Non-invasive automatic offsite patch fingerprinting and updating system and method

US 20040003266A1
Filed: 03/20/2003
Published: 01/01/2004
Est. Priority Date: 09/22/2000
Status: Abandoned Application

First Claim

Patent Images

1. An automated method for updating software in a system having a first target computer in a non-update state connected across a network to an update server in a pre-update state, the system also having a package computer which may be inaccessible to the first target computer and is accessible to the update server, and a repository component accessible to the first target computer and the update server, the method comprising the steps of:

putting at least one patch fingerprint which defines a specific software update into the repository component;

gathering information about the first target computer;

comparing at least a portion of the gathered information with the patch fingerprint to determine if the specific software update is absent from the target computer;

placing at least one task identifier on an update task list, the task identifier specifying the first target computer, the task identifier also specifying at least one download address which references a location on the package computer that contains a software update for the first target computer;

in response to the task identifier, downloading the software update from the package computer to the update server; and

performing a second download of the software update from the update server to the first target computer.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and configured storage media are provided for discovering software updates, discovering if a given computer can use the software update, and then updating the computers with the software as needed automatically across a network without storing the updates on an intermediate machine within the network. Furthermore, when a failure is detected, the rollout is stopped and the software can be automatically removed from those computers that already were updated. The software update can be stored originally at an address that is inaccessible through the network firewall by intermediately uploading the software update to an update computer which is not a part of the network but has access through the firewall, which is then used to distribute the update.

606 Citations

62 Claims

1. An automated method for updating software in a system having a first target computer in a non-update state connected across a network to an update server in a pre-update state, the system also having a package computer which may be inaccessible to the first target computer and is accessible to the update server, and a repository component accessible to the first target computer and the update server, the method comprising the steps of:
- putting at least one patch fingerprint which defines a specific software update into the repository component;
  
  gathering information about the first target computer;
  
  comparing at least a portion of the gathered information with the patch fingerprint to determine if the specific software update is absent from the target computer;
  
  placing at least one task identifier on an update task list, the task identifier specifying the first target computer, the task identifier also specifying at least one download address which references a location on the package computer that contains a software update for the first target computer;
  
  in response to the task identifier, downloading the software update from the package computer to the update server; and
  
  performing a second download of the software update from the update server to the first target computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method of claim 1, further comprising the step of providing a patch definition file which is portable and which can be employed to replicate a patch on update servers in a plurality of networks.
  - 3. The method of claim 1, wherein the method operates proactively by performing the download steps without requiring an express administrator command to perform them.
  - 4. The method of claim 1, wherein the method operates proactively by caching a marked patch at the update server before deploying the patch to target computers, the patch marked as at least one of critical, high-priority, and security-related.
  - 5. The method of claim 1, further comprising at least two steps from the following group of security steps:
    - utilizing encryption to secure patch downloads;
      
      utilizing cyclic redundancy codes to secure patch downloads;
      
      utilizing digital signatures to secure patch downloads;
      
