Ask the Expert

Are there any patch management products that track the patching process?

We are a medium-sized organization and currently use WSUS for patch management. However, it does not offer any reporting features for tracking the process of patches. Are there any patch management products that offer the ability to identify applications and software, produce required patches and provide accurate reports for auditors? I am researching Ecora Patch Manager, Foundstone Enterprise and VAM.

    Requires Free Membership to View

There is certainly nothing wrong with the patch management products you are reviewing. Other patch management tools for Windows include products from Configuresoft, PatchLink, St. Bernard Software, BigFix and Shavlik Technologies. Shavlick developed the HFNetChk scanning engine Microsoft's Baseline Security Analyzer uses. There is a Basic Edition of their HFNetChkPro that is aimed at smaller organizations that do not need advanced patch management functions such as scheduled scans and email support. To learn more about their product visit

However, before you spend money from your IT budget, I suggest you look at combining Microsoft's free Baseline Security Analyzer (MBSA) version 2 with Microsoft Update and the Windows Server Update Services (WSUS), the patch and update component of Windows Server, which offers software distribution and update management for a Windows environment. You can use MBSA to generate the reports you need. MBSA is intended for small- and medium-sized organizations and detects common security misconfigurations, as well as missing security updates on several Windows-based computer systems, including Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 5.0, and 6.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003. MBSA also scans for missing security updates, update rollups, and service packs published to Microsoft Update.

The reports produced by MBSA display severity ratings for any failed checks in accordance with Microsoft's security recommendations and offers specific guidance on how to fix the problem. The scan results also include details about any failed checks, provide a link to view the list of uninstalled security updates and links to the security bulletin that contains the patch, or instructions about obtaining the patch. Also, every vulnerability found includes the relevant Common Vulnerabilities and Exposures (CVE) ID. CVEs are standardized names for vulnerabilities and other information security exposures, the aim is to make it easier to share data across separate vulnerability and security tools, and create a common reference language for security professionals.

Look at other patch management products, but I recommend comparing their cost and feature list against using Microsoft's free tools. If you want a CVE-compatible tool, that is one which uses CVE names in a way that allows it to cross-link with other CVE-compatible products and services there is a list available on the CVE Web site at

For More Information:

This was first published in June 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: