The latest release of Shavlik Technologies' patch management software, which helps apply updates from software suppliers that fix security holes or other problems, automates more of the process with the aim of raising return on investment for customers.

HFNetChkPro 4.0 from Shavlik adds drag-and-drop patch management and features supporting grouping by patch or machine, setting service priorities, template creation and quick-scanning with a single click. The product is built on the same engine that Shavlik licenses to Microsoft for its HFNetChk scanning engine underlying the Microsoft Baseline Security Analyzer (MBSA) and the Microsoft Systems Management Server (SMS). It is non-agent-based, meaning no software is required on the remote computer in order for it to be managed.

"When Microsoft releases a patch, we have tools that decompose it and analyze how it works," says Mark Shavlik, CEO and founder of the company. "Every one of them is a little different. We capture the difference in an XML file and we use those to drive our engines. We focus on security updates."

Microsoft's application patches, such as those for Office, tend to be very large files, while the operating system patches tend to be granular.

"Microsoft is all over the map on this," Shavlik says.

While that might be a good thing for his company in the short term, Shavlik would prefer that Microsoft become more formal and disciplined in how it manages its patches.

"If we get people to do patch management, we get a win," he says.

With the 4.0 release, administrators can now conduct group scans, which let them select specific servers or departments such as HR or finance, and point to specific products such as Microsoft's Office or IIS.

Administrators can build templates for scanning groups, which can be edited. Improved collaboration features enable administrators to quickly determine severity ratings from Microsoft, and also receive third-party threat assessment and comments about patches from industry leaders. Push features enable patches to be automatically deployed.

The 4.0 version offers greater support for Microsoft products, including Windows NT 4.0, Windows 2003 Server, IIS 4, 5, 5.1 and 6.0, Exchange Server 5.5 and Microsoft Outlook. The 4.0 release is also Active Directory-aware, meaning administrators can scan and deploy patches to machines by organizational unit.

Pricing for the 4.0 release begins at $23.75 per server or workstation for 100 managed CPUs, so that the minimum order is $2,375; maintenance is 25% of list annually. The company's typical sale is in the $3,000 to $5,000 range.

Future plans include more support for non-English-speaking customers and extending to non-Microsoft operating system platforms, Shavlik says.