      utilizing a secure network protocol such as SSL to secure patch downloads, wherein at least one of the security steps is available in the particular method embodiment.
  - 6. The method of claim 1, wherein the step of downloading the software update from the update server to the first target computer is performed using a background downloading process, thereby reducing inconvenience to a user of the first target computer.
  - 7. The method of claim 1, wherein the step of downloading the software update from the update server to the first target computer is performed using bandwidth-throttled downloading, thereby allowing a network administrator to decide how bandwidth should be employed during a large deployment.
  - 8. The method of claim 1, wherein downloading is performed subject to a policy which limits the hours of operation, and the policy is set by an administrator, thereby allowing the administrator to decide when patch deployments are allowed to occur.
  - 9. The method of claim 1, further comprising preventing downloads of software updates from the update server to the package computer, thereby enhancing security of the package computer.
  - 10. The method of claim 1, wherein the method further comprises use of a chained installation feature permitting an administrator to have downloaded patches installed on the target computer with fewer reboots than would otherwise be required.
  - 11. The method of claim 1, wherein the method further comprises use of a download resumption feature which detects interruption of a downloading step and then after a reconnection resumes the downloading step from at or near the point in that downloading step at which the interruption occurred, thereby avoiding repetition of the entire downloading step to achieve the download.
  - 12. The method of claim 1, wherein the method further comprises use of a mobile-user support feature which allows an administrator to deploy a patch to the first target computer even though the first target computer is not connected to the network when the task identifier placing step occurs.
  - 13. The method of claim 1, wherein the method comprises downloading multiple patches which originated from multiple vendors.
  - 14. The method of claim 1, wherein the method further comprises the step of grouping a proper subset of target computers to form a group, whereby an operation that is applicable to an individual target computer can also be applied to the group.
  - 15. The method of claim 14, wherein the grouping step forms a group containing target computers that are specified by an administrator.
  - 16. The method of claim 14, wherein the grouping step forms a group containing target computers that are specified by a non-administrative user.
  - 17. The method of claim 14, wherein the grouping step forms a group containing target computers that are specified by identifying an operating system that is used by all of the target computers which are being placed in the group.
  - 18. The method of claim 14, wherein the grouping step forms a group containing target computers that are specified by identifying an application program that is used by all of the target computers which are being placed in the group.
  - 19. The method of claim 14, wherein the method further comprises the step of delegating limited administrative control to a group manager, whereby the group manager receives control over only those target computers that were placed in the group by the grouping step.
  - 20. The method of claim 1, wherein the method further comprises use of a mandatory patch baseline policy which specifies at least in part software that should be installed on the first target computer, and the method proactively downloads and installs on the first target computer a patch that is specified in the mandatory patch baseline policy.
  - 21. The method of claim 20, wherein the mandatory patch baseline policy sets a baseline for target computers that use a particular application.
  - 22. The method of claim 20, wherein the mandatory patch baseline policy mandates removal of unwanted software from a target computer.
  - 23. The method of claim 1, wherein the method further comprises use of a forbidden patch feature which specifies software that should not be installed on the first target computer, and the method attempts to prevent such installation from occurring.
  - 24. The method of claim 20, wherein the method further comprises automatically reinstalling a patch that is specified in the mandatory patch baseline policy after software in the patch was dropped from a target computer that is subject to the mandatory patch baseline policy.
  - 25. The method of claim 1, wherein the method further comprises the steps of grouping a proper subset of target computers to form a group, and using a mandatory patch baseline policy to specify at least in part software that should be installed on the target computers in the group.
  - 26. The method of claim 1, wherein the method further comprises use of a patch compliance assurance feature which specifies software that is locked on the first target computer, and the method proactively notifies an administrator if locked software is removed from the first target computer.
  - 27. The method of claim 1, wherein the method further comprises use of a change control feature which specifies at least one item that is locked on the target computer, and the method proactively notifies an administrator if a locked item is changed on the target computer, wherein the item is at least one of:
    - a hardware item, a service item, and a software item.
  - 28. The method of claim 1, wherein at least the step of downloading the software update from the update server to the first target computer recurs, thereby repeatedly updating a particular file on at least the first target computer.
  - 29. The method of claim 1, further comprising at least one step from a group of disaster recovery steps, the step helping an administrator recover and continue operation after a system failure, wherein the group of disaster recovery steps comprises:
    - creating another server with the same domain name as a failed server, reinstalling update server software on a server, restoring archived data, and restoring mirrored data, and wherein at least one of the disaster recovery steps is available in the particular method embodiment.
  - 30. The method of claim 1, further comprising the steps of maintaining a record of recent operations, and rolling back deployment of a patch, thereby allowing an administrator to undo a target computer patch installation that has caused problems.
  - 31. The method of claim 1, wherein the method further comprises use of a intelligent multiple patch deployment feature which matches patches with target computer operating systems, thereby relieving an administrator of the need to expressly and fully identify the operating system used on the target computer.
  - 32. The method of claim 1, wherein the method installs a security patch on the first target computer, thereby providing an administrator with a policy-driven way to hook into the target computer'"'"'s file system and stop at least one particular file from executing on the target computer.

