Security Validation of the Patch My PC Application Catalog

At Patch My PC, we understand that IT Security is vital to your organization, especially when considering a third-party patch management solution. We want to ensure you understand how we validate the integrity of the third-party updates included in our catalog.

The security validation of the updates and applications you deploy from Patch My PC products to your environment is extremely important. As such, the following is a detailed procedure of how we ensure the quality and integrity of the patches we publish in our third-party software update catalog.

What is the Patch My PC application catalog?

The Patch My PC application catalog is a catalog of third-party applications and updates that Patch My PC maintains. Our team adds applications continuously and ensures that existing applications are updated over time as third parties release application updates.

The applications and updates we collect and support are available for deployment in your environment. You deploy the applications and updates using either the on-premises Publisher for Configuration Manager and Intune or through Patch My PC Cloud for Intune.

Topics covered in this article:

Step 1: Building the Catalog
Step 2: Check for Third-Party Updates
Step 3: Check the File Hash
Step 4: Run Through VirusTotal
Step 5: Verify Updates are Digitally Signed
Step 6: Upload the Signed Catalog to Secure Storage
Patch My PC Unsigned Apps Table

Step 1: Building the Catalog

The Patch My PC Application Catalog contains applications for which there is a publicly accessible download of the installer that we can deploy and update. The catalog also includes some applications that do not publish a publicly accessible download. These are typically applications that you need to pay for, whose installer is behind a paywall that requires an individual login and password, or whose vendor uses a compressed file for its installer. We refer to such apps as binary-free applications.

In either case, Patch My PC engineers compile these third-party applications from vendors into our catalog and update them as vendors produce updates. This process includes downloading the update binary (EXE, MSI, or MSP) from the official vendor’s download mirror. This update binary will be the file executed on client computers to update the product. Patch My PC supports some binary-free applications; however, for these it is up to you, the customer, to pay for or log in to the vendor to get the update.

This process happens repeatedly for applications. For example, in February 2025, Patch My PC engineers added almost 100 new applications to our catalog and updated 1200 of the over 2000 applications we currently support. Customers are welcome to submit ideas for new applications to add to the Patch My PC catalog as long as an application meets specific criteria we use to add applications to our catalog.

Step 2: Check for Third-Party Updates

The next part of the security validation process for the Patch My PC Application Catalog is to check for third-party updates. We scan the third-party vendors’ applications we support and pick up updates when they are released.

When we add new updates to our catalog, the catalog metadata gets exported and saved into a CAB file. This catalog (.CAB) is imported into your environment and used to publish updates.

Again, this process of checking vendors for third-party updates happens continuously throughout the day and is why we recommend syncing daily with our products.

Step 3: Check the File Hash

The next step in the security validation process is to verify that the digest we have for an application update matches the one provided by the vendor.

What is a file hash?

A file hash is a unique, fixed-length string of characters generated by applying a mathematical algorithm to the contents of a file. Because any change to the contents produces a different hash, comparing hashes verifies that a file is exactly the file it is expected to be.

In other words, when Patch My PC engineers review a third-party update we’ve picked up, they make sure that the file hash we have for the update matches the one that the vendor released.

Step 4: Run Through VirusTotal

Once we obtain the vendor’s binary and file hash, we upload the binary to VirusTotal. VirusTotal analyzes the binary file with 55+ anti-virus engines. We post all VirusTotal results for any third-party updates released in our RSS feed and Catalog Release newsletter.

It is important to note that VirusTotal has a 650MB limit for file uploads, so Patch My PC is not able to scan updates larger than 650MB with VirusTotal. For file uploads that exceed the VirusTotal limit, we check for viruses with Windows Defender. This accounts for roughly twenty percent of our current catalog.

Step 5: Verify Updates are Digitally Signed

Before the catalog metadata is evaluated for publishing, there is a digital signature check on the downloaded catalog file. This check validates that the catalog is signed by Patch My PC.

When an updated binary is downloaded, we compare the hash of the downloaded binary with the hash from the catalog and only publish the update if they match.
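The publish gate described above, together with the VirusTotal size rule from Step 4, as an added Python example (not Patch My PC's code). It assumes SHA-256 as the digest, a hypothetical dict-shaped catalog entry, and 650MB read as 650 × 10^6 bytes; the sample files are constructed.

```python
import hashlib
import os
import re
import tempfile

# Assumptions, not from the article: SHA-256 as the digest algorithm, a
# dict-shaped catalog entry, and "650MB" read as 650 * 10**6 bytes.
VT_UPLOAD_LIMIT = 650 * 10**6
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")

def scan_route(size_bytes):
    """Step 4 rule: files over the upload limit go to Windows Defender."""
    return "VirusTotal" if size_bytes <= VT_UPLOAD_LIMIT else "Windows Defender"

def sha256_file(path, chunk_size=1 << 20):
    """Hash in 1 MiB chunks so large installers are never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def publish_decision(entry, downloaded_path):
    """Step 5 gate: publish only if the download matches the catalog hash."""
    expected = entry.get("sha256", "").strip().lower()
    if not HEX_SHA256.fullmatch(expected):
        return (False, "catalog digest missing or malformed")  # fail closed
    if sha256_file(downloaded_path) != expected:
        # The mirror served bytes other than the ones that were scanned.
        return (False, "hash mismatch")
    return (True, "hash matches catalog")

def demo():
    """Constructed sample: an intact download and one altered by one byte."""
    original = b"MZ" + b"\x00" * 4096  # stand-in for a vendor installer
    entry = {"name": "Example App (EXE-x64)",  # hypothetical catalog entry
             "sha256": hashlib.sha256(original).hexdigest().upper()}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, data in (("intact", original), ("altered", original + b"\x01")):
            path = os.path.join(tmp, label + ".exe")
            with open(path, "wb") as fh:
                fh.write(data)
            results[label] = publish_decision(entry, path)
    results["no_digest"] = publish_decision({"name": "x"}, os.devnull)
    return results

if __name__ == "__main__":
    print(demo())
```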

It is important to understand that some applications are not digitally signed. For those applications, we compare against the vendor’s hash when possible. However, if an application is not signed, we get the application hash from GitHub and run it through VirusTotal to make sure. A simple example is 7-Zip.

You can view a list of applications that are not digitally signed at the end of this article.

Step 6: Upload the Signed Catalog to Secure Storage

Once the catalog is validated, only then will the catalog metadata be evaluated for processing. Since we don’t control the servers used for content downloads, it’s essential to ensure the file downloaded from the vendor’s website is the exact same file used when initially creating the update that went through the VirusTotal scans.

To ensure the integrity of the catalog when downloaded and imported to your environment, we code-sign the catalog file with our code-signing certificate. The certificate is hardware-based, and access to it is tightly restricted to only a few vetted and trusted individuals within Patch My PC.

When the catalog gets downloaded into your environment, the import will only occur in our publishing service, SCCM 1806+, or SCUP if the catalog is code-signed by a trusted publisher.

After all the previous steps have been completed, we upload the signed catalog to secure storage, so only Patch My PC can connect to the storage. This is where the catalog is hosted.

When Patch My PC Publisher or Patch My PC Cloud needs to access the catalog, they download the CAB file over HTTPS, which is how it is served to customers.

Learn more about the security validation of the Patch My PC Publisher or Patch My PC Cloud.

Patch My PC Unsigned Apps Table

As mentioned earlier, some applications are not digitally signed. For those applications, we get the application hash from GitHub and run it through VirusTotal to make sure. Below is the list of applications this applies to.

Vendor | Product Name
3d-io GmbH | Exr-IO (EXE)
Alfen N.V. | ACE Service Installer (MSI-x86)
Angry IP Scanner | Angry IP Scanner (EXE-x86)
Antmicro | Renode (MSI-x64)
Apache Software Foundation | Apache Groovy (MSI-x86)
Appeee | Appeee (User-x64)
ApSIC, S.L. | ApSIC Xbench (EXE-x64)
Armin Osaj | Auto Dark Mode (EXE-x86)
AstroComma, Inc. | AstroGrep (EXE-x86)
beeftext.org | Beeftext (EXE-x64)
Benthic Software | Benthic Software PLEdit 6.x (EXE-x64)
Benthic Software | Benthic Software PLEdit 6.x (EXE-x86)
Bitfocus | Bitfocus Companion Satellite (EXE-x64)
Blueberry Software (UK) Ltd. | FlashBack Express
Bram Moolenaar et al. | Vim (EXE-x64)
Bram Moolenaar et al. | Vim (EXE-x86)
Brian Apps | Sizer (MSI-x86)
Cartamundi Digital | Fundels (EXE-x86)
CCL | NetLogo (MSI-x64)
CCL | NetLogo (MSI-x86)
Celestia Development Team | Celestia (EXE-x64)
Chris Klimas | Twine (EXE-x64)
Chris Klimas | Twine (User-x64)
Cisco Systems, Inc. | Chez Scheme (EXE-x64)
Clip2net | Clip2net (EXE-x86)
CompuSolve | MinuteTraq
den4b Team | ReNamer (EXE-x86)
East-Tec | ColorVeil (EXE-x64)
Emmanouil Konstantinidis | Gitify (EXE-x64)
Exacq Technologies | exacqVision Client (EXE-x64)
Exacq Technologies | exacqVision Client (MSI-x64)
Fabio Spampinato | Notable (User-x64)
Far Group | Far Manager 3 (MSI-x64)
Far Group | Far Manager 3 (MSI-x86)
GanttProject | GanttProject
Giorgio Tani | PeaZip (x64)
Giorgio Tani | PeaZip (x86)
Giuseppe Penone | CherryTree (EXE-x64)
GNU Octave | Octave (EXE-x64)
Greenfoot Team | Greenfoot (MSI-x64)
Hanna Knutsson | Qalculate! (MSI-x64)
Hanna Knutsson | Qalculate! (MSI-x86)
Henrik Wenz | All-in-One Messenger (User-x64)
Igor Pavlov | 7-Zip (x64) – EXE Install
Igor Pavlov | 7-Zip (x64) – MSI Install
Igor Pavlov | 7-Zip (x86) – EXE Install
Igor Pavlov | 7-Zip (x86) – MSI Install
IronPython Team | IronPython 3 (MSI-x64)
Ivan Zahariev | IZArc
Jacob Crowther | Cryptr (User-x64)
Jim Radford | SuperPuTTY (MSI-x86)
Jocs | MarkText (EXE-x64)
Jocs | MarkText (User-x64)
Kai Kramer | KeyStore Explorer (EXE-x86)
Kai Kramer | KeyStore Explorer (User-x86)
Kai Willadsen | Meld (MSI)
KDE e.V. | KDiff3 (EXE-x64)
KLCP | K-Lite Basic Codec Pack
KLCP | K-Lite Full Codec Pack
KLCP | K-Lite Mega Codec Pack
KLCP | K-Lite Standard Codec Pack
Kubernetes | Minikube (EXE-x64)
Lexikos | AutoHotkey
LibrePCB Developers | LibrePCB (EXE-x64)
LIGHTNING UK! | ImgBurn
LogMeIn, Inc. | LogMeIn Rescue Technician Console (MSI-x86)
Lukas Holecek | CopyQ (EXE-x64)
Michael Hansen | QTextPad (EXE-x64)
Monash University | MiniZinc IDE (EXE-x64)
Monash University | MiniZinc IDE (User-x64)
MSEndpointMgr | Driver Automation Tool
Nayam Amarshe | Upscayl (EXE-x64)
neovim.io | Neovim (MSI-x64)
NETIO | NETIO Discover (EXE-x86)
New Breed Software | Tux Paint (EXE-x64)
Nikse | Subtitle Edit (EXE-x64)
Nullsoft | Nullsoft Scriptable Install System (EXE-x86)
NXLog Ltd | NXLog Community Edition (MSI)
Ookla | Speedtest by Ookla (MSI-x64)
Open Education Foundation | OpenBoard (EXE)
Paul Pacifico | Shutter Encoder (EXE-x64)
PDF Arranger | PDF Arranger (MSI-x64)
ProjectLibre | ProjectLibre (x64)
Prowise B.V. | Prowise Reflect (EXE-x86)
PTRTECH | UVtools (MSI-x64)
R Core Team | R For Windows
Radio-Sky Publishing | Radio Eyes (EXE-x86)
Radio-Sky Publishing | Radio-Sky Spectrograph (EXE-x86)
rawtherapee.com | RawTherapee (EXE-x64)
Rico Suter | NSwagStudio (MSI-x86)
Rob Caelers | Workrave (EXE-x86)
Scott Brogden | Ditto (EXE-x64)
Scott Brogden | Ditto (EXE-x86)
ShareX Team | ShareX
Shining Light Productions | OpenSSL 3.0 (EXE-x64)
Shining Light Productions | OpenSSL 3.0 (MSI-x64)
Shining Light Productions | OpenSSL 3.0 Light (EXE-x64)
Shining Light Productions | OpenSSL 3.1 (EXE-x64)
Shining Light Productions | OpenSSL 3.1 (MSI-x64)
Shining Light Productions | OpenSSL 3.1 Light (EXE-x64)
Shining Light Productions | OpenSSL 3.2 (EXE-x64)
Shining Light Productions | OpenSSL 3.2 (MSI-x64)
Shining Light Productions | OpenSSL 3.2 Light (EXE-x64)
Shining Light Productions | OpenSSL Latest (EXE-x64)
Shining Light Productions | OpenSSL Latest (MSI-x64)
Shining Light Productions | OpenSSL Latest Light (EXE-x64)
Shining Light Productions | OpenSSL Light 3.0 (MSI-x64)
Shining Light Productions | OpenSSL Light 3.1 (MSI-x64)
Shining Light Productions | OpenSSL Light 3.2 (MSI-x64)
Shining Light Productions | OpenSSL Light Latest (MSI-x64)
Sigil-Ebook | Sigil (EXE-x64)
Splunk, Inc. | Splunk ACS CLI (EXE-x64)
sqlitestudio.pl | SQLiteStudio (EXE-x64)
sqlitestudio.pl | SQLiteStudio (EXE-x86)
Steve Borho and others | TortoiseHg (x64)
Steve Borho and others | TortoiseHg (x86)
strawberryperl.com project | Strawberry Perl (MSI-x64)
strawberryperl.com project | Strawberry Perl (MSI-x86)
Stylus Labs | Write (MSI-x64)
sylikc | JPEGView (MSI-x64)
sylikc | JPEGView (MSI-x86)
Tareq Imbasher | NetPad (EXE-x64)
Tareq Imbasher | NetPad (User-x64)
Tenacity Team | Tenacity (EXE-x64)
Tenacity Team | Tenacity (EXE-x86)
TeraTerm Project | Tera Term (EXE-x86)
The gPodder Team | gPodder (EXE-x86)
The jamovi Project | jamovi Desktop Current Release (EXE-x64)
The Open-Shell Team | Open-Shell (EXE-x64)
The Scribus Team | Scribus (EXE-x64)
The Scribus Team | Scribus (EXE-x86)
The Volta Maintainers | Volta (MSI-x64)
Tinn-R Team | Tinn-R (EXE-x86)
Trimble, Inc. | Trimble RINEX Converter (MSI-x86)
Versent | saml2aws (MSI-x64)
Wasmer | Wasmer (EXE-x86)