Home » Help » Patch Management Architecture
On-PremisesCloud
Related Articles

The Patch Management Architecture

The Patch Management Architecture consists of the following components:

Patch Management Architecture

 Fig: Patch Management Architecture

External Patch Crawler

The External Patch Crawler at Zoho Corp. is a critical component in maintaining cybersecurity. It continuously probes the internet and vendor websites, such as those of Microsoft, Apple, Linux distributions, and other third-party applications, to gather vulnerability information. The process of managing this data involves several key steps such as:

  1. Scanning and Detection: The external crawler, operated by ManageEngine, continuously scans the internet and vendor websites (e.g., Microsoft, Google, Adobe) for the latest vulnerability details, patches, and software packages.
  2. Downloading and Assessing Patches and Software Packages: The crawler downloads the latest patches and software packages, then performs rigorous checks to ensure their authenticity and integrity. This includes verifying check-sums, SSL certificates, file integrity, and scanning for viruses and malware. The patches are also tested for silent installation capability using internal tools.
  3. Deployment and Installation Testing: After the initial assessments, the files are deployed to an internal testing environment. This step involves monitoring the patches and software for deployment and installation, and checking their compatibility and general functionality within the test environment.

    4. Only Windows and Mac patches will be tested before release to the central repository. It is recommended that Linux patches be tested in an environment before deployment.

  4. Publishing to the Central Repository: Once the patches and software have passed testing for both functional correctness and authenticity, the data is analyzed and consolidated to create a comprehensive vulnerability database. This database serves as a baseline for vulnerability assessment across the enterprise. The updated vulnerability database, along with successfully tested software packages, is then published to the Central Patch Repository. This repository allows admins and technicians to access the latest patches and create deployment packages for managed endpoints.

The entire process, from information gathering to patch analysis and publishing, is conducted periodically, ensuring that updates are incorporated into the Central Patch Repository promptly.

Once the updates are supported the corresponding patch details will be available in the Central Patch Repository.

  1. Third-party updates are supported within 6-9 hours from vendor release.
  2. Security updates are supported within 12-18 hours from vendor release.
  3. Non-security updates are supported within 24 hours from vendor release.

Once supported, the updates will be available in the product after the sync between the Central Patch Repository and the Patch Manager Plus server has occurred. as per the configured time (once every day at the time you have configured in the Patch Database settings). You can also manually initiate this sync for the patches to show up after they have been supported.

Central Patch Repository

 The Central Patch Repository is a portal in the Zoho Corp. site, which hosts the latest vulnerability database that has been published after a thorough analysis. This database is exposed for download by the Patch Manager Plus server situated in the customer site, and provides information required for patch scanning and installation. The data provided is encrypted and transferred over HTTPS.

Patch Manager Plus Server

 The Patch Manager Plus Server is located at the enterprise (customer site) and subscribes to the Central Patch Repository, to periodically download the vulnerability database. The server:

  • Scans the systems in the enterprise network.
  • Checks for missing and available patches against the comprehensive vulnerability database.
  • Downloads and deploys missing patches and service packs.
  • Generates reports to effectively manage the patch management process in your enterprise.

How does it Work?

Patch Management is a two-stage process:

Patch Assessment or Scanning

The systems in the network are periodically scanned to assess the patch needs. Using a comprehensive database consolidated from Microsoft's and other bulletins, the scanning mechanism checks for the existence and state of the patches by performing file version checks, registry checks and checksums. The vulnerability database is periodically updated with the latest information on patches, from the Central Patch Repository. The scanning logic automatically determines which updates are needed on each client system, taking into account the operating system, application, and update dependencies.

On successful completion of an assessment, the results of each assessment are returned and stored in the server database. The scan results can be viewed from the web console.

Patch Download and Deployment

On selecting the patches to be deployed, the server downloads the patches from the vendor website and verifies their integrity using checksum. Following this, the agent downloads the patches from the server. The URL of the patches downloaded from the server will be validated with the checksum. Patch binaries will be validated with checksum during the download and each time installation is initiated.