Patch-management products move toward remediation

Test shows BigFix, McAfee and PatchLink lead in easing remediation woes

Patch-management products have evolved from simply pushing out patches to now encompassing more preemptive security measures, including manipulating security configuration settings, deploying standard software packages, maintaining policy compliance and taking an active role in vulnerability remediation.

BigFix Enterprise Suite came out on top as the Clear Choice winner, performing well in all categories and standing out in ease of use and customization capabilities. McAfee's Hercules was a close second, falling slightly behind in its customization capabilities. PatchLink Update rounds out the top three. While it lacks some native support for advanced customization and reporting capabilities we were looking for in a product of this class, PatchLink does make these functions available in add-on components.

ProductBigFix Enterprise Suite 6.0McAfee (formerly Citadel) Hercules Remediation ManagerPatchLink Update 6.3
Price as tested$40 per seat, per year.$75,800 as tested, includes licensing and support for 500 workstations and 100 servers.$1,495 per server and $18 per node.

Best reporting; Custom Fixlets enable custom remediation actions; very easy to use.


Best interface; detailed access control.Strong complement of default reports that can be easily filtered based on key criteria; detailed access control.

Detailed access control could be improved.

Custom report engine not fully integrated into the product and is difficult to use.Separate components to get full custom packages and reporting.
ProductLANDesk Security Suite 8.7Altiris Client Security Management Suite 6.2Kace 3.0 (KBOX 1000 Series)
VendorLANDesk SoftwareAltirisKace Networks
Price as testedStarts at $59 per node.Starts at $88 per node plus $69 per node for patch management.Starts at $9,500.
ProsBased on strong foundation Management Suite, which allows for adding additional LANDesk services on a single platform.Client Security Management Suite adds endpoint security and application security in a single client.Appliance model allows for quick setup; ticketing supported; alerting service is unique.
ConsDifficult to navigate with poor user interface; custom scripting language required for custom remediation.Security Expressions not fully integrated into suite; patch deployment configuration lacks advanced options.Security components seem to take a back seat to ticket system and software distribution.
The breakdown BigFixCitadelPatchLinkLANDeskAltirisKace
Remediation functionality 30%
Product management and administration 25%54.553.52.54
Remediation workflow 15%33.53.532.53.5
Access control 15%354.544.51.5
Reporting 15%54343.52
TOTAL SCORE4.44.354.253.883.73.4
Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available

We tested five key areas of each product:

* Remediation functionality tests exercised how well a product could remedy a system issue through support for the operating system overall, via patches, registry key and other configuration changes. Additionally we assessed how it facilitated manual and scheduled remediation tasks and whether it offered the ability to create custom remediation tasks.

* Remediation ticketing/workflow tests examined how well a product could implement a remediation process, including end-to-end management of the cycle.

* Reporting tests evaluated how well a product could provide useful information, through default and custom reports, on remediation tasks to administrators and management personnel.

* Access-control tests examined how access to the product could be controlled, focusing on flexibility, granularity and integration with standard enterprise user repositories.

* Product management and administration tests focused on what you need to do to use the product on a daily basis and keep it running.

Here are the details of how each product fared in our testing (see "How we did it" for a detailed test methodology).


The Altiris Client Security Management Suite 6.1 comprises SecurityExpressions -- a tool that provides the ability to check security configuration and compliance settings and then remediate those issues, via Endpoint Security, Local Security and Application Control modules. Patch Management is provided as a separate component. This combination of modules runs on the foundation architecture called the Altiris Notification Server. We focused on the SecurityExpressions and Patch Management components because that combination fulfilled the test criteria.

Altiris' combined modules handled all the basic remediation functionality we were looking for, excelling in the ability to create custom checks, such as for a specific registry key setting, and remediation actions, such as changing a registry key setting.

SecurityExpressions is not fully integrated into the Altiris system. For example, policy development in SecurityExpressions still occurs through a separate console, but policy checks can be seen in the Altiris console. Because SecurityExpressions is the heart of vulnerability remediation, we would like to see these fully integrated so that creation of policy and configuration checks follow the same interface and process as other Altiris products.

Likewise, we would like to see Patch Management included as part of the overall Client Security Management Suite, because it is an integral piece of the remediation scheme.

Management of all the modules occurs through a Web-based console, which was cumbersome to use. It was difficult to perform simple tasks, such as scheduling a patch deployment. The management console provides several dashboards showing charts and graphs, such as missing patches based on criticality. The graphs do not provide the ability to directly drill down to see the corresponding data. This would be a nice addition to make the process of identifying security details more efficient.

Patch-deployment settings, including reboot control and user notification, are handled through configuration policies. Administrators define a policy on how patches should be deployed. This is good if your settings are the same for every deployment, but requires some additional work if you need to deploy a patch comprising different settings. We had a hard time finding the settings in the console and documentation, a condition which required that we contact customer support.