33. A configured program storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer system to perform method steps of an automated method for updating software in the system, the system having a first target computer in a non-update state connected across a network to an update server in a pre-update state, the system also having a package computer which may be inaccessible to the first target computer and is accessible to the update server, and a repository component accessible to the first target computer and the update server, the method comprising the steps of:
- putting at least one patch fingerprint which defines a specific software update into the repository component;
  
  gathering information about the first target computer;
  
  comparing at least a portion of the gathered information with the patch fingerprint to determine if the specific software update is absent from the target computer;
  
  placing at least one task identifier on an update task list, the task identifier specifying the first target computer, the task identifier also specifying at least one download address which references a location on the package computer that contains a software update for the first target computer;
  
  in response to the task identifier, downloading the software update from the package computer to the update server; and
  
  performing a second download of the software update from the update server to the first target computer.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62)
- - 34. The configured storage medium of claim 33, wherein the method further comprises the step of providing a patch definition file which is portable and which can be employed to replicate a patch on update servers in a plurality of networks.
  - 35. The configured storage medium of claim 33, wherein the method operates proactively by performing the download steps without requiring an express administrator command to perform them.
  - 36. The configured storage medium of claim 33, wherein the method operates proactively by caching a marked patch at the update server before deploying the patch to target computers, the patch marked as at least one of critical, high-priority, and security-related.
  - 37. The configured storage medium of claim 33, wherein the method further comprises at least two steps from the following group of security steps:
    - utilizing encryption to secure patch downloads;
      
      utilizing cyclic redundancy codes to secure patch downloads;
      
      utilizing digital signatures to secure patch downloads;
      
