Understanding 0patch

Mitja Kolsek

Software products often contain vulnerabilities - flaws that allow attackers to take control of one's computer. Software vendors usually provide official fixes for vulnerabilities in their products. But sometimes they don't, because a product is no longer supported, or they are slow to do so. The result is publicly known vulnerabilities that start getting exploited while users can't do anything to protect themselves. This is where we step in.

A patch (also called a micropatch due to its tiny size) is a small package with a few code instructions that replace a vulnerable section of code in a running application. A patch therefore fixes a vulnerability.

A patch is considered installed as soon as it is downloaded from the server and stored in a local database. This does not automatically mean that it is applicable to your computer, only that it is there waiting to be used in case it is needed.

An installed patch can get applied to a running process in order to eliminate a vulnerability in that process. This means that the vulnerable code section in the process is replaced with corrected code from the patch. Normally, a patch always gets applied to the vulnerable process it was designed for, but this can be prevented by disabling the patch, excluding an application from patching, or disabling the 0patch Agent.

When a patch is removed from a running process, the corrected code from the patch is removed, and the original (vulnerable) code is restored in the process. Consequently, the process again becomes vulnerable to the attack previously blocked by the patch.

0patch does not change executable files on the file system. It only modifies running processes, which makes it really easy and quick to apply and remove patches without even relaunching applications, much less restarting your computer. Patching is done instantly and (if you want) silently, and so is un-patching.

Normally, all applications are being patched, which allows 0patch to provide maximal protection. However, for troubleshooting purposes, any application can be manually excluded from patching. Such an application does not get any patches applied until it gets un-excluded.

Each patch, when downloaded from the server, is initially enabled, which means it is getting applied to processes it was designed for.

For troubleshooting purposes, any patch can be manually disabled, which causes its immediate removal from all processes in which it is applied, and prevents its application to newly launched processes. Naturally, a disabled patch can be manually re-enabled.

The 0patch Server can mark an installed patch revoked, which permanently disables the patch without an option to manually enable it. This usually happens because a better patch was issued for the vulnerability fixed by the revoked patch.

Patches are applied to processes by the 0patch Agent running on the computer. 0patch Agent must be registered on the 0patch Server in order to receive patches, and must be able to communicate with the 0patch Server (see details). To register 0patch Agent, one needs a 0patch account on the 0patch Server.

Once registered, 0patch Agent periodically contacts 0patch Server to see if any new patches are available - and downloads them if they are. We call this process syncing, i.e., synchronizing with server. (See this article for details about bandwidth consumption.)

0patch Agent also periodically sends telemetry data to the 0patch Server, allowing us to monitor for problems and usage in order to be able to provide a better service. Telemetry data includes computer name and platform, local IP address, data on applied and disabled patches, data on excluded applications, and whether the Agent is enabled or not. (See this article for an exhaustive list.)
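An added example (not 0patch code, and not its telemetry format): the rules above for when an installed patch is actually in effect, run over a constructed host inventory to list machines where a disabled Agent, a disabled patch or an excluded application leaves the original vulnerable code running. The record fields, patch identifiers, host names and the order in which reasons are checked are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Patch:
    patch_id: str          # constructed identifier, not a real 0patch patch number
    target_app: str        # executable the patch was designed for
    enabled: bool = True   # patches are enabled when first downloaded
    revoked: bool = False  # set by the server; cannot be re-enabled manually

@dataclass
class Host:
    name: str
    agent_enabled: bool
    excluded_apps: set = field(default_factory=set)  # lower-case executable names
    patches: list = field(default_factory=list)      # installed patches

def effective(host, patch):
    """Return (applied, reason) for one installed patch on one host."""
    # Check order is an assumption; it only decides which reason is reported.
    if not host.agent_enabled:
        return False, "agent disabled"
    if patch.revoked:
        return False, "revoked by server"
    if not patch.enabled:
        return False, "patch disabled"
    if patch.target_app.lower() in host.excluded_apps:
        return False, "application excluded"
    return True, "applied"

def coverage_gaps(hosts):
    """List (host, patch_id, reason) where a local setting keeps a patch out of effect."""
    gaps = []
    for h in hosts:
        for p in h.patches:
            ok, reason = effective(h, p)
            # Revocation is a server decision, not a local gap, so it is skipped.
            if not ok and reason != "revoked by server":
                gaps.append((h.name, p.patch_id, reason))
    return gaps

# Constructed sample inventory.
HOSTS = [
    Host("ws-01", True, set(), [Patch("P-1", "winword.exe")]),
    Host("ws-02", True, {"winword.exe"}, [Patch("P-1", "WINWORD.EXE")]),
    Host("ws-03", False, set(), [Patch("P-1", "winword.exe")]),
    Host("ws-04", True, set(), [Patch("P-1", "winword.exe", enabled=False),
                                 Patch("P-0", "winword.exe", revoked=True)]),
]

if __name__ == "__main__":
    for row in coverage_gaps(HOSTS):
        print(*row, sep="\t")
```

Each reported row is a host where the process runs its original code again, so these settings are worth reviewing once troubleshooting is over.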

To learn more about 0patch Agent, consult the User Manual.

Multiple 0patch Agents deployed in an organization's network can be centrally managed via cloud-based 0patch Central.


7 Comments

  • 0
    dejan

    Where is the uninstaller?

  • 0
    Mitja Kolsek

    You can uninstall 0patch Agent by either double-clicking the installation package (*.msi) that you used for installing it and selecting "Remove", or via Control Panel, as for any other installed application. Note that you will not be able to do the former in case you have updated the Agent at least once, as that effectively brings a new installation package on your computer which you can no longer uninstall with the original installation package. In such a case you should be able to find the current installation package in the %systemroot%\temp folder.

  • 0
    phototransformations

    This is an old post, so I'm commenting just to help out other users who have an issue I had with 0Patch. After installation and activation, a few days later, after much troubleshooting, I found that PowerShell no longer worked. This occurred on both a Windows 10 and Windows 11 installation. Uninstalled 0Patch. That it breaks PowerShell seems to me to be a significant oversight that outweighs any potential benefit.

  • 0
    Mitja Kolsek

    Hi phototransformations, thank you for reporting your problem. No users have ever reported problems with PowerShell before and we know many users - including ourselves - are using PowerShell on computers running 0patch. Therefore, I suspect some special situation on your computers that we haven't encountered before (perhaps some compatibility issue with other installed programs or computer configuration). We'd really like to investigate your problem so I took the liberty of creating a ticket from your post, which means you'll get an email to the address you used for registering here. With your assistance, we should be able to reproduce the problem and fix it. Thanks again!

  • 1
    Mitja Kolsek

    Follow-up to the above: With the kind help of phototransformations we were able to reproduce this issue and track it down to compatibility with Avast's Anti-Rootkit Shield. This article describes the problem and provides a workaround.

  • 0
    jasonbrown.journo

    Unrelated, just some feedback for team ui/ux - thank you for the explanation (in brackets) - that explained what was going on, perfect. 

  • 0
    Mitja Kolsek

    Thank you jasonbrown.journo, and thanks to users who had previously reported their justified confusion whether being unable to connect to server meant the patches are still being applied or not.