We also must note that Altiris does not support more advanced patch-deployment options available in other products, such as pause or deferral.

Access control is tied to the underlying Windows groups and is administered from the product console, so it is easy to integrate with enterprise roles and identity management processes. A few default roles, such as Administrator and Guest, are included, and administrators can create their own custom roles. Permissions are assigned to each of the roles and can be very detailed.

However, the user interface for setting security permissions means there is some lack of centralized control. You grant access from the properties tab for different objects as opposed to defining access control from a centralized point. For example, if you want to provide access to reports, you go to the Reports permission tab and make the necessary changes.

The reporting engine provides basic functionality but could be improved. We were able to schedule report runs and create standard reports showing missing Windows patches and remediation actions taken. Exporting reports is not available within the management console. A separate utility called ImportExportUtil is available to export data from the notification server. Trend reports should be available in the next version, according to the vendor.


The BigFix Enterprise Suite comprises the BigFix Server and management console, with agents running on client systems. The management console is a thick-client console that runs on most Windows platforms and is accessed by administrators with the appropriate credentials. Reports are available through a Web-based reporting system. For testing, we installed all management components on a single server, but they can be distributed and scaled easily.

BigFix easily handled basic remediation functions in this test. While the product supports hundreds of system checks out of the box, BigFix excels in its ability to support custom checks and custom deployments. Administrators can create customized Fixlets, the BigFix term for checks and remediation actions, with almost infinite possibility.

Usability also is a big win for BigFix, with easy right-click selection for deploying a fix on the fly. Actions can be scheduled and security baselines defined to ensure systems adhere to defined policies and standards. In our testing, BigFix was the easiest product to navigate and use.

BigFix provided the best options for deploying patches, covering the standard reboot notification and user suppression options. BigFix also provided some options not available in other products we reviewed, such as the ability to define a specific system criteria or attribute to provide additional detail controls for the remediation measures we were deploying. For example, we were able to define that a system must match a specific Active Directory path before the desired remediation action would take place.

There is a wizard available to create a patch-deployment rollback, which helps ease the process but is a little cumbersome.

One area where BigFix could use some improvement is access control. The product includes only three roles and offers only the ability to control a few user privileges.

The Web-based reporting system was the best we tested, providing an intuitive interface to create standard reports and flexibility to create custom reports. Reports can be exported to multiple formats and scheduled, with results e-mailed upon completion.

BigFix's visualization tool is an added bonus that maps your network into a sphere for better viewing. This provides the ability to identify changing trends in your environment, such as visualizing which systems do not have a specific patch installed. This could help assist in pinpointing a network segment or remote office that is not updating properly.

McAfee (formerly Citadel)

Hercules, which has always been a remediation product at its core, comprises the core Hercules Server; the Channel Server, which handles communication with the core server; and the Download Server, which stays in sync with new vulnerabilities and remedies made available by the company. The product uses Microsoft's SQL Reporting Services as its report engine. The Hercules agent resides on client systems.

The management interface was one of the easiest tested. One of the best features was the quick-start module that walked us through all the key actions needed to use the system, such as deploying agents, performing system inventory, launching security assessments and creating reports. The documentation provided by Hercules was excellent, accurate and easy to follow, serving as a great resource through our review process.

Access control is the strength of the McAfee package. Custom roles can be created, with each role having the ability to be assigned any subset of more than 70 identified tasks. This provides the flexibility to create access controls that best fit with an organization's structure. For example, you can create a role for a subset of your Windows server-management team and provide team members only the specific tasks they need to perform.

Remediation functions worked well, supporting all of our key actions. One note is that while Hercules supports the creation of custom remedies, detection is not as easily defined as in other products tested. For example, you can create a remedy to run a script or change a registry key setting, but you cannot easily create a custom vulnerability check to define how to examine the system to see whether the remediation action needs to be performed.

Deployments of remediation actions were easy to perform, for both manual and scheduled tasks. For manual tasks, you select the option from the right-click menu; for scheduled tasks, you only have to walk through a wizard.

For patch-deployment options, Hercules supports standard settings, such as user deferral and user messages, but it does not support some of the advanced options, such as limiting number of deferrals or amount of time to delay a remediation action.

Reporting is one area where Hercules could use some improvement. The ability to schedule canned reports and create custom reports is available, but those tasks are done through SQL Reporting Services, not through the Hercules product itself. These tasks should be better integrated into the Hercules console for improved ease of use.


Kace KBOX is an appliance-based solution that combines patch deployment, software distribution, vulnerability assessment and help-desk ticketing services. This product is positioned as an all-in-one solution for the small to midsize enterprise.

Compared with other products we tested, functionality, user interface and reporting capabilities are not as advanced. Administration is handled through a browser-based interface that is not intuitive or easy to navigate without training.

1 2 Page 1
Page 1 of 2
SD-WAN buyers guide: Key questions to ask vendors (and yourself)