Avast Business Patch Management review: Don't give up the day job just yet

Regular patch deployment is one of those things that we all know we should do, but the hassle of patch management can often mean we don't do it as regularly as we could. Patch management is often a struggle for businesses faced with a seemingly never-ending stream of updates, both for Microsoft's Windows software and for sundry other business applications.

Avast comes to the rescue; its Business Patch Management (BPM) solution aims to provide centralised cloud management of patches for Windows endpoints from a single web console. Not only does it manage all Windows systems, but it supports over a thousand third-party apps, allowing you to ditch all your disparate update processes and bring them under one roof.

BPM lets you decide when to scan for updates and set schedules to determine the time they should be deployed so you can minimise their impact on business operations. You can review updates and choose to ignore specific ones, and use settings templates to control how endpoints are restarted.

Avast Business Patch Management review: Deployment

The first thing you need to be aware of is that BPM is an add-on enhancement to Avast's Business Antivirus, so you can't currently use it separately and will have to purchase an Antivirus subscription in addition to a BPM plan. We raised this with Avast and it advised us it is in the process of splitting the two products apart as a future feature.

Before using BPM, you'll need to configure your Windows systems to stop automatic updates. Avast provides help on its support site showing various methods, including using a Group Policy Object (GPO). Hardly elegant, but Avast also told us it will be implementing a feature in the console that allows automatic updates to be remotely disabled on systems with the Avast software installed.

Deployment is a swift process; you can simply create a custom installer utility from the console and send it to your endpoints. Delivery methods include copying it to endpoints and installing it manually, emailing a download link to users or linking up with Active Directory and using a master agent to automate the process.

Advanced installer options allow it to be customised further for Windows workstations and servers. Endpoints can be placed in different groups, each with its own settings template that determines what AV components to install (there are a lot) plus patch management scan and deployment schedules.

Avast Business Patch Management review: Product evolution

We've been testing BPM in the lab for three months and initially found an alarming number of issues. These included patches being scheduled but never deployed, endpoint reboot tasks constantly being created, some third-party apps failing to update and the original dashboard patch status widgets being very uninformative.

During this time, we've been in regular contact with Avast's development team, although we're unsure whether regular customers would have received the same level of support. That said, rather than being ignored, we've seen many of our criticisms being resolved and our suggestions being implemented.

The patch management dashboard widgets have been improved so the device summary provides hot links for pulling up quick views of vulnerable systems and those in danger. Rather than presenting a static status table, the patch summary widget now has direct links to systems with issues and the task list can be updated at will with a filter for sorting them into chronological order.

Most third-party apps installed on our test systems were updated successfully and included the latest Office and Adobe apps plus all popular web browsers - Avast provides a downloadable list which currently shows more than 1,200 supported apps. Some less common apps such as the FileZilla 4 FTP client had to be updated manually and Java updates aren't currently supported, due to Oracle changing its Java patch download processes.

We highlighted the latter to Avast, which plans to add a console link that will allow Java patches to be manually uploaded for distribution by BPM. Despite these glitches, BPM's support for the majority of common business apps will make it easier to manage their updates from one console.

Avast Business Patch Management review: Management console

Avast's cloud console is very informative; the dashboard provides an overview of protected systems with an unmissable banner across the top that alerts you when systems are deemed vulnerable or in danger. The interactive patch widgets keep you posted on endpoint update status while below are two charts that focus on installed AV components and detected malware threats.

Notifications are posted in date order and, where relevant, will have a link alongside that takes you straight to the affected system for a closer look. The device list can be filtered to show those with patch-related issues and endpoints have colour-coded icons for easy status identification.

The Device Settings page is where you create templates to control BPM agent behaviour. You can choose daily, weekly or monthly patch scan schedules, opt to deploy them immediately or at a specific time, control how and when endpoints are restarted and permit users to postpone or cancel the reboot.

You can view patch deployment status and apply filters to fine-tune the information while a drop-down menu for each patch allows you to force deployment, ignore it or roll it back on a specific endpoint. Avast provides a set of graphical reports so you can check on patch deployments, see systems that have failed tasks or missing patches and check on patched applications.

Avast Business Patch Management review: Verdict

Avast's Business Patch Management is clearly a work in progress, although the number of updates pushed out during our test period shows plenty of commitment. At its foundation, BPM's centralised cloud console and myriad deployment controls look capable of bringing order to Windows patch-related chaos, and its support for third-party app updates makes it more versatile than classic products such as Microsoft's WSUS (Windows Server Update Services).

However, it isn't a smart move tying BPM in with Avast's antivirus products as this could easily double acquisition costs. Businesses that like the look of BPM but already have a preferred AV vendor other than Avast will need to wait until it is available as a standalone product.