. But it required an investment in time to un-tap that advanced functionality, time we didn’t have with everything happening as part of the merger process. Additionally, Kaseya required a significant financial investment. In contrast, GFI Max had a smaller feature set, but could do 80% of what we wanted “out of the box” with little or no training required, and a much smaller up-front investment.
We were upfront with both vendors about our feelings, and it was the GFI Max team who came through strong here – being open and honest about their plans, sharing their roadmap with us and committing to it.
Deciding on GFI Max
The decision was made to the GFI Max guys, and I’m pleased to say we’ve never regretted that. I know many similar companies that have really invested time and money into their relationship with Kaseya, and are reaping the rewards, but for us GFI Max is now one of our key vendors.
We’ve held the guys in Scotland to their promises though – and one of the commitments GFI Max made was to plug the gap in their tool where there was no centralised Patch Management capability. Since Hound-Dog (as GFI Max used to be known) became part of the GFI Software family, we’ve been itching to see the GFI product line such as GFI LanGuard integrated into GFI Max. This past week, David Hay and Mark Petrie at GFI Max shared with us a sneak peek at Agent v8.5.0 Release Candidate, which would incorporate Patch Management into the GFI Max tool. I thought I’d share that sneak peek with the readers of this blog, as I know many of you are fellow GFI Max users yourselves.
Patch Management and Vulnerability Scanning
The new Patch Management and Vulnerability features are incorporated into the existing Advanced Monitoring Agent deployed to Workstations and Servers when Agent v8.5.0 RC is deployed.
Once deployed, you’ll find a new folder called “LANguard 10 Agent” appears on the C:Program FilesGFI directory of workstations and servers, and a new GFI LANguard 10 Agent Service begins to run. You’ll also spot a new Windows Process called “lsass.exe” running.
We’re told that a more white-label approach to conceal this directory and service will be used in an upcoming Agent release, in line with the rest of the GFI Max suite.
Then you can enable the Patch Management settings from the Dashboard Settings menu, under a new menu item.
From this new settings section, you can be very granular about how Patch Management is handled – doing so via a hierarchical structure which is inherited down by Server/Workstation, Client and individual machine. The feature can be turned on or off, or customised, at any level.
As well as patches, there is the capability to scan for Vulnerabilities – using known many of the well known Vulnerability databases.
Talking of databases – both patches and vulnerability scans cover Microsoft plus a lot of 3rd party software too. Mozilla, Adobe and other products are already scanned for.
You also have the option of enabling the feature to scan only (where you can manually view the Patches and Vulnerabilities in a report) or by generating an Alert, which will be highlighted on the GFI Max Dashboard and/or within your PSA tool.
Those of you familiar with Windows Software Update Services (WSUS) will also appreciate the ability to auto-approve Microsoft Patches at different levels – from Critical only, through to all updates.
After enabling, deployment and scanning should start to happen within two 24×7 Check schedules – so around 30 minutes or so.
Once the scans begin to happen, and if Alerting is turned on, you’ll see a Vulnerability Check appear on the Checks section of the Dashboard for each deployed agent – this will show the number of missing patches and any Vulnerabilities identified.
If you click on the blue underlined details next to the Alert, you’ll be able to drill down into a report that shows the Missing Patches and Vulnerabilities.
From this screen, you’ll then be able to select Patches for deployment as you choose. Simple!
Points to note – Vulnerabilities are highlighted, but you’ll need to manually go and fix them. Naturally there is no simple way (nor would you want to) click a box to patch a MySQL installation, or update a Firewall.
Also, if a patch is deployed which *doesn’t* have a silent installation option, when deployed this will need user interaction.
Additionally, if a patch requires a reboot, you’ll need to make arrangements for this. GFI Max won’t automatically reboot your machine.
Thankfully, most vendors provide silent installation options which don’t require a reboot, so this won’t be an issue – but GFI tell us they’ll provide a feature to highlight those patches that *do* experience these issues in an upcoming release so you can be aware of the additional steps you need to make.
