Shavlik NetChk Protect 6.1 review

Price when reviewed

Shavlik’s NetChk Protect focuses on vulnerability management and brings together an interesting mix of patch management, spyware and malware scanning and remediation, and serves it all up under a single management console.

Patch management is its primary function and along with keeping up to speed with the never-ending stream of Microsoft patches, NetChk Protect now allows you to retrieve and apply updates to non-Microsoft and legacy apps using a custom patch file editor.

For testing, we loaded the main console on a Boston Supermicro dual 3GHz Xeon 5160 system running Windows Server 2008 Enterprise. It’s a smooth process and we liked the fact that for the majority of functions NetChk Protect doesn’t require an agent since it can scan remote systems, check their patch status and deploy updates without them.

Shavlik does include agents, however, as it recognises the need to support mobile users that aren’t always connected to the network and remote sites with low bandwidth links. NetChk Protect also has the ability to remove or disable dodgy applications and spyware, and for this you’ll need to deploy an agent.

This can be pushed from the main console where it runs as a single local service, but note that at the time of review Vista wasn’t supported by the agent and nor can it be used to run the console.

From the cheerfully designed main console you can gather together your systems by creating machine groups using a range of methods such as domains, OUs, IP address ranges and so on, and fire off on-demand and scheduled patch and spyware scans at will. The results are posted in the console, where you can browse by individual system or view a range of charts and graphs that provide a detailed overview.

We’ll look at the spyware scanning functions first since we had some issues with them. You have two options where the console can do this over the network without loading any software on each client, but this will incur higher bandwidth overheads. The alternative is Shavlik’s dissolving service scan, which loads the scan engine on each client locally to reduce network overheads and improve performance.

During testing, we found the latter method can have an unhealthy appetite for CPU resources. You can use a slider bar in your spyware scan policy that goes from 10 to 100% CPU utilisation. At the maximum setting we saw a scan on the core server taking around 25% of CPU resources – not good for a dual Xeon 5160 server although it did only take three minutes to complete.

Changing our policy to the lowest utilisation caused the scan to run in regular short bursts and take around five times longer to complete. Less well-endowed systems suffered more with a venerable dual-socket, single-core Xeon server getting clobbered at up to 65% utilisation.

Nevertheless, the resulting reports are very detailed since you can see each system’s vulnerabilities and view all identified spyware, the level of importance for each instance and the remediation status. To remove spyware you need to configure a distribution server, although we found this a simple enough task.

Real-time protection can also be activated, and this allows you to block or allow certain actions on client systems such as changing IE security levels and enforcing a specific homepage.

Patch management is where NetChk Protect really hits the mark. We scanned a range of Windows Server 2008 and 2003 systems and XP clients and were impressed with the results. An unpatched Server 2003 R1 system, for example, required more than patches including the SP2 update while some XP clients we’d assumed were fully updated came back with a range of patches plus extra ones for Microsoft Office.

Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.

Todays Highlights
How to See Google Search History
how to download photos from google photos