Virtualization and Security: Beginners Guide Part 2

This is a follow up to a post I made a while back where we took a look at some of the security risks identified by Gartner and some of the Features of Shavlik Protect that can help you reduce these risks.  Today we will talk about a couple more of the items.


3 Utilize snapshots for rollback.

Vendors have gotten much better about turning out a stable patch, but it is always good to have an insurance policy.  Shavlik Protect supports rollback for patches that the vendor supports rollback.  In cases where the vendor does not support rollback the ability to snapshot a virtual machine before executing patches introduces a better and easier way to support rollback.  Protect has the ability to snapshot vSphere VMs before andor after patch deployments.  This snapshot can be reverted to very quickly and rolls back to the state before execution.  Most customers I speak to are concerned that they can revert if needed, but most don’t have to do this often. This is configurable in the Deployment Template under the Hosted VMs/Templates tab.

4 Updating VMware Tools.

One of the most important components to ensure is being updated in your vSphere environment is the VMware Tools.  This is the interface between the VM and the infrastructure for many VMware and 3rd party products.  Many vSphere admins think their tools are up to date because the summary for that machine shows it is up to date.  In fact that is only valid if you applied the latest VM Tools updates to your hypervisor.  Then there is a delay and often a reboot required until the status for that VM updates to show it is now out of date.  Now you need to update to the latest tools by having them run on VM startup which requires user intervention or by python script through some other means.  Throw in a cluster of hypervisors all on different versions and different versions of the tools and it gets to be a real mess.  The good news is there is a better way.  VMware has made their tools all backward compatible.  You can push the latest version of the 5.5 tools to your VMs regardless of what version each host is running on.  Shavlik Protect will detect an install of VMware Tools and update to the latest 5.5 tools.  This way you can ensure that as long as you have the one set of tools at the latest version and no new vulnerabilities have been discovered you have a secure version on every VM.  This was released as a security patch towards the middle of 2013 and most customers would likely already be updating in this way unless they utilize patch groups to approve what gets deployed. You can read more in our FAQ on updating VMware Tools.

These are some of the basics that can help you ensure you are delivering the same level of security to the virtual infrastructure as you are in your physical infrastructure.  It is important to make sure the teams involved are all in agreement and utilizing the tools available, and that policies are up to date and describe the coverage to both the physical and virtual infrastructures.  Also evaluate other tools you utilize to ensure they also cover your virtual infrastructure effectively.

Shavlik Protect adds support for VMware Tools

Hey all,

With today’s content update Shavlik Protect now supports updating VMware Tools.  This is included under the Non-Security patch type.  If you use the WUscan it will be detected on any VM that has tools installed and allow you to update to the latest version.  If you are using a patch group you can add the patch to a patch group.  It can be found under bulletin VMWT-001.  Remember to allow scanning for non-security patches if you are using a custom template.

To keep up to date on Shavlik Content releases you can subscribe to our Content Announcements list by email or RSS.  This will help keep you apprised of new product and patch support.

Shavlik Content Announcements by email
Shavlik Content Announcements by RSS feed.

Chris Goettl


Virtual Patches and the Data Center Environment

In advance of VMworld we caught up with Chris Goettl, Program Product Manager for Shavlik , to learn more about the patching in the data center environment.

Q:  What are some of the key things to consider when deploying patches in a datacenter environment?

Chris:   From the conversations I have with customers I think getting up and running quickly is important.  You would be surprised how long some products take to implement.  Many of our competitors deploy agent-based systems that take longer to implement.  We have talked to some of their customers that struggled with implementation. In fact, one was in year two of trying to roll out a well-known product.

Q:  What is different about Shavlik from a timing perspective?

Chris:  There are a few things that give us an advantage in this area; in fact, we can show value on the same day.   So for example, if you install our product, we can be up and running, assessing your environment, and can stage patches within the first hour.   There is no product in the market that can be installed and be up and running delivering patches to endpoints that fast. 

Q: How do your products complement VMware?

Chris:  Of course we can patch VMware offline and online machines as well as hypervisors, but there is another area where we work well together.  Our products help VMware introductory level customers maintain their patch capability. This all stems from our previous relationship with VMware (we were owned by VMware before joining the LANDesk family).

Q: How does Shavlik provide benefit to these customers?

Chris: Let’s say you have a virtual infrastructure with 50 VMs on standard servers.  If the customer is running vSphere or less, then you have a big challenge to maintain that infrastructure.  On the other hand, enterprise VMware customers that have vSphere have an extremely robust product that images the hypervisor.  Every time you reboot the hypervisor it actually reboots under the base image, so all the customer has to do is apply a patch to the base image and then every time they reboot the hypervisors they are up to date.

Q: So Shavlik helps bridge the gap between VMware standard and the enterprise? 

