Channel: Shavlik User Community : All Content - Ivanti Patch for Windows

How to shrink a database


 

                 

Purpose

 

This document outlines the process of shrinking the Shavlik Protect database.

 

Note: To shrink the Shavlik Protect or VMware vCenter Protect database, SQL Server Management Studio must be installed. You may install it by selecting the link below that corresponds to your Microsoft SQL Server version:

 

    •   SQL Server 2005 Express

    •   SQL Server 2008 Express

    •   SQL Server 2008 R2 Express

    •   SQL Server 2012 Express

 

 

                 

Steps

 

  1. Open Microsoft SQL Server Management Studio.
  2. Connect to the appropriate SQL Server instance and log in with the appropriate credentials. This is [hostname]\SQLEXPRESS by default and uses Windows Authentication.
  3. Expand the 'Databases' portion on the left-hand side of the screen by clicking the '+' sign.
  4. Right-click on the 'Protect' database. Select 'Properties'.

1-properties.png

  5. Within the Database Properties window, select 'Options' on the left-hand side of the screen.

2-options.png

  6. Within this screen set the 'Recovery model' option to 'Simple'.

3-simple.png

  7. Click 'OK'.
  8. Right-click on the 'Protect' database. Select 'Tasks' then 'Shrink' and select 'Database' from the submenu.

4-shrink.png

  9. Within the new window, click 'OK'.
  10. The window will close when the database shrink process has been completed.
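
The same procedure in script form, as an added example that is not part of the original article or a Shavlik tool. It records the recovery model and file size before the change so the previous model can be set back if log backups depend on it. Invoke-ProtectDbShrink is a hypothetical helper name; the instance and database names are the defaults given above, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: script form of the SSMS steps above. Invoke-ProtectDbShrink is a
# hypothetical helper name; instance and database names are the page's defaults.
function Invoke-ProtectDbShrink {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $Instance = "$env:COMPUTERNAME\SQLEXPRESS",
        [string] $Database = 'Protect'
    )

    # The name is spliced into T-SQL below, so accept plain identifiers only
    if ($Database -notmatch '^[A-Za-z0-9_]+$') {
        throw "Unexpected database name: $Database"
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=$Database;Integrated Security=True"
    $conn.Open()   # Windows Authentication, as in the GUI procedure
    try {
        # Small helper: run one statement and return the first value of the result
        $run = {
            param([string] $Sql)
            $cmd = $conn.CreateCommand()
            $cmd.CommandText    = $Sql
            $cmd.CommandTimeout = 0      # no timeout: a shrink can run for a long time
            $cmd.ExecuteScalar()
        }
        # sys.database_files reports size in 8 KB pages; convert to MB
        $sizeSql  = 'SELECT SUM(CAST(size AS bigint)) * 8 / 1024 FROM sys.database_files'
        $modelSql = "SELECT recovery_model_desc FROM sys.databases WHERE name = N'$Database'"

        $sizeBefore  = & $run $sizeSql
        $modelBefore = & $run $modelSql

        if ($PSCmdlet.ShouldProcess("$Instance/$Database", 'Set recovery model SIMPLE and shrink')) {
            # 'Recovery model' = Simple on the Options page
            [void](& $run "ALTER DATABASE [$Database] SET RECOVERY SIMPLE")
            # Tasks > Shrink > Database
            [void](& $run "DBCC SHRINKDATABASE (N'$Database')")
        }

        [pscustomobject]@{
            Database            = $Database
            RecoveryModelBefore = $modelBefore
            RecoveryModelAfter  = & $run $modelSql
            SizeMBBefore        = $sizeBefore
            SizeMBAfter         = & $run $sizeSql
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Preview without changing anything, then run for real:
# Invoke-ProtectDbShrink -WhatIf
# Invoke-ProtectDbShrink
```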

Agent Status and Corresponding Icons


 

                 

Purpose


This document outlines the symbols associated with an agent's status.

 

                 

Symptoms

 

activeagent.jpg

The agent is active on the machine.

 

inactive.jpg

The agent is not active on the machine.

 

remdagent.jpg

The agent has been removed from the machine.

 

Agenterr.jpg

The agent has reported an error.

 

                 

Affected Product(s)


Protect Version: All

Cannot fully comunicate with the console service (2040453)

Symptoms

 

When using Shavlik Protect Standard, you receive an error pop-up stating: "Shavlik Protect Standard cannot fully comunicate with the console service.  Some tasks requiring the console service will be unavailable until the service can be reached."

 

 

Cause

 

When Protect's components try to reach the console service, they fail to communicate with it.

There can be many reasons why this may happen. The steps listed below should help find the root cause of the error and fix it.

 

 

Resolution

 

To fix this error you may need to follow the steps for one of the reasons listed below, or you may need to go through each one. The possible resolutions are listed in order from most common to least common.

 

If you are using a Proxy for web connections you need to bypass the proxy for local addresses

Here's how to set this:

  • On the Protect console system go into Internet Explorer > Tools > Internet Options > Connections > LAN Settings.
  • Put a check in the box for 'Bypass proxy server for local addresses'.

 

Note: If you are using a passthrough proxy you may need to enter the proxy information in, set the bypass, save the settings, and then come back in and remove the settings. This has been known to put the bypass into place even for passthrough proxies.

 

If you are unsure if you are using a proxy, you can try running the below listed commands from a command prompt screen (based on operating system level):

  • Windows 7/2008/Vista 32-bit:
    netsh winhttp show proxy
  • Windows 7/2008/Vista 64-bit:
    %windir%\SysWOW64\netsh winhttp show proxy
  • Windows XP/2003 32-bit:
    proxycfg
  • Windows XP/2003 64-bit:
    %windir%\SysWOW64\proxycfg

 

The Shavlik Protect Console service may be failing to connect to the database, in turn failing to properly start

This will also cause Protect to be unable to communicate with the service. This will usually only happen when using a remote SQL server for your Protect database.

 

To fix this:

  • Close Protect.
  • Go to Start > All Programs > Shavlik Protect > Database Setup tool.
  • Choose to use your existing database.
  • On the Database Configuration screen you will need to provide alternate credentials for the console service connection to the database. You would need to provide an account that has administrative access to the Protect database on the SQL server.

 

.NET, in conjunction with Protect's components, is not honoring the settings to bypass a proxy for local addresses.

You can manually enter the bypass for the proxy into the config files for Protect. This works because Protect will look to our config files prior to checking the IE settings or WinHTTP settings for the proxy.

 

How to do this:

  • Locate the files:
    - C:\Program Files\LANDesk\Shavlik Protect\ST.Protect.exe.config
    - C:\Program Files\LANDesk\Shavlik Protect\ST.ServiceHost.exe.config
    Note 1: If you are on a 64 bit system they will be in the Program Files (x86) folder. You may also need to go into your Folder Options > View settings and enable 'Show hidden files, folders, and drives' as well as uncheck the 'Hide extensions for known file types' option.
    Note 2: You should back up these files before changing them by copying them to a separate folder.

  • Modify the "ST.ServiceHost.exe.Config" file, adding the following section within the "configuration" tags, at the bottom of the document:
    <system.net>
      <defaultProxy>
        <proxy proxyaddress="http://**PROXY**:**PORT**" bypassonlocal="true" />
        <bypasslist>
          <add address="127.0.0.1" />
          <add address="**PROTECT_CONSOLE_SYSTEM_NAME**" />
        </bypasslist>
      </defaultProxy>
    </system.net>

  • Modify the "ST.Protect.exe.config" file, adding the following section within the existing "system.net" tags:
    <defaultProxy>
      <proxy proxyaddress="http://**PROXY**:**PORT**" bypassonlocal="true" />
      <bypasslist>
        <add address="127.0.0.1" />
        <add address="**PROTECT_CONSOLE_SYSTEM_NAME**" />
      </bypasslist>
    </defaultProxy>

  • Make sure to File > Save after updating each of these files. Once this is done make sure to open services.msc, and perform a Restart on the Shavlik Protect Console service. Then you can re-open Protect, and test to see if it works.
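
One way to apply the edit above without hand-editing XML, as an added example that is not part of the original article or a Shavlik tool. It backs up the file, reuses an existing system.net element (ST.Protect.exe.config) or creates one (ST.ServiceHost.exe.config), and can be re-run without duplicating the section. Set-ProtectProxyBypass is a hypothetical helper name, and PROXY, PORT and the console name are placeholders to fill in.

```powershell
# Added example: idempotently write the <defaultProxy> section described above.
# Set-ProtectProxyBypass is a hypothetical helper name, not a Shavlik tool.
function Set-ProtectProxyBypass {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ConfigPath,
        [Parameter(Mandatory)] [string]   $ProxyAddress,    # http://PROXY:PORT
        [Parameter(Mandatory)] [string[]] $BypassAddress    # 127.0.0.1, console system name
    )

    $resolved = (Resolve-Path -LiteralPath $ConfigPath -ErrorAction Stop).ProviderPath

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($resolved)

    $config = $xml.SelectSingleNode('/configuration')
    if ($null -eq $config) { throw "No <configuration> root element in $resolved" }

    # Reuse an existing <system.net>, or create one at the bottom of <configuration>
    $systemNet = $config.SelectSingleNode('system.net')
    if ($null -eq $systemNet) {
        $systemNet = $config.AppendChild($xml.CreateElement('system.net'))
    }

    # Drop any earlier <defaultProxy> so a re-run does not duplicate the section
    $old = $systemNet.SelectSingleNode('defaultProxy')
    if ($null -ne $old) { [void]$systemNet.RemoveChild($old) }

    $defaultProxy = $systemNet.AppendChild($xml.CreateElement('defaultProxy'))
    $proxy = $defaultProxy.AppendChild($xml.CreateElement('proxy'))
    $proxy.SetAttribute('proxyaddress', $ProxyAddress)
    $proxy.SetAttribute('bypassonlocal', 'true')

    $bypassList = $defaultProxy.AppendChild($xml.CreateElement('bypasslist'))
    foreach ($address in $BypassAddress) {
        $add = $bypassList.AppendChild($xml.CreateElement('add'))
        $add.SetAttribute('address', $address)
    }

    if ($PSCmdlet.ShouldProcess($resolved, 'Back up and write defaultProxy section')) {
        # Timestamped copy beside the original, per Note 2 above
        $backup = "$resolved.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
        Copy-Item -LiteralPath $resolved -Destination $backup
        $xml.Save($resolved)
        Write-Output "Updated $resolved (backup: $backup)"
    }
}

# Preview against both files (use "Program Files (x86)" on 64-bit systems):
# $dir = 'C:\Program Files\LANDesk\Shavlik Protect'
# 'ST.ServiceHost.exe.config', 'ST.Protect.exe.config' | ForEach-Object {
#     Set-ProtectProxyBypass -ConfigPath (Join-Path $dir $_) `
#         -ProxyAddress 'http://PROXY:PORT' `
#         -BypassAddress '127.0.0.1', 'PROTECT_CONSOLE_SYSTEM_NAME' -WhatIf
# }
```

Remove -WhatIf to write the change, then restart the Shavlik Protect Console service from services.msc as described above.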

 

Other items worth checking

  • Ensure that inbound TCP port 3121 is allowed on the Protect console system.
  • Make sure the Protect console system is able to resolve itself.
  • Make sure the hosts file does not contain invalid information. This is located in C:\Windows\System32\drivers\etc

 

 

Impact/Risks

 

  • If you edit the information in the config files as mentioned in step three, be aware that you have now hardcoded the information that Protect uses for your proxy.
  • If you make changes on your network you may need to go back and edit these files again at a later date.

 

 

Affected Product(s)

 

  • Shavlik Protect Standard 9.X

Patching more than two hosts in parallel


Hi Folks,

 

I'm new to Shavlik and am experimenting with patching a subset of management servers using Shavlik under the 30 day trial.

 

When running a deployment on say 10 servers discovered via vsphere, which are all in the one machine group using the same deployment template, the servers will only patch 2 at a time. So patches won't start installing on subsequent machines until the entire cycle including reboots has finished on the 1st two servers. I'd like deployment, installation and reboot of machines to be in parallel across the whole machine group. As some of our production environments contain hundreds of servers of the same type that should be patched together, doing 2 at a time will exceed maintenance windows.

 

Is this a limitation of the trial or am I doing something wrong?

 

Cheers.

 

Edit: Sorry should add I want to deploy without agents if possible.

Invalid source file path error.


We updated our patching policies a few weeks ago and found that many systems are still showing a great deal of missing patches. After inspecting various STPatch.log files it seems that all of the missing patches have ended up on the "retry" list and are therefore being skipped. After clearing this list on a client workstation then running a patch scan I'm seeing an odd error I don't know how to fix. It seems the patch is downloading fine but upon extraction it's failing to find the file. This seems new to us. Any advice?

 

error.PNG

Launch Interface - Error - Initialize License Fails


 

                 

Symptoms


Launching the Protect Interface crashes the Console Service.
Error found in ST.Protect.Managed:

 

Server stack trace:
   at ST.BusinessObjects.Capabilities.Licensing.InitializeLicense()
   at System.Lazy`1.CreateValue()

 

Exception rethrown at [0]:
   at ST.BusinessObjects.Capabilities.Licensing.InitializeLicense()
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.LazyInitValue()
   at ST.BusinessObjects.Capabilities.Licensing.CheckLicenseGetCapability(Int32 capabilityType)
   at ST.Protect.Forms.Workflow.PatchAutoDeployConfiguration.SetScheduleType(ScheduleType value)
   at ST.Protect.Forms.Main.MainPanel..ctor()
   at ST.Protect.Forms.Main.MainForm.CreateMainPanel()
   at ST.Protect.Forms.Main.MainForm..ctor()
   at ST.Protect.Launcher.ExecuteMain()
   at ST.Protect.Launcher.ExecuteInMutex(Action action, String mutexName)
   at ST.Protect.Launcher.Main()

 

 

                 

Cause


The Protect license record/activation key has become corrupted.

                 

Solution


Make a backup of the Registry

  1. Navigate to the Activation key:
    • HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\Shavlik Protect\Console\Activation
  2. Locate the string 'AK' which contains the Activation Key. Right-click the 'AK' string, and choose Modify.

1-modify.png

  3. In the Edit String window, copy the Value Data. This is your Activation Key and will be used to re-activate the console.

2-edit string.png

  4. Delete the registry key 'Activation':
    • HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\Shavlik Protect\Console\Activation

Note: Once the Activation key has been deleted, Protect will need to be licensed again.

  5. Launch Protect, and at the Shavlik Protect Activation screen, enter your previously copied Activation Key (step 3).
    1. If the console has internet connectivity, activate online.
    2. If the console has NO internet connectivity, perform an Offline Activation.

 

 

                 

Affected Product(s)


Shavlik Protect 8.x
Shavlik Protect 9.x

Scheduled Tasks - Daylight Savings Time


 

                 

Purpose


This article covers how Daylight Savings may affect Scheduled Tasks.

 

Note: Though tested, results may vary by OS, and regional preferences.
A workaround is to delete the current scheduled task, and re-schedule it 5 minutes before or after the change to suit your needs.

 

 

                 

Symptoms

 

Daylight Savings Beginning

If a task is scheduled to execute at the point Daylight Savings Time Begins, the clock will reach 2:00 am, initiate the task, and then the clock will skip forward to 3:00 am.

Daylight Savings Ending

If a task is scheduled to execute at the point Daylight Savings Time ends, the clock will reach 2:00 am, initiate the task, and then the clock will roll back to 1:00 am.

"Failed Signature Check" often..


I'm seeing many patches, primarily Microsoft, that keep failing on the download. They seem to fail with an error of "failed signature check." If I Google the missing files, download them myself, then put them in the patches folder, then attempt to download missing patches again, the file is no longer downloaded as it sees the file I put there and gives it the virtual thumbs up so to speak.

 

So what's going on here in the console? Why does it keep getting a failed signature check on these files? It seems if I keep trying, eventually they may download but it's hit or miss.

 

12-2-2013 11-22-46 AM.png


Questions on DOC-23055, remove snapshots


http://community.shavlik.com/docs/DOC-23055 outlines a way to remove snapshots by faking another patch job shortly after the real one.  What I don't understand however, is in step 4, it says "You need to set this to take pre-deployment snapshots as well".  Would not the fake job create another snapshot after removing the previous one?

SQL bounce and sanity check


When both options, SQL and sanity check are selected, what is the exact order of operations?

 

Does SQL get stopped before the sanity check reboot and stay down for the duration of patching?

 

Does SQL bounce (start back up), and then go down for the patching?

 

My gut tells me it is the latter, not the former.

Gathering a DPD Trace


 

 

Purpose


This document outlines how to run a DPDTrace. This may be necessary when troubleshooting detection issues.

 

 

Steps

 

DPD stands for Dynamic Product Detection. It’s the method our scan engine uses to determine what supported products are installed on the machine. This tool was created for troubleshooting patch scan issues where we need to know what is going on during the DPD process.

 

Note: .NET Framework v4.0.30319 or newer needs to be installed for this to work.

 

 

  1. Download DPDTrace.zip and extract the file into a folder on the root of C:\
  2. Read Disclaimer.txt.
  3. Open Command Prompt and change directory to the DPDTrace folder.

 

cd directory.png

 

  4. Enter the following command, replacing {MACHINE_NAME}, {ADMIN_USER_NAME}, {PASSWORD} and {PATCHTYPE} with corresponding values. ({MACHINE_NAME} has to be the target machine that is having the detection problem.)
          DPDTrace.bat {MACHINE_NAME} {ADMIN_USER_NAME} {PASSWORD} {PATCHTYPE} {VERSION}
Notes:
  • VERSION is optional. If it is not specified, it will use the 9.0.651 scan engine. Possible values:
    • 7.8.5
    • 8.0.43
    • 9.0.651
  • Failure to supply any one of these values ({MACHINE_NAME}  {ADMIN_USER_NAME} and {PASSWORD}) will cause the test to fail.
  • {ADMIN_USER_NAME} needs to be in the format domain\username
  • {PATCHTYPE} has the following possible values:
    • 1  - Security patches
    • 4  - Security tools
    • 8  - Non-Security patches
    • 9  - Security and non-security patches
    • 13 - Security, non-security and tools
  • If you want to use a specific hf7b.xml, just copy it into the Extracted folder\HF7B.

 

run.png

 

6.      When the command line is run, a window titled 'Rename HF.1 Log' will appear with an OK button. Do not close this window as the scan continues.

 

rename prompt.png

 

 

7.     When the scan has completed the command prompt window will say 'Test Complete  Please zip up HFCLi folder and send it back to us'. At this point zip the directory "C:\DPDTrace\HFCLI" and send it back for analysis.

 

complete.png

MSWU-819 - KB2826026 / MSWU-808 - KB2760758


Patches kb2826026 & kb2760758 are scanned as missing by Shavlik patch analysis on servers with "Microsoft Access database engine 2010" installed but patch installation cannot be done.

-> Error during installation: "The expected version of the product was not found on the system".

 

Has anyone seen any known issues with these patches?

MS11-025 reporting missing after last patching


Hi,

 

after the last patch sequence (patches added on Nov 12) an old patch, MS11-025, which was installed on all servers years ago, is now reporting missing on about 50% of the servers.

Feature Request: Patch Supersedence in Defined Patch Groups


These are my comments moved over from this thread: http://community.shavlik.com/docs/DOC-2156#comment-28129

 

The issue is that when using defined patch groups, time is wasted by installing patches that aren't really needed to bring an application up to the current level. This seems to work as intended if you don't define your patch groups but if you do, you can see what happens below.

 

Feature request ID: RE-1921

 

--


v9.0.0 Build 1182

 

I uninstalled Chrome on my test VM. Then ran a patch scan, no patches missing.

12-4-2013 8-41-36 AM.png

 

I then installed an old version of Chrome, 65.39.89.

12-4-2013 8-44-01 AM.png

 

I then ran another patch scan, 35 missing patches, all Chrome, it then downloads all 35.

12-4-2013 8-45-16 AM.png

12-4-2013 8-47-38 AM.png

Then after my pre-deployment reboot, all 35 proceed to install. The logic isn't there to just apply the latest skipping the outdated 34 previous patches.

 

12-4-2013 8-59-11 AM.png

There you go, it seems to waste a bunch of time applying (or attempting to apply) patches that it could be skipping only due to my choice of using defined patch groups (my v013.011.001 group) which contains all Security Patches that have been released up to any given date. In my example, this patch group would contain every security patch in the database with a release date prior to 11-1-2013.

SQL Server Query Operation Timed Out


The past few times when performing a security patch scan I receive this SQL error.

"A database operation failed.  Please verify you can connect to the configured database."

"A SQL Server query operation timed out.  Consider increasing the command timeout in the configuration file."


Since I was not the person who installed/setup Shavlik, I'm not too sure where to begin looking to resolve this issue.  All scans I have done (about 6-7 since this error popped up) have turned out OK, all machines that are normally scanned are successfully scanned, and I have been able to push patches just fine, however I don't want this error to bite me in the long run.  If someone could point me in the right direction I would appreciate it.  I have linked an attachment of the error message below.

 

Thanks in advance


Machines with Multiple NICs and IP addresses


I have an environment that has PCs with multiple NICs and IP addresses.  I also use Hamachi to create a VPN session back to the Shavlik Protect Console.  When I add an agent or scan a machine remotely, the IP address that shows up for the machine is not always the correct IP Address (Hamachi).  On our machines we use the advanced feature in the NIC configuration to prioritize the order of the NICs. Hamachi is not first in line and cannot be first.  I currently have an agent that lists the main NIC IP Address for deploying patches (10.0.0.0).  In the Machine view it lists the Hamachi 25.0.0.0\24 address.  I can communicate with the agent without issues but cannot deploy patches due to the wrong IP Address showing in the patch deployment screen.

 

Is there a way to modify the IP Addresses for an agent on the console and also is there a way to tell Shavlik which IP address to use?

 

202 Hamachi.PNG202 Hamachi2.PNG

 

Any Help would be greatly appreciated.

 

Bill

Email reports not generated after Agent Patch Scan


 

                 

Purpose


Email reports not generated after Agent Patch Scan.

 

                 

Steps to Reproduce

 

Email Reports are enabled in a Patch Scan template under the email tab.

The report is not generated when the Patch Scan template is in an Agent Policy.

The report is generated successfully when the same Patch Scan template is used in an agentless scan.

 

                 

Solution

 

The email notification tab in a patch scan template only applies to agentless scans and deployments initiated from the console; it does not apply to tasks started by agents that may also be using the same patch scan template.

 

                 

Affected Product(s)


Product Version: All

Pre-Deployment Snapshots of Virtual Machines are not taken when enabled in Deployment Template


 

                 

Symptoms


Virtual machines are visible in the machine group  under the Hosted Virtual Machine tab.  The Pre-Deployment Snapshot option is enabled in the deployment template. Pre-Deployment Snapshots are not being taken.

 

                 

Cause


The administrator did not add the Virtual Machine to the Machine Group through the Hosted Virtual Machines tab.

 

 

                 

Solution


Add Virtual Machines to the Machine Group using the Hosted Virtual Machine Tab as found under Adding Virtual Machines to a Machine Group of the Protect Administration Guide: http://www.shavlik.com/uploadedFiles/Support/Online_Documentation/Shavlik_Protect_90/administration-guide.pdf

 

 

                 

Affected Product(s)


Protect Version: All

Sending updates to Agents on the Cloud returns Agent didn't respond


 

                 

Symptoms


Sending updates to Agents on the Cloud returns message: "Agent didn't respond."

 

                 

Cause


The Agent didn't respond message refers to communication on a local network and does not refer to synchronization with the Cloud Server.  Administrators should expect this message if they are updating agents outside of the firewall through the Protect Cloud.  For more information on Cloud Agents see http://www.shavlik.com/support/Protect90HTMLHelp/Installing_Agents_from_the_Cloud.htm

 

 

                 

Affected Product(s)


Shavlik Protect 9.x
vCenter Protect 8.x

Protect Console Service Crashes Frequently


                 

Symptoms


Shavlik Protect Console Service crashes frequently and/or will not stay started.

                

Potential Cause


An accumulation of files in the 'BadFiles' directory or the 'NonRoutable' directory can cause the Console Service to fail to stay started.

                

Resolution


Navigate to the Arrivals Directory. Any files that are located within a BadFiles directory or the NonRoutable directory should be deleted.

  • Vista & Newer: C:\ProgramData\LANDesk\Shavlik Protect\Console\Arrivals
  • XP/2003: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Console\Arrivals

 

CLI to delete all files in Arrivals Directory

NOTE: Ensure you enter the directory of the Arrivals path exactly. This command will delete all files in all subdirectories of the directory indicated. Running command line statements is done at the user's own risk.

 

 

The following command can be run in a command prompt to delete all files within the Arrivals directory.

 

Open command prompt and enter the following command replacing  {PATH_TO_ARRIVALS} with the literal path to your console system's Arrivals directory.

    • del {PATH_TO_ARRIVALS}\*.* /S /Q > C:\Deleted_Arrivals_Files.txt

    Example:

      • del "C:\Programdata\LANDesk\Shavlik Protect\Console\Arrivals"\*.* /S /Q > C:\Deleted_Arrivals_Files.txt

       

      Note: The redirect to a text file (i.e. > C:\Deleted_Arrivals_Files.txt) is optional.
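
A narrower alternative to the del command above, as an added example that is not part of the original article or a Shavlik tool. It deletes only files under directories named BadFiles or NonRoutable, which is what the Resolution text calls for, refuses to run against a directory that is not named Arrivals, and supports -WhatIf. Clear-ProtectArrivalsBacklog is a hypothetical helper name; PowerShell 3.0 or later is assumed.

```powershell
# Added example: delete only files under BadFiles / NonRoutable, not all of Arrivals.
# Clear-ProtectArrivalsBacklog is a hypothetical helper name, not a Shavlik tool.
function Clear-ProtectArrivalsBacklog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Vista & newer path from the article; pass the XP/2003 path where needed
        [string] $ArrivalsPath = 'C:\ProgramData\LANDesk\Shavlik Protect\Console\Arrivals',
        [string] $LogPath      = 'C:\Deleted_Arrivals_Files.txt'
    )

    $root = (Resolve-Path -LiteralPath $ArrivalsPath -ErrorAction Stop).ProviderPath

    # Guard against a mistyped path: the resolved directory must itself be named Arrivals
    if ((Split-Path -Path $root -Leaf) -ne 'Arrivals') {
        throw "Refusing to run: '$root' is not an Arrivals directory."
    }

    # Every BadFiles or NonRoutable directory at any depth below Arrivals
    $targets = @(Get-ChildItem -LiteralPath $root -Directory -Recurse |
        Where-Object { $_.Name -in 'BadFiles', 'NonRoutable' })

    $deleted = 0
    foreach ($dir in $targets) {
        foreach ($file in Get-ChildItem -LiteralPath $dir.FullName -File -Recurse) {
            if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete')) {
                Remove-Item -LiteralPath $file.FullName -Force
                # Same role as the optional redirect to a text file in the del command
                Add-Content -LiteralPath $LogPath -Value $file.FullName
                $deleted++
            }
        }
    }

    [pscustomobject]@{
        ArrivalsPath = $root
        Directories  = $targets.Count
        FilesDeleted = $deleted
        Log          = $LogPath
    }
}

# List what would be removed, then remove it:
# Clear-ProtectArrivalsBacklog -WhatIf
# Clear-ProtectArrivalsBacklog
```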

       

                       

      Affected Product(s)


      Protect Version: All
