Winternals aims to reverse the effects of malicious-code attacks

Sep 22, 2003 · 4 mins
Enterprise Applications, Security

* Winternals Recovery Manager

With all that’s going on in terms of worms, viruses and malicious attacks, it’s not surprising that whenever network managers get together the talk quickly turns to patches and patching. I’ve discussed how important it is to keep your systems patched up-to-date, but doing so raises a couple of questions.

The first question, of course, is how to find the time to keep everything patched. With new service packs and hot fixes coming out as frequently as once a day, tracking what’s been patched as well as what needs to be patched (or even which systems should not be patched) is a full-time job. You need at least one more person to actually apply the patches. Automation is the way to go.

Somewhat prophetically, I think, I mentioned last March that I didn’t want to hear about patch management schemes … for another six months. Six months have passed, patching is once again big news and you should review the three newsletters from last winter that dealt with patch management (see links below).

But finding and applying patches is only part of the solution. The second question concerns what happens after you’ve discovered and installed the patch. Suppose it breaks something, suppose you reboot and the system won’t come up? Which is worse, an unpatched system or one that won’t boot? That’s why I’ve always recommended you first install the patch in a test system that mirrors, as closely as possible, your production machines. Test it there for a couple of weeks and be sure it doesn’t break anything before rolling it out in production.

Do you see the problem? How do you explain to your boss’s boss that the reason you got hit with the latest worm-of-the-week was that you were still testing the patch?

Well, you know I wouldn’t mention it if I didn’t have a suggestion that might help. Winternals Software, which made a nice place for itself in the crash protection and system recovery market, recently released Winternals Recovery Manager (WRM), targeted at Windows Server 2003, XP, 2000, and NT4 systems. It allows network managers to quickly reverse the effects of malicious-code attacks while helping to mitigate the risks associated with emergency installation of critical updates. That’s right, it protects from both the disease (worms, viruses) and the cure (patches)! You can get all the details at but here are the highlights:

* Recovery Manager allows you to identify and undo changes to critical system files and settings.

* The Recovery Manager Boot Client can boot infected machines to an offline environment for safe and secure access, analysis, and repair, immediately suspending newly opened security holes, and preventing systems from further infecting themselves and others on the network.

* When an infected machine would otherwise require reinstallation or re-imaging, WRM provides a fast system repair option, reducing downtime and leaving application and user data intact.

* In the event that emergency installation of a critical update causes undesired behavior (e.g., the patch crashes your system), systems can be rolled back to previous working states, whether simultaneously in large groups, or individually.

* Recovery Manager even tracks and can undo system-level changes made by anti-virus solutions. More than a few of us have been unpleasantly surprised when our AV software did more damage than it prevented.

Do check out Winternals Recovery Manager – it can save servers, networks and hair loss.