Overview
You have critical infrastructure systems and are bound by compliance standards. You want to know how GFI LanGuard ensures the integrity of updates from Microsoft and third-party vendors as they are downloaded.
Solution
GFI LanGuard ensures update integrity through several layers of protection.
Content Team checks
First, the GFI Content Team determines the download links for updates and patches, and analyzes each file to ensure its data integrity by validating the downloads against the information from the vendor (installer signature + SHA1 hash) and performing additional security checks (not disclosed here).
The download links and hashes are stored in encrypted form in the definitions database, which the LanGuard server updates daily during automatic Program Updates.
LanGuard server checks
Second, when the LanGuard server downloads a patch or an update, it uses the link from the definitions database, calculates the SHA1 hash and size of the downloaded file, and verifies that the correct file was downloaded. Hence, if a file has changed, it will not be downloaded for distribution.
Deployment checks
Finally, the SHA hash and size are also checked as part of the deployment process on the target machine after the file is copied from the LanGuard server. This verifies both that the file is what we expect and that the full file was copied.
The PatchAgent.log file, located in the C:\Windows\Patches folder on the target machine, records this whole process. In summary, the system checks whether the PatchAgent service is already installed and running on the machine. The PatchAgent then verifies the SHA hash of the file to make sure it is executing the correct patch, and not malicious code, and that the full copy was completed.
You can go through LanGuard's patch deployment process for more information about the PatchAgent.
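The following sketch shows the kind of size-plus-SHA1 check described above and how it separates an incomplete copy from a changed file. It is an added example, not GFI LanGuard or PatchAgent code; the function name `verify_download`, the reason strings and the sample payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def verify_download(path, expected_sha1, expected_size, chunk_size=1 << 20):
    """Compare a file against the size and SHA1 recorded for it.

    Returns (ok, reason) where reason is "ok", "size" or "sha1".
    The size is checked first so an incomplete copy is reported as such
    without hashing; the hash then catches same-size modifications.
    """
    if os.path.getsize(path) != expected_size:
        return False, "size"
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        # Stream in chunks so large installers are not loaded into memory.
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    expected = expected_sha1.strip().lower()
    if not hmac.compare_digest(digest.hexdigest(), expected):
        return False, "sha1"
    return True, "ok"


def demo():
    """Run the check over three constructed files and return the results."""
    original = b"MZ" + b"constructed patch payload " * 64  # sample data only
    expected_sha1 = hashlib.sha1(original).hexdigest()
    expected_size = len(original)
    cases = {
        "intact": original,
        "truncated": original[:-100],       # copy stopped early
        "modified": original[:-1] + b"X",   # same size, different content
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in cases.items():
            path = os.path.join(tmp, name + ".bin")
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = verify_download(path, expected_sha1, expected_size)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} ok={ok} reason={reason}")
```
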