      utilizing a secure network protocol such as SSL to secure patch downloads, wherein at least one of the security steps is available in the particular method embodiment.
  - 38. The configured storage medium of claim 33, wherein the step of downloading the software update from the update server to the first target computer is performed using a background downloading process, thereby reducing inconvenience to a user of the first target computer.
  - 39. The configured storage medium of claim 33, wherein the step of downloading the software update from the update server to the first target computer is performed using bandwidth-throttled downloading, thereby allowing a network administrator to decide how bandwidth should be employed during a large deployment.
  - 40. The configured storage medium of claim 33, wherein downloading is performed subject to a policy which limits the hours of operation, and the policy is set by an administrator, thereby allowing the administrator to decide when patch deployments are allowed to occur.
  - 41. The configured storage medium of claim 33, wherein the method further comprises preventing downloads of software updates from the update server to the package computer, thereby enhancing security of the package computer.
  - 42. The configured storage medium of claim 33, wherein the method further comprises use of a chained installation feature permitting an administrator to have downloaded patches installed on the target computer with fewer reboots than would otherwise be required.
  - 43. The configured storage medium of claim 33, wherein the method further comprises use of a download resumption feature which detects interruption of a downloading step and then after a reconnection resumes the downloading step from at or near the point in that downloading step at which the interruption occurred, thereby avoiding repetition of the entire downloading step to achieve the download.
  - 44. The configured storage medium of claim 33, wherein the method further comprises use of a mobile-user support feature which allows an administrator to deploy a patch to the first target computer even though the first target computer is not connected to the network when the task identifier placing step occurs.
  - 45. The configured storage medium of claim 33, wherein the method comprises downloading multiple patches which originated from multiple vendors.
  - 46. The configured storage medium of claim 33, wherein the method further comprises the step of grouping a proper subset of target computers to form a group, whereby an operation that is applicable to an individual target computer can also be applied to the group.
  - 47. The configured storage medium of claim 46, wherein the grouping step forms a group containing target computers that are specified by an administrator.
  - 48. The configured storage medium of claim 46, wherein the grouping step forms a group containing target computers that are specified by a non-administrative user.
  - 49. The configured storage medium of claim 46, wherein the grouping step forms a group containing target computers that are specified by identifying an operating system that is used by all of the target computers which are being placed in the group.
  - 50. The configured storage medium of claim 46, wherein the grouping step forms a group containing target computers that are specified by identifying an application program that is used by all of the target computers which are being placed in the group.
  - 51. The configured storage medium of claim 46, wherein the method further comprises the step of delegating limited administrative control to a group manager, whereby the group manager receives control over only those target computers that were placed in the group by the grouping step.
  - 52. The configured storage medium of claim 33, wherein the method further comprises use of a mandatory patch baseline policy which specifies at least in part software that should be installed on the first target computer, and the method proactively downloads and installs on the first target computer a patch that is specified in the mandatory patch baseline policy.
  - 53. The configured storage medium of claim 52, wherein the mandatory patch baseline policy sets a baseline for target computers that use a particular application.
  - 54. The configured storage medium of claim 52, wherein the method further comprises automatically reinstalling a patch that is specified in the mandatory patch baseline policy after software in the patch was dropped from a target computer that is subject to the mandatory patch baseline policy.
  - 55. The configured storage medium of claim 33, wherein the method further comprises the steps of grouping a proper subset of target computers to form a group, and using a mandatory patch baseline policy to specify at least in part software that should be installed on the target computers in the group.
  - 56. The configured storage medium of claim 33, wherein the method further comprises use of a patch compliance assurance feature which specifies software that is locked on the first target computer, and the method proactively notifies an administrator if locked software is removed from the first target computer.
  - 57. The configured storage medium of claim 33, wherein the method further comprises use of a change control feature which specifies at least one item that is locked on the target computer, and the method proactively notifies an administrator if a locked item is changed on the target computer, wherein the item is at least one of:
    - a hardware item, a service item, and a software item.
  - 58. The configured storage medium of claim 33, wherein at least the step of downloading the software update from the update server to the first target computer recurs, thereby repeatedly updating a particular file on at least the first target computer.
  - 59. The configured storage medium of claim 33, wherein the method further comprises at least one step from a group of disaster recovery steps, the step helping an administrator recover and continue operation after a system failure, wherein the group of disaster recovery steps comprises:
    - creating another server with the same domain name as a failed server, reinstalling update server software on a server, restoring archived data, and restoring mirrored data, and wherein at least one of the disaster recovery steps is available in the particular method embodiment.
  - 60. The configured storage medium of claim 33, wherein the method further comprises the steps of maintaining a record of recent operations, and rolling back deployment of a patch, thereby allowing an administrator to undo a target computer patch installation that has caused problems.
  - 61. The configured storage medium of claim 33, wherein the method further comprises use of a intelligent multiple patch deployment feature which matches patches with target computer operating systems, thereby relieving an administrator of the need to expressly and fully identify the operating system used on the target computer.
  - 62. The configured storage medium of claim 33, wherein the method installs a security patch on the first target computer, thereby providing an administrator with a policy-driven way to hook into the target computer'"'"'s file system and stop at least one particular file from executing on the target computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lumension Security, Inc. (Ivanti Software, Inc.)
Original Assignee
Patchlink Corporation (Ivanti Software, Inc.)
Inventors
Andrew, Christopher A.H., Gordon, Jonathan M., Bacon, Michael, Moshir, Sean

Application Number

US10/394,447
Publication Number

US 20040003266A1
Time in Patent Office

Days
Field of Search
US Class Current

713/191
CPC Class Codes

G06F 8/62   Uninstallation

G06F 8/65   Updates security arrangemen...

H04L 63/0236   Filtering by address, proto...

Non-invasive automatic offsite patch fingerprinting and updating system and method

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

606 Citations

62 Claims

Specification

Solutions

Use Cases

Quick Links

Non-invasive automatic offsite patch fingerprinting and updating system and method

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

606 Citations

62 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links