Security Validation of the Patch My PC Application Catalog
At Patch My PC, we understand that IT Security is vital to your organization, especially when considering a third-party patch management solution. We want to ensure you understand how we validate the integrity of the third-party updates included in our catalog.
The security validation of the updates and applications you deploy from Patch My PC products to your environment is extremely important. As such, the following is a detailed procedure of how we ensure the quality and integrity of the patches we publish in our third-party software update catalog.
What is the Patch My PC application catalog?
The Patch My PC application catalog is a catalog of third-party applications and updates that Patch My PC maintains. Our team adds applications continuously and ensures that existing applications are updated over time as third parties release application updates.
The applications and updates we collect and support are available for deployment in your environment. You deploy the applications and updates using either the on-premise Publisher for Configuration Manager and Intune or through Patch My PC Cloud for Intune.
Topics covered in this article:
Step 1: Building the Catalog
Step 2: Check for Third-Party Updates
Step 3: Check the File Hash
Step 4: Run Through VirusTotal
Step 5: Verify Updates are Digitally Signed
Step 6: Upload the Signed Catalog to Secure Storage
Patch My PC Unsigned Apps Table
Step 1: Building the Catalog
The Patch My PC Application Catalog contains applications for which there is a publicly accessible download of the installer that we can deploy and update. The catalog also includes some applications that do not publish a publicly accessible download. These are typically applications that you need to pay for, whose installer is behind a paywall that requires an individual login and password, or whose vendor uses a compressed file for its installer. We refer to such apps as binary-free applications.
In either case, Patch My PC engineers compile these third-party applications from vendors into our catalog and update them as vendors produce updates. This process includes downloading the update binary (EXE, MSI, or MSP) from the official vendor’s download mirror. This update binary will be the file executed on client computers to update the product. Patch My PC supports some binary-free applications; for these, however, it is up to you, the customer, to pay for or log in to the vendor to get the update.
This process happens repeatedly for applications. For example, in February 2025, Patch My PC engineers added almost 100 new applications to our catalog and updated 1200 of the over 2000 applications we currently support. Customers are welcome to submit ideas for new applications to add to the Patch My PC catalog as long as an application meets specific criteria we use to add applications to our catalog.
Step 2: Check for Third-Party Updates
The next part of the security validation of the Patch My PC Application Catalog is to check for third-party updates. We scan the third-party vendors’ applications we support and pick up updates when they are released.
When we add new updates to our catalog, the catalog metadata gets exported and saved into a CAB file. This catalog (.CAB) is imported into your environment and used to publish updates.
Again, this process of checking vendors for third-party updates happens continuously throughout the day and is why we recommend syncing daily with our products.
Step 3: Check the File Hash
The next step in the security validation process is to verify that the digest we have for an application update matches the one provided by the vendor.
What is a file hash?
A file hash is a unique, fixed-length string of characters generated by applying a mathematical algorithm to the contents of a file. Because any change to the file's contents produces a different hash, comparing hashes verifies that a file is exactly the file it is expected to be.
In other words, when Patch My PC engineers review a third-party update we’ve picked up, they make sure that the file hash we have for the update matches the one that the vendor released.
Step 4: Run Through VirusTotal
Once we obtain the vendor’s binary and file hash, we then upload the binary to VirusTotal. VirusTotal will analyze the binary file through 55+ anti-virus engines. We post all VirusTotal results for any third-party updates released in our RSS feed and Catalog Release newsletter.
It is important to note that VirusTotal has a 650MB limit for file uploads, so Patch My PC is not able to scan updates larger than 650MB with VirusTotal. For file uploads that exceed the VirusTotal limit, we check for viruses with Windows Defender. This accounts for roughly twenty percent of our current catalog.
Step 5: Verify Updates are Digitally Signed
Before the catalog metadata is evaluated for publishing, there is a digital signature check on the downloaded catalog file. This check validates that the catalog is signed by Patch My PC.
When an updated binary is downloaded, we compare the hash of the downloaded binary with the hash from the catalog and only publish the update if they match.
It is important to understand that some applications are not digitally signed. For those applications, we compare against the vendor’s hash when possible. However, if an application is not signed, we get the application hash from GitHub and run it through VirusTotal to make sure. A simple example is 7-Zip.
You can view a list of applications that are not digitally signed at the end of this article.
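A customer-side version of the checks described in Steps 3 and 5, as an added example (not Patch My PC's own code): it approves a file only when its digest matches the expected value and its Authenticode signature is valid, with an explicit opt-in for unsigned applications. The function name `Test-UpdateIntegrity`, its parameters and the use of SHA-256 hex digests are assumptions for illustration; the page does not state which hash algorithm the catalog uses.

```powershell
# Added example, not Patch My PC code. Assumes SHA-256 hex digests.
function Test-UpdateIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string]$ExpectedSigner,   # hypothetical: text expected in the signer certificate subject
        [switch]$AllowUnsigned     # for vendors that do not sign; the hash check still applies
    )

    # 1. Digest comparison (hex, case-insensitive).
    $actual    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashMatch = $actual -ieq $ExpectedSha256.Trim()

    # 2. Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $signerOk = $true
    if ($ExpectedSigner -and $sig.SignerCertificate) {
        $subject  = $sig.SignerCertificate.Subject
        $signerOk = $subject.IndexOf($ExpectedSigner, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    $signedOk = ($sig.Status -eq 'Valid') -and $signerOk
    # A broken or untrusted signature is never treated as "unsigned".
    $unsignedOk = $AllowUnsigned -and ($sig.Status -eq 'NotSigned')

    [pscustomobject]@{
        Path      = $Path
        HashMatch = $hashMatch
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Approved  = $hashMatch -and ($signedOk -or $unsignedOk)
    }
}

# Constructed demo: an unsigned .ps1 stands in for an unsigned installer.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'demo-update.ps1'
Set-Content -LiteralPath $demo -Value 'Write-Output "constructed sample"'
# Stands in for the digest recorded when the update was first reviewed.
$catalogHash = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash

Test-UpdateIntegrity -Path $demo -ExpectedSha256 $catalogHash -AllowUnsigned
Test-UpdateIntegrity -Path $demo -ExpectedSha256 $catalogHash   # unsigned not opted in
Add-Content -LiteralPath $demo -Value '# modified after the digest was recorded'
Test-UpdateIntegrity -Path $demo -ExpectedSha256 $catalogHash -AllowUnsigned
Remove-Item -LiteralPath $demo
```

The same function can be pointed at a downloaded catalog CAB or a signed installer by passing `-ExpectedSigner` with the publisher name you expect and omitting `-AllowUnsigned`.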
Step 6: Upload the Signed Catalog to Secure Storage
Once the catalog is validated, only then will the catalog metadata be evaluated for processing. Since we don’t control the servers used for content downloads, it’s essential to ensure the file downloaded from the vendor’s website is the exact same file used when initially creating the update that went through the VirusTotal scans.
To ensure the integrity of the catalog when downloaded and imported to your environment, we code-sign the catalog file with our code-signing certificate. The certificate is hardware-based and tightly controlled to only a few vetted and trusted individuals within Patch My PC.
When the catalog gets downloaded into your environment, the import will only occur in our publishing service, SCCM 1806+, or SCUP if the catalog is code-signed by a trusted publisher.
After all the previous steps have been completed, we upload the signed catalog to secure storage, so only Patch My PC can connect to the storage. This is where the catalog is hosted.
When Patch My PC Publisher or Patch My PC Cloud needs to access the catalog, it downloads the CAB file over HTTPS, which is how the catalog is served to customers.
Learn more about the security validation of the Patch My PC Publisher or Patch My PC Cloud.
Patch My PC Unsigned Apps Table
As mentioned earlier, some applications are not digitally signed. For those applications, we get the application hash from GitHub and run it through VirusTotal to make sure. Below is the list of applications this applies to.
Vendor | Product Name |
---|---|
3d-io GmbH | Exr-IO (EXE) |
Alfen N.V. | ACE Service Installer (MSI-x86) |
Angry IP Scanner | Angry IP Scanner (EXE-x86) |
Antmicro | Renode (MSI-x64) |
Apache Software Foundation | Apache Groovy (MSI-x86) |
Appeee | Appeee (User-x64) |
ApSIC, S.L. | ApSIC Xbench (EXE-x64) |
Armin Osaj | Auto Dark Mode (EXE-x86) |
AstroComma, Inc. | AstroGrep (EXE-x86) |
beeftext.org | Beeftext (EXE-x64) |
Benthic Software | Benthic Software PLEdit 6.x (EXE-x64) |
Benthic Software | Benthic Software PLEdit 6.x (EXE-x86) |
Bitfocus | Bitfocus Companion Satellite (EXE-x64) |
Blueberry Software (UK) Ltd. | FlashBack Express |
Bram Moolenaar et al. | Vim (EXE-x64) |
Bram Moolenaar et al. | Vim (EXE-x86) |
Brian Apps | Sizer (MSI-x86) |
Cartamundi Digital | Fundels (EXE-x86) |
CCL | NetLogo (MSI-x64) |
CCL | NetLogo (MSI-x86) |
Celestia Development Team | Celestia (EXE-x64) |
Chris Klimas | Twine (EXE-x64) |
Chris Klimas | Twine (User-x64) |
Cisco Systems, Inc. | Chez Scheme (EXE-x64) |
Clip2net | Clip2net (EXE-x86) |
CompuSolve | MinuteTraq |
den4b Team | ReNamer (EXE-x86) |
East-Tec | ColorVeil (EXE-x64) |
Emmanouil Konstantinidis | Gitify (EXE-x64) |
Exacq Technologies | exacqVision Client (EXE-x64) |
Exacq Technologies | exacqVision Client (MSI-x64) |
Fabio Spampinato | Notable (User-x64) |
Far Group | Far Manager 3 (MSI-x64) |
Far Group | Far Manager 3 (MSI-x86) |
GanttProject | GanttProject |
Giorgio Tani | PeaZip (x64) |
Giorgio Tani | PeaZip (x86) |
Giuseppe Penone | CherryTree (EXE-x64) |
GNU Octave | Octave (EXE-x64) |
Greenfoot Team | Greenfoot (MSI-x64) |
Hanna Knutsson | Qalculate! (MSI-x64) |
Hanna Knutsson | Qalculate! (MSI-x86) |
Henrik Wenz | All-in-One Messenger (User-x64) |
Igor Pavlov | 7-Zip (x64) – EXE Install |
Igor Pavlov | 7-Zip (x64) – MSI Install |
Igor Pavlov | 7-Zip (x86) – EXE Install |
Igor Pavlov | 7-Zip (x86) – MSI Install |
IronPython Team | IronPython 3 (MSI-x64) |
Ivan Zahariev | IZArc |
Jacob Crowther | Cryptr (User-x64) |
Jim Radford | SuperPuTTY (MSI-x86) |
Jocs | MarkText (EXE-x64) |
Jocs | MarkText (User-x64) |
Kai Kramer | KeyStore Explorer (EXE-x86) |
Kai Kramer | KeyStore Explorer (User-x86) |
Kai Willadsen | Meld (MSI) |
KDE e.V. | KDiff3 (EXE-x64) |
KLCP | K-Lite Basic Codec Pack |
KLCP | K-Lite Full Codec Pack |
KLCP | K-Lite Mega Codec Pack |
KLCP | K-Lite Standard Codec Pack |
Kubernetes | Minikube (EXE-x64) |
Lexikos | AutoHotkey |
LibrePCB Developers | LibrePCB (EXE-x64) |
LIGHTNING UK! | ImgBurn |
LogMeIn, Inc. | LogMeIn Rescue Technician Console (MSI-x86) |
Lukas Holecek | CopyQ (EXE-x64) |
Michael Hansen | QTextPad (EXE-x64) |
Monash University | MiniZinc IDE (EXE-x64) |
Monash University | MiniZinc IDE (User-x64) |
MSEndpointMgr | Driver Automation Tool |
Nayam Amarshe | Upscayl (EXE-x64) |
neovim.io | Neovim (MSI-x64) |
NETIO | NETIO Discover (EXE-x86) |
New Breed Software | Tux Paint (EXE-x64) |
Nikse | Subtitle Edit (EXE-x64) |
Nullsoft | Nullsoft Scriptable Install System (EXE-x86) |
NXLog Ltd | NXLog Community Edition (MSI) |
Ookla | Speedtest by Ookla (MSI-x64) |
Open Education Foundation | OpenBoard (EXE) |
Paul Pacifico | Shutter Encoder (EXE-x64) |
PDF Arranger | PDF Arranger (MSI-x64) |
ProjectLibre | ProjectLibre (x64) |
Prowise B.V. | Prowise Reflect (EXE-x86) |
PTRTECH | UVtools (MSI-x64) |
R Core Team | R For Windows |
Radio-Sky Publishing | Radio Eyes (EXE-x86) |
Radio-Sky Publishing | Radio-Sky Spectrograph (EXE-x86) |
rawtherapee.com | RawTherapee (EXE-x64) |
Rico Suter | NSwagStudio (MSI-x86) |
Rob Caelers | Workrave (EXE-x86) |
Scott Brogden | Ditto (EXE-x64) |
Scott Brogden | Ditto (EXE-x86) |
ShareX Team | ShareX |
Shining Light Productions | OpenSSL 3.0 (EXE-x64) |
Shining Light Productions | OpenSSL 3.0 (MSI-x64) |
Shining Light Productions | OpenSSL 3.0 Light (EXE-x64) |
Shining Light Productions | OpenSSL 3.1 (EXE-x64) |
Shining Light Productions | OpenSSL 3.1 (MSI-x64) |
Shining Light Productions | OpenSSL 3.1 Light (EXE-x64) |
Shining Light Productions | OpenSSL 3.2 (EXE-x64) |
Shining Light Productions | OpenSSL 3.2 (MSI-x64) |
Shining Light Productions | OpenSSL 3.2 Light (EXE-x64) |
Shining Light Productions | OpenSSL Latest (EXE-x64) |
Shining Light Productions | OpenSSL Latest (MSI-x64) |
Shining Light Productions | OpenSSL Latest Light (EXE-x64) |
Shining Light Productions | OpenSSL Light 3.0 (MSI-x64) |
Shining Light Productions | OpenSSL Light 3.1 (MSI-x64) |
Shining Light Productions | OpenSSL Light 3.2 (MSI-x64) |
Shining Light Productions | OpenSSL Light Latest (MSI-x64) |
Sigil-Ebook | Sigil (EXE-x64) |
Splunk, Inc. | Splunk ACS CLI (EXE-x64) |
sqlitestudio.pl | SQLiteStudio (EXE-x64) |
sqlitestudio.pl | SQLiteStudio (EXE-x86) |
Steve Borho and others | TortoiseHg (x64) |
Steve Borho and others | TortoiseHg (x86) |
strawberryperl.com project | Strawberry Perl (MSI-x64) |
strawberryperl.com project | Strawberry Perl (MSI-x86) |
Stylus Labs | Write (MSI-x64) |
sylikc | JPEGView (MSI-x64) |
sylikc | JPEGView (MSI-x86) |
Tareq Imbasher | NetPad (EXE-x64) |
Tareq Imbasher | NetPad (User-x64) |
Tenacity Team | Tenacity (EXE-x64) |
Tenacity Team | Tenacity (EXE-x86) |
TeraTerm Project | Tera Term (EXE-x86) |
The gPodder Team | gPodder (EXE-x86) |
The jamovi Project | jamovi Desktop Current Release (EXE-x64) |
The Open-Shell Team | Open-Shell (EXE-x64) |
The Scribus Team | Scribus (EXE-x64) |
The Scribus Team | Scribus (EXE-x86) |
The Volta Maintainers | Volta (MSI-x64) |
Tinn-R Team | Tinn-R (EXE-x86) |
Trimble, Inc. | Trimble RINEX Converter (MSI-x86) |
Versent | saml2aws (MSI-x64) |
Wasmer | Wasmer (EXE-x86) |