This document outlines the various ways to activate the Protect Console.  These methods are also used when the protect subscription has been renewed and the license needs to be refreshed.

Help > Enter/Refresh license key

Shavlik Protect Activation window

Select "Product or Bundle license".

If this is a new license, enter your activation key and select Add.

Choose "Online activation".

Click "Activate online now"

If you are refreshing a license, leave the existing key and click "Activate online now"

Select "Product or Bundle license".

If this is a new license, enter your activation key and select Add.

If you are refreshing a license, leave the existing key

Choose "Offline activation".

Click "Create Request"

The manual activation request file "LicensInfo.xml will be saved to your desktop.

Move the XML file to a computer with Internet access.

Go to: https://license.shavlik.com/OfflineActivation to upload the file, "LicenseInfo.xml".

The license portal will generate a license file for you to download and import

Select "Download Manual License" to download the manual license file and move it to the console computer

Within Shavlik Protect, select Help>Enter/refresh license key.

Import the processed license to the console by selecting  "Import manual license"'.

Click "select file" to browse for the file, ProtectLicense.xml, and click "Open".

Shavlik Protect will process the file and the program will be activated.

Choose "Trial Mode" and hit "Create request".

Note : if you have a proxy, in order to go through the Shavlik licensing servers you will need to configure the parameters inside the "configure proxy" dialog box.

Shavlik Protect 8.x
Shavlik Protect 9.x

This document is meant to provide a full overview of how credentials are entered, used, and work within the Shavlik Protect product.

Credential Precedence for Physical Machines and Online Virtual Machines

Initiating actions from the home page, from a machine group, or from a favorite

The home page, machine groups and favorites can be used to initiate actions, patch scans, asset scans, power management, and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:

1.   If one or more of the following are available,  the credential with the highest precedence will be used. The precedence order is as follows:  

   1. Machine-level credentials

   2. Group-level credentials

   3. Default credentials

Example: If machine-level credentials are not available but group-level and default credentials are available, the program will use the group-level credentials.

2.   If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

If neither of these credentials work, the scans and the power management tasks will fail.

One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.

Initiating an agent installation from a machine group

When using a machine group to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follows the same strategy as above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using machine-level, group-level, default, or explicitly supplied credentials.

Initiating actions from Machine View or Scan View

When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the program will attempt to authenticate to the target machines using a variety of credentials and will do so using the following strategy:

1.   If one or more of the following are available, the Protect console will try to authenticate using the credential with the highest precedence, where the precedence order is as follows:  

   1. Any manually or automatically assigned managed machine credentials (see the To Individual Machines in a Machine Group section in Supply Credentials for Machines (used if the scan credentials are invalid or missing, for example, if an agent performed the scan rather than the console)

2.   If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.

If neither of these credentials work then the action will fail.

Initiating an agent installation from Machine View or Scan View

When using Machine View or Scan View to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follows the same strategy as immediately above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using managed machine credentials, default credentials, or explicitly supplied credentials.

Credential Precedence for Offline Hosted Virtual Machines

Initiating actions from the home page, from a machine group, or from a favorite

The home page, machine groups and favorites can be used to initiate patch scans, asset scans, and power management actions and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each offline hosted virtual machine using the browse credentials.

Initiating actions from Machine View or Scan View

When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the credentials that will be used to authenticate to an offline virtual machine depends on the power state of the machine when it was initially scanned.

If a machine was originally scanned in offline mode

The program will attempt to authenticate using the browse credentials.

If a machine was originally scanned in online mode

The program will attempt to authenticate using a variety of credentials and will do so using the following strategy:

1.   Try using any manually or automatically assigned managed machine credentials

2. If the following are available, try to authenticate using the credential with the highest precedence, where the precedence order is as follows:

   1. The administrator credential from the machine group. If the administrator credential exists but fails, the default credentials will not be tried.

   2. Default Credentials (used if the scan credentials are invalid or missing (for example, if an agent performed the scan rather than the console))

3.   If the credentials used above do not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.

If none of these credentials work then the action will fail.

Defining Credentials

The Define Credential dialog can be accessed anywhere a credential is used within the Shavlik Protect interface (for example, from a machine group, from the Credentials Manager, etc.). It is used to specify a new user name and password pair that collectively define one credential. The credential is stored with strong encryption techniques. Only the administrator that creates the credential will be able to decrypt the credential and access it from within the program. If you elect to share the credential, however, it will be made available to other administrators as well as to Shavlik Protect service components.

