There has been a recent spate of malvertising targeting popular downloads. These paid advertisements masquerade as legitimate download links for popular software packages. The files they serve up look legitimate, but they include software that you don’t want. Using a package manager is one way to avoid this problem. Chocolatey is the name of a good package manager for Windows. It sidesteps malvertising and solves other system maintenance problems for you too.
What is Chocolatey?
Chocolatey is a package manager for the Windows command line, similar in concept and use to apt in Debian Linux, yum in Red Hat Linux, and brew in Mac OS X, and for that matter, Microsoft’s own winget. You install Chocolatey by running a PowerShell command, and then after that, you can install a software package by typing a command like choco install firefox.
Sometimes Windows can be as easy as Linux.
I discovered Chocolatey by accident when researching something else. Then I built up a Windows machine for the first time in about a year and a half, so I didn’t have recent downloads of any of the software I wanted to run on that machine. But it didn’t matter. Chocolatey had packages for every last one of them. So rather than doing a dozen Google searches, all I had to do was type choco install followed by the names of whatever I wanted. Easy.
Not only that, it handles dependencies for you. So if the software you need requires a Visual C runtime and 78 different Microsoft KBs before it will run, Chocolatey will download and install all of them for you.
Updating software with Chocolatey
And choco isn’t just an installer. The vulnerability management professional in me is fond of reminding people that managing software isn’t the same as just installing it. You have to keep it up to date afterward. And if there is one thing that SCCM is phenomenally bad at, it’s keeping third party software up to date.
Chocolatey solves that problem too. As long as you installed the software with Chocolatey to begin with, you can update it with the command choco upgrade all. It will then look through every package you installed with it, and install the newer version if there is one.
And if your software auto updated on you, no worries. I tested that. Like 3 days after I installed Firefox, version 109, a new version 109.1 with security updates was released. Firefox applied it automatically. When I ran choco upgrade all, it noticed that Firefox had already updated and left it alone. It just moved on to the next thing without a complaint.
Chocolatey is free for personal use, and I’m going to use it on all of my personal systems from now on. You can pay for commercial support and use it for business, and I would recommend that. It will save you a tremendous amount of time when building systems, since it automates installing the vast majority of popular applications for Windows, both first and third party. It ensures that all of them are installed the same way, which makes troubleshooting at scale considerably easier.
And it means you only have to run one command as part of your Patch Tuesday routine to update all of your third-party software. And it logs everything.
I’m not being paid a single cent to say this, but look into using Chocolatey at work. This isn’t a paid endorsement. It’s a recommendation from a security professional who knows that for-profit corporations succeed at updating their systems 10% of the time, which is abysmally terrible. This is a situation that has existed for 20 years, and isn’t getting any better. If you can figure out how to migrate your build process to use Chocolatey and run the command choco upgrade all in a distributed fashion across all of your systems while complying with your change control process, you can go a long way towards solving that problem, and you can do so affordably.
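A Patch Tuesday routine built around the choco upgrade all command described above, as an added PowerShell example that is not from the original post or the Chocolatey project. It assumes Chocolatey is already installed with choco.exe on PATH; the -WhatIf switch (a preview-only run you can attach to a change request) and the log path are my own choices.

```powershell
# Patch Tuesday third-party update run using Chocolatey (added example).
# Assumes choco.exe is already installed and on PATH.
param(
    [switch]$WhatIf,                 # preview only: report what would change, install nothing
    [string]$LogPath = "$env:ProgramData\choco-patch-tuesday.log"   # assumed log location
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

if (-not (Get-Command choco.exe -ErrorAction SilentlyContinue)) {
    throw "choco.exe not found; install Chocolatey first."
}

# 1. Inventory: which Chocolatey-managed packages have a newer version available?
#    --limit-output prints one 'name|installed|available|pinned' line per package.
$outdated = choco outdated --limit-output |
    ForEach-Object {
        $f = $_ -split '\|'
        if ($f.Count -ge 4) {
            [pscustomobject]@{ Name = $f[0]; Installed = $f[1]; Available = $f[2]; Pinned = [bool]::Parse($f[3]) }
        }
    }

if (-not $outdated) { Write-Log "No outdated Chocolatey packages."; return }

foreach ($p in $outdated) {
    $note = if ($p.Pinned) { " (pinned, will be skipped)" } else { "" }
    Write-Log ("Outdated: {0} {1} -> {2}{3}" -f $p.Name, $p.Installed, $p.Available, $note)
}

# 2. Change-control gate: with -WhatIf we stop after producing the evidence above.
if ($WhatIf) { Write-Log "WhatIf set; no packages upgraded."; return }

# 3. Upgrade everything that is not pinned. Packages a vendor auto-updater already
#    moved to the latest version are detected as current and skipped, as the post notes.
choco upgrade all -y --limit-output | ForEach-Object { Write-Log $_ }

# Chocolatey exit codes: 0 = success, 1641/3010 = success but a reboot is pending.
switch ($LASTEXITCODE) {
    0       { Write-Log "Upgrade run finished." }
    1641    { Write-Log "Upgrade finished; an installer initiated a reboot." }
    3010    { Write-Log "Upgrade finished; reboot required." }
    default { Write-Log "choco upgrade returned $LASTEXITCODE; see $env:ProgramData\chocolatey\logs\chocolatey.log"; exit $LASTEXITCODE }
}
```

Run it once with -WhatIf to capture the outdated list for your change record, then without it during the approved window; Chocolatey's own log under ProgramData keeps the per-package detail.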
What do you think about winget / winstall?
I’ve used them and they’re useful, but Chocolatey has a much larger collection of packages, so I prefer it at this point.