Chris: Right, so we have a hypervisor feature within our product.  When IT installs Shavlik Protect the feature is already in place.  With Protect, you install it and type in the IP address or the server name for the hypervisor and a credential.  Protect connects, you click on a scan button, click on which patches you want, click deploy, and that is about it.  It really is a matter of months to minutes.

It's Possible! The Ability to Patch VMware Offline Machines with Shavlik Protect

In advance of VMworld we caught up with Anne Steiner, principal product manager at LANDesk, to learn more about how Shavlik Protect patches VMware virtual machines and templates.

Q: Shavlik has always been known for its ability to patch online virtual machines but there is an added capability that some may not be familiar with.  Shavlik can also patch offline VMware VMs as well as offline VMware templates.  What is the benefit in being able to do this?

Anne: IT departments generally have an image or a template that helps them create various user VMs.   These templates behave similarly to offline VMs.  When IT goes to create VMs for folks like you and me, they don’t want to have to go through a two-step process of creating the VM and then on top of that having to patch it.  Patching in that way takes extra time and manpower.  If the offline templates can be kept current all the time, IT can deploy a virtual machine without having to worry about whether the VM  is up to date.   

Q:  You mentioned patching offline machines, how does that work? 

Anne: If a VMware VM happens to be offline (maybe it is powered down to conserve power or offline maintenance) Shavlik has the ability to see the VMWare VM in your virtual infrastructure, recognize that it is offline, bring it up and patch it, and then put it back to rest.  The advantage is we’ll keep your entire virtual infrastructure up to date regardless of whether VM’s are online or offline.

Q: Shavlik Protect has a feature called Snapshot.  Can you tell us about it?

A:  In the Shavlik patch process, we allow users to take a snapshot which provides a restore point to revert to a known good configuration.  After the snapshot is created the user applies the patches and knows that if something were to happen, like one of the patches damages the VM for example, they would very easily be able to go back to that snapshot and have everything the way it was before the patches were deployed.  In other words, snapshots can be used as is a bit of an insurance policy.

Hello from VMworld 2013


VMworld 2013 is underway and we are having a great show so far.  The Shavlik booth has seen steady traffic from the welcome reception on Sunday through the entire day yesterday.  We have had long time customers who recall HFNetChk command line versions all the way to VMware customers who have been using us for the past six months.  Everybody was excited to hear about the new features of Shavlik Protect 9.0 and the fact that they are entitled to the upgrade from the VMware branded vCenter Protect to Shavlik Protect at no additional cost.



If you are out at the show stop by and see us in Booth 2247 near the New Innovators kiosks.  Enter to win a ThinkPad X1 Carbon and pick up some Shavlik swag.



Chris Goettl



Seamless Support for Hosted VMs and Physical Machines

NetChk Protect has had the ability to scan an offline Virtual Machine and deploy a package to the machine that will install when it next boots. In our next release of NetChk Protect 7.8 (Currently in Beta) we have expanded the functionality of our Hosted VM support. We have added the following features:

  • Support for Templates – You can now fully patch a template just like a physical or virtual machine.
  • Pre and Post Deployment Snapshot – Easy rollback for an entire deployment.
  • Stateless support for Hosted Virtual Machines – Scan online, deploy offline, mix and match any way you want. It doesn’t matter to us. We will handle it.
  • Disable networking while deploying to offline virtual machines – Think DR warm site. You have the machines off and ready to bring online at a moment’s notice. It would be a shame to bring them up unpatched and vulnerable. Scan them offline, deploy a package, it boots up and installs the patches in a disconnected state to keep the VM secure through the entire process. The best part is you treat it just like any other machine in our product. We do the heavy lifting.
  • Scheduled deployment to offline VMs and Templates – Schedule deployments to these machines just like any other.

I invite you to do two things. First, join Kim Fors and myself this Friday as we discuss and demonstrate this functionality in a live webinar. Second, take these new features for a test drive first hand. Contact for more details.


Chris Goettl
Product Owner
Shavlik Technologies

Shavlik NetChk Protect 7.8 Beta Coming Soon!

NetChk Protect 7.8 is nearing Beta.  We have a good list of participants started already, but there is room for more. Requests will be on a first come first serverd basis.  If you would like to participate please contact us at  This release boasts many new features, but there are a couple in particular that I know people are interested in.

Agent SP Deployment:  Now you can approve SPs and allow the agent to deploy them in a more automated fashion.

VM features:  Template support, snapshotting, state aware scan and deployment to on and offline VMs.

Archive File Support:  This will open up to more supported products, but I will just say one thing and I know many of you will understand what I am talking about.  Bye bye Apple Application Support.  Yes, this is the release where we say goodbye to the pain of patching Apple products.

DB Maintenance: Purge old data script is now built into the product under this new feature set.

There are many more new features to play with.  Join the beta and get an inside look at the exciting new feature set coming your way around mid March.


Chris Goettl
Agile Product Owner
Shavlik Technologies