Note: Credentials may be automatically defined for you during a product upgrade or when importing a machine group. Any credentials that are found during these processes are preserved and will be assigned friendly names according to their usage. The term Discovery filter is the friendly name assigned by the program to a machine group credential that it identifies during an upgrade or import process. Feel free to change the name to something that more closely reflects the usage of the credential in your organization.

Supplying Scan Credentials for Target Machines

Note: Browse credentials are slightly different from the scan credentials described in this section. Browse credentials are used by servers, domains, and organizational units to enumerate machines but do not actually authenticate to the individual machines.

This section provides information on how to define new scan credentials and how to assign the credentials to target machines. Credentials consist of a user name and password pair used to authenticate the program to specified target machines. One credential can be associated with any number of operations or entities. The credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.

The scan credentials you supply will be used to access remote machines, perform any scans, and push any necessary files. The supplied credentials will NOT be used to:

•   Authenticate to the local (console) machine

Rather, the program uses the credentials of the currently logged on user to authenticate to resources on the local machine. Therefore, in order to perform tasks on the local machine, make sure you log on using an account that has administrator and local machine access rights.

•   Perform a patch deployment

The machine credentials that you supply are used to provide access to the remote machine and to push the necessary patch deployment files. The actual deployment, however, will be run under the remote machine's Local System account.

You use a machine group to initially assign scan credentials to target machines. You can assign credentials to individual machines, to all machines in a machine group, or both. After a machine has been scanned and is contained in Shavlik Protect 's database of managed machines, you can use the Machine Properties dialog to assign different credentials if desired.

Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.

Assigning Credentials to Individual Machines in a Machine Group

To assign credentials to one or more machines in a machine group, in the bottom pane select the machines and then select Credentials > Set Admin Credentials.

On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.

When credentials are applied to the selected machines, the icon in the Admin Credentials column will become active. In addition, the name of the assigned credential is displayed next to the icon.

Assigning Credentials to All Machines in a Machine Group

To assign credentials to all machines in a machine group, in the top pane select Credentials > Set Credentials.

On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.

When credentials are assigned the icon will contain a check mark:

In addition, the button name will change to the name of the assigned credential.

Assigning Credentials to Virtual Machines

There are several different tabs that can be used to add virtual machines to a machine group. The credentials that will be used to scan and/or deploy patches to these machines depends on how the machines are defined to the group and on the current power state of each machine.

• Hosted Virtual Machines tab: Used to add virtual machines that are hosted by a server. The credentials used to scan each machine depends on the current power state of the machine. 

  • A hosted virtual machine that is offline at the time of a scan will be accessed using the server's browse credentials. Any individual credentials supplied for the machine are ignored.

• A hosted virtual machine that is online at the time of a scan will be accessed using scan credentials for that machine. See Assigning Credentials to Individual Machines in a Machine Group, above.

• Workstation Virtual Machines tab: Used to add offline virtual machines that reside on individual workstations. You should assign individual machine credentials for each virtual machine defined using this tab. If appropriate, credentials can also be assigned at the machine group level. The credentials are used during the mounting process and provide permission for Shavlik Protect to access the virtual machine files on the workstation. See Assigning Credentials to Individual Machines in a Machine Group, above. 

• Machine Name tab, Domain Name tab, or IP Address/Range tab: Used to add virtual machines that reside on individual workstations and that are online at the time of a scan. See Assigning Credentials to Individual Machines in a Machine Group, above.

Assigning New Credentials to Machines After They Have Been Scanned

After one or more machines have been scanned and are contained in Shavlik Protect 's database of managed machines, you can use the Machine Properties dialog to assign different credentials or to remove credentials.

There may be several reasons for providing different credentials to machines after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.

Managing Credentials

Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.

The Credentials Manager is used to manage all credentials used within the program. It is also used to set the default credential for the program.

Although you can supply new credentials from several different areas of the program, all of the credentials can be edited and deleted from this single location. This greatly simplifies the credentials management process. For example, if a password that is used to authenticate a specific group of machines changes, you simply use the Credentials Manager to update the associated credential. All items assigned to that credential are automatically updated with the new password.

