Understanding 0patch

mitja.kolsek -

Software products often contain vulnerabilities - flaws that allow attackers to take control of one's computer. Usually software vendors provide official fixes for vulnerabilities in their products. But sometimes they don't because a product is no longer supported, or are slow at it, resulting in publicly known vulnerabilities that start getting exploited and users can't do anything to protect themselves. This is where we step in.

A patch (also called a micropatch due to its tiny size) is a small package with a few code instructions that replace a vulnerable section of code in a running application. A patch therefore fixes a vulnerability.

A patch is considered installed as soon as it is downloaded from the server and stored in a local database. This does not automatically mean that it is applicable to your computer, only that it is there waiting to be used in case it is needed.

An installed patch can get applied to a running process in order to eliminate a vulnerability in that process. This means that the vulnerable code section in the process is replaced with corrected code form the patch. Normally, a patch always gets applied to the vulnerable process it was designed for, but this can be prevented by either disabling the patch, excluding an application from patching, or disabling the 0patch Agent.

When a patch is removed from a running process, the corrected code from the patch is removed, and the original (vulnerable) code is restored in the process. Consequently, the process again becomes vulnerable to the attack previously blocked by the patch.

0patch does not change executable files on the file system. It only modifies running processes, which makes it really easy and quick to apply and remove patches without even relaunching applications, much less restarting your computer. Patching is done instantly and (if you want) silently, and so is un-patching.

Normally, all applications are being patched, which allows 0patch to provide maximal protection. However, for troubleshooting purposes, any application can be manualy excluded from patching. Such application does not get any patches applied until it gets un-excluded.

Each patch, when downloaded from the server, is initially enabled, which means it is getting applied to processes it was designed for.

For troubleshooting purposes, any patch can be manually disabled, which causes its immediate removal from all processes in which it is applied, and prevents its application to newly launched processes. Naturally, a disabled patch can be manually re-enabled.

The 0patch Server can mark an installed patch revoked, which permanently disables the patch without an option to manually enable it. This usually happens because a better patch was issued for the vulnerability fixed by the revoked patch.

Patches are being applied to processes by the 0patch Agent running on the computer. 0patch Agent must be registered on the 0patch server in order to receive patches, and must be able to communicate with 0patch server (see details). To register 0patch Agent, one needs a 0patch account on the 0patch Server.

Once registered, 0patch Agent periodically contacts 0patch Server to see if any new patches are available - and downloads them if they are. We call this process syncing, i.e., synchronizing with server. (See this article for details about bandwidth consumption.)

0patch Agent also periodically sends telemetry data to 0patch server, allowing us to monitor for problems and usage in order to be able to provide a better service. Telemetry data includes computer name and platform, local IP address, data on applied and disabled patches, data on excluded applications and whether Agent is enabled or not. (See this article for an exhaustive list.)

To learn more about 0patch Agent, consult the User Manual.

Multiple 0patch Agents deployed in an organization's network can be centrally managed via cloud-based 0patch Central.

Have more questions? Submit a request


  • 0

    Where is the uninstaller?

  • 0

    You can uninstall 0patch Agent by either double-clicking the installation package (*.msi) that you used for installing it and selecting "Remove", or via Control Panel, as for any other installed application. Note that you will not be able to do the former in case you have updated the Agent at least once, as that effectively brings a new installation package on your computer which you can no longer uninstall with the original installation package. In such case you should be able to find the current installation package in %systemroot%\temp folder.

Please sign in to leave a comment.