I was recently looking into alternatives to Windows Intune for ways to check if non-Microsoft application updates are needed, and stumbled into a company called Secunia. More important than their being an alternative to Intune, they developed a neat way to look at your App-V packages and tell you if those need updates too.
Secunia, based in Denmark, has several products aimed at managing the patching process. The company maintains a database of information about app versions and security risks, and then uses that with a couple of products, PSI and CSI, to automatically advise and possibly remediate.
The free personal product, Secunia PSI (Personal Software Inspector), covers most of the standard ISV applications. It adds an agent to your PC that looks at your installed applications and compares them to the database. It then tells you what isn’t patched, what the risk is, and where to go for the update. Sometimes the update is automated, but often you need to go visit the ISV website to perform the update.
After playing with PSI, I contacted them and suggested that because App-V programs don’t go to the Add/Remove programs list, these are ignored and it might be interesting to try to cover them. They blew me away when they responded that not only were they aware of this, the beta of the Commercial product Secunia CSI 5.0 has an added feature to address this! The product has since been released.
The CSI product (Corporate Software Inspector) is a centralized management product for multiple client machines; a better solution in the enterprise. From one console you can schedule scans on all of your Windows OSs and now Mac OSs. It either works with client agents or can scan clients agentlessly. This also ties into their excellent database of security holes and available patches. Plus it can optionally tie into SCCM or WSUS if you have that.
The App-V scanning support is not implemented on the Windows machines using App-V. Instead, you run a scan on the file server hosting the App-V package repository (e.g., the “Content share”). You need to install a very little-known tool released by Microsoft, an Application Virtualization SFT Viewer tool. This tool, which integrates into the Windows Explorer, gives CSI the access it needs to check the versions of applications and provide its analysis.
Now from their console, you can determine which packages need to be updated for security fixes. Not a bad idea! While I did not perform a full evaluation of the product, it looked “interesting”.
CSI has a free trial version if you are interested. Visit their website at www.secunia.com. In addition to PSI and CSI, they also have a Vulnerability Intelligence Manager, and an Online Software Inspector.
The problem with Secunia with regard to the Enterprise environment is that it adds YET ANOTHER agent to the system, that is scanning the exact same file system which already gets scanned by Configuration Manager, if that agent is installed.
Therefore, as we see it in our environment, the better solution would be a pure, efficient analysis plugin for Configuration Manager, instead utilizing the already existing functionality and data to analyze packages.
More client applications simply bog down the systems further, increasing the dreadful logon times already experienced with all the agents that usually run on enterprise OS.
On a non-enterprise computer, startup and login times can be minuscule, yet on a domain they can be very long, up to several minutes, due to all the services that have to be started and processes that run on login and startup.