Site Concentrator Feature
It’s worth noting that you can also specify a Site Concentrator – a server agent which will act as a Cache from which all other Agents will download their updates. This gets around the problem of dozens or hundreds of agents all trying to download the same updates via the Internet and clogging up the bandwidth.
One caveat to be aware of is, that at this RC release of the Agent, you can’t specify the directory to download patches to. Therefore if you’re short of space on a Server C: drive, it may be worth re-installing the Agent to a drive where there is drive space free to store downloads.
There is also what looks like a strong reporting facility for generating documents to share with clients – perhaps when doing a Network Admin visit or up-front assessment of a new client, it’d be possible to highlight all the areas that are vulnerable or require patching.
Additionally, the Vulnerability and Patch scan can be incorporated into the Daily, Weekly and Monthly reports – so you can highlight patches installed, missing or Vulnerabilities therein.
Demo of GFI Patch Management
If you’re more a visual person then I’d encourage you to head to YouTube – GFI’s Chris Martin has made a Demo Video available of the new Patch Management features across on YouTube
http://www.youtube.com/watch?v=crGBSsic0-w
Closing Notes
Closing notes – Release date for the Release Candidate Agent should be sometime this week – in fact, I wouldn’t be surprised if by the time you’d read this and visited your GFI Max Dashboard, you see the Patch Management features available!
If you’re a GFI Max client and would like to feedback to them anything about this new feature or anything else – I’d strongly urge you to check out the LinkedIn Discussion group at http://www.linkedin.com/groups?mostPopular=&gid=1986499 – there’s a ton of talk going on which the GFI Max team actively monitor and respond to, and it’s a great example of a vendor engaging with their clients in a proactive fashion. We use the group ourselves and there is a good vibe there!
So there you have it – a one-stop-shop for deploying Patches and highlighting Vulnerabilities on client workstations and servers! We’re excited to have this functionality after patiently waiting for it, and it re-affirms our faith in GFI Max to deliver on their promises. Thanks to David and Mark at GFI Max for taking the time to share this with us, and in turn, allowing me to share with my blog readers!
Comments
8 thoughts on Taking a look at GFI Max Patch Management
IAN
28TH SEPTEMBER 2010 15:10:31
great post, and am looking forward to using this in the field! However you may want to remove the pricing from the post - GFI are (rightly) reluctant to advertise/publish pricing in the wild.
RICHARD
28TH SEPTEMBER 2010 16:10:28
Ian - good call, pricing removed. :-)
IAN
28TH SEPTEMBER 2010 16:46:36
no worries Richard :)
JULES
29TH SEPTEMBER 2010 10:34:39
Hows GFI's ability to performance monitor? Is it still a self-tuning nightmare? Or is it auto-baselining yet?
RICHARD
29TH SEPTEMBER 2010 12:39:13
Jules - the Performance Monitoring features work reasonably well "out of the box" and can easily be tweaked. That said, there's no easy way to set PerfMon to ignore alerts during certain times - overnight, backup windows, etc - so we don't use the feature as it generates a lot of irritating false alerts. I understand an improvement to this situation is on the roadmap.
RORY BREEN
29TH MARCH 2012 22:02:39
Richard, good article, I have been *playing* with GFI's patching and it generally works well. Due to my background I would always recommend Nominating a client pc (one of each OS type) as the tester and setting that with auto install on Critical and Important with an install schedule of every Friday. Ensuring the client informs you of any issues before the last Friday of the month. I then manually authorise all updates to the remaining computers the last Friday of the month. For servers, I generally install Critical and Important updates forcing a reboot, with manually supervised installs of feature packs and rollups, in particular Exchange rollups.. In addition I've had limited success with 3rd party updates unless I force a reboot..
RICHARD TUBB
1ST APRIL 2012 11:37:20
Rory - great feedback. As long as you think about how you're going to deploy patches in a structured fashion, you'll do ok.
ERIC SMITH
5TH NOVEMBER 2020 07:22:17
Most software companies conduct Patch management as part of their internal process to fix issues with the software version.