Security Validation for Patch My PC Cloud 

Patch My PC Cloud is a cloud-native solution that is primarily designed for customers using Intune. It automates the packaging, deployment, and updating of third-party applications across devices. This process streamlines your security and compliance.  

We understand that the security validation process for Patch My PC Cloud is important to our customers. As such, we have detailed the security processes we use when it comes to connecting with the Patch My PC application catalog to provide our services via Patch My PC Cloud below. 

How does the Patch My PC application catalog connect to Patch My PC Cloud? 

Within Patch My PC Cloud, there is a job that runs on a schedule every 15 minutes that looks for changes in the catalog cab file that’s being served to it. Patch My PC Cloud has its own identifier, much like a customer ID, that allows publishing to occur.  

When Patch My PC Cloud identifies the catalog cab file, it looks for any new updates in the catalog cab file. Once it finds what is new, it brings that in and publishes it in the VM using an internal API directly to the Patch My PC Cloud catalog.  

So, when a customer logs in to the Patch My PC Cloud portal, they have the most up-to-date catalog. The new updates that are brought in are deployed based on the customer’s sync schedule. That’s when the new updates are pushed out to a customer’s environment. 

How does security validation happen with PMPC Cloud? 

The Patch My PC catalog within Patch My PC Cloud is updated every 15 minutes based on the changes in our latest cab file. Any catalog changes are validated with hash checks, signature verification, and our dual code-signing certificate process to ensure that the files are genuine. If any of these validation checks fail, the catalog is rejected. 

In other words, Patch My PC Cloud downloads the catalog, verifies that it’s signed with our dual code-signing certificate, ensures that it is a valid signature, and makes sure the cab file hasn’t changed. Once this is complete, the updates are imported.   

Once the updates are imported, Patch My PC Cloud looks for any new updates and checks whether those updates are already published. If they aren’t published, Patch My PC Cloud downloads the product and compares the hash of the downloaded file against the hash recorded for it in the catalog. If the hashes don’t match, the file is not uploaded. If they match, it is uploaded.  

Essentially, all of this is to ensure that the catalog the updates are pulled from is the same catalog we signed, and that the files uploaded to Patch My PC Cloud match what we have.  
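The validation chain described above (signature check, pinned signer, unchanged cab hash, then per-product hash comparison before anything is uploaded), written out as an added PowerShell example; this is not Patch My PC's own code. It assumes a hypothetical catalog layout (`catalog.xml` inside the cab with `<Product Name="" Sha256="" Path=""/>` entries), an out-of-band expected cab hash, and a pinned signer thumbprint.

```powershell
# Added example, not Patch My PC's own code: a simplified version of the validation chain above.
# Assumptions (hypothetical): the catalog is an Authenticode-signed .cab, its SHA-256 is known
# out of band, the signer thumbprint is pinned, and the extracted catalog.xml lists products as
# <Product Name="..." Sha256="..." Path="..."/>. Only the primary signature is inspected here.
function Test-CatalogSignature {
    param([Parameter(Mandatory)][string]$CabPath, [Parameter(Mandatory)][string[]]$TrustedThumbprints)
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Catalog rejected: signature status is $($sig.Status)"; return $false
    }
    # Pin the signer: a valid chain from any trusted CA is not enough.
    if ($TrustedThumbprints -notcontains $sig.SignerCertificate.Thumbprint) {
        Write-Warning "Catalog rejected: unexpected signer $($sig.SignerCertificate.Subject)"; return $false
    }
    return $true
}

function Test-FileHashMatches {
    param([string]$Path, [string]$ExpectedSha256)
    if (-not (Test-Path $Path)) { return $false }
    return ((Get-FileHash -Path $Path -Algorithm SHA256).Hash -ieq $ExpectedSha256)
}

function Import-ValidatedCatalog {
    param([string]$CabPath, [string]$ExpectedCabSha256, [string[]]$TrustedThumbprints, [string]$DownloadRoot)
    # Step 1: signature valid and signer pinned. Step 2: the cab itself is byte-for-byte what we expect.
    if (-not (Test-CatalogSignature $CabPath $TrustedThumbprints)) { return @() }
    if (-not (Test-FileHashMatches $CabPath $ExpectedCabSha256)) {
        Write-Warning 'Catalog rejected: cab hash does not match the expected value'; return @()
    }
    # Step 3: expand the cab and read the catalog (hypothetical schema, see header comment).
    $work = Join-Path $env:TEMP ('catalog-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    expand.exe $CabPath -F:* $work | Out-Null
    [xml]$catalog = Get-Content -Path (Join-Path $work 'catalog.xml') -Raw
    # Step 4: a product is accepted only if its downloaded binary matches the hash the signed catalog declares.
    $accepted = foreach ($p in $catalog.Catalog.Product) {
        $file = Join-Path $DownloadRoot $p.Path
        if (Test-FileHashMatches $file $p.Sha256) { [pscustomobject]@{ Name = $p.Name; Path = $file } }
        else { Write-Warning "Skipping $($p.Name): hash mismatch, not uploading" }
    }
    return $accepted
}
```

Get-AuthenticodeSignature reports only the primary signature, so a dual-signed file needs a tool that walks every signature (for example signtool verify with /all) if both signatures are to be checked.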

Preventing a Man-in-the-Middle (MitM) attack 

To help prevent third-party file compromise, we check the file with Virus Total. If the file passes, we check for digital signatures on the file, and make sure the file comes from the vendor it says it’s from.  

Some files, though, are too large to run through Virus Total. In that case, we run the file through Microsoft Defender, which flags any issues. In this way, Patch My PC does its best to ensure our customers download a safe catalog. 

Preventing an insider threat 

If a Patch My PC employee were to try to compromise the catalog, the DevOps detections set up would notify other employees immediately that the catalog is compromised and cannot move forward in the approval process.  

For example, if an employee were to try and put a malicious link somewhere in the catalog, DevOps detections would see it and bring it up as an issue.    

Preventing a third-party file compromise  

To prevent third-party file compromise, we validate the file through Virus Total. If the file passes, we check for digital signatures on the file, and make sure the file comes from the vendor it says it’s from.  

Some files, though, are too large to run through Virus Total. In that case, we run the file through Microsoft Defender, which flags any issues.   

Therefore, Patch My PC ensures our customers are never downloading a “bad” or corrupted catalog. Additionally, this type of protection ensures that if a third party is compromised, Patch My PC prevents the compromised file from ever being downloaded and deployed in your environment.  

Exceeding the industry standard 

The process above far exceeds the industry standard. A typical systems administrator, when packaging software themselves, goes to a vendor website, clicks download, drags it into a folder, packages it, and sends it out. Very little to no verification is ever done to ensure the file is not compromised.  

This is not done out of negligence or malicious intent, but because verifying the security of even one file takes a lot of time, energy, and effort. A typical systems administrator has very little of any of these due to the increasing workload and daily demands of the job.  

Verifying even one file can add hours of work to a process that already takes 2-3 hours to complete. Given that a typical small company has 50 applications installed, you can see how a systems administrator’s workload does not allow for such security assurances. 

Patch My PC, on the other hand, not only automates this process for seamless deployment in your environment, but does so with verifications, hash checks, and code-signing validations to ensure there is no third-party file compromise. 

We do our due diligence and once we have the third-party file signed and in our cab catalog, we can guarantee that the file you receive is the exact same file we got from the vendor.  

All the testing Patch My PC performs as part of our application catalog pipeline allows us to provide a well-tested experience to our customers. Part of this process is ensuring that the testing completed in our pipeline carries over to your environment.  

Customer verification 

It’s important to note that once updates are in a customer’s environment, it’s up to you to complete a final quality check against your specific environment.