To manage the credentials used by the program, select Manage > Credentials.

Managing Individual Machine Properties (Explicitly supplied credentials)

You can set explicit credentials for machines via View > Machines > Right Click a machine > Machine Properties.

Credential: Specifies the credential used when authenticating Shavlik Protect to the machine. The credential you supply here will override credentials specified in other areas of the program. If you select None you effectively remove the credential currently assigned to the machine.

There may be several reasons for providing different credentials to a machine after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.

How Shavlik Protect Manages Multiple Administrators

Shavlik Protect contains a number of built-in checks to guard against simultaneous and conflicting commands from different administrators. For example:

• The program will not allow duplicate group names or template names 

• The program will not allow simultaneous updates to any groups, templates, distribution servers, or agent policies by different administrators. If this situation should occur the second administrator will receive a warning message similar to the following:

• Only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of that task before the program will allow the administrator to continue.
  • Note: The 'Take Ownership' button is only displayed if you have two or more consoles that share one database. If your organization uses multiple Shavlik Protect consoles that share the same database, only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of the task before the program will allow the administrator to continue. Any existing maintenance tasks will be allowed to complete before ownership is transferred to another administrator.

Best Practices When Using Multiple Administrators

Recommendations

• You should upgrade your hardware platform by increasing the number of processors and the amount of installed memory on the console machine. This will increase performance in those instances when two or more administrators are logged on at the same time and performing tasks. 

  • Minimum suggested hardware requirements for two administrators: 2 processor cores and 4 GB RAM

  • For each additional administrator, add 1 processor core and 1 GB RAM

  • For a high performance system, use 16 processor cores and 32 GB RAM

• When two administrators log on to the same console they must use different accounts. The same account can be used only when logging on to different consoles.

• If you edit a group that is typically used by another administrator you should notify that person about the change.

• Each administrator should create their own credentials and assign them to machines.

• Each administrator should define default credentials that are the same as their logon credentials. This will eliminate problems that may occur if the administrator forgets to assign machine credentials.

Potential Issues When Using Multiple Administrators

Usage Issues

You must take a few common sense precautions when using multiple administrators.  Even though Shavlik Protect contains a number of built-in safety checks, it cannot guard against all possibilities. The program may act in unpredictable ways if the following occur:

•   If two administrators try to scan the same machine group or ESXi Hypervisor at the same time.

The machines will be scanned twice, causing potential performance issues. In addition, there may be administrative rights errors due to the multiple connections.

•   If two or more administrators try to deploy patches or bulletins to the same machine at the same time.

The most likely result is that one deployment task will succeed and the other will fail. But because the deployment that succeeds will likely perform a restart of the target machines, the machines may be in an unknown state when the other deployment fails.

Credential Issue

When you create credentials and assign them to machines, those credentials belong to your administrator account. If a different administrator (Administrator B) logs on and uses Shavlik Protect, they will not have access to the machine credentials you provided. The second administrator must provide their own machine credentials.

One of the ways this can be confusing is if Administrator B fails to provide their own machine credentials and tries to schedule a patch deployment from a scan that was performed by Administrator A. The deployment can be successfully scheduled if default credentials are available, but the actual patch deployment will likely fail because the patch deployment requires machine credentials -- credentials that were provided by Administrator A but that are not available to Administrator B.

Recommendations:

• Each administrator should create their own credentials and assign them to machines 

• Each administrator should define default credentials that are the same as their logon credentials. This will eliminate some of the problems that may occur if the administrator forgets to assign machine credentials.

Virtual Inventory Consideration

Unlike machine groups (which can be viewed by all administrators), vCenter Servers and ESXi Hypervisors can only be viewed by the administrator that added them to Shavlik Protect. If two different administrators want to manage the same vCenter Server or ESXi Hypervisors, both administrators must add the item to the Virtual Inventory list.

More information concerning credentials usage in Protect and possible known issues can be found in the following community documents:

Shavlik Protect Encryption Q&A

How-To troubleshoot Error 5 - Access is denied

Change Machine Credentials on Multiple Machines at Once

Account Lockout - Scheduler Service using Credentials

Shavlik Protect 9.x

vCenter Protect 8.x

Should an ordinary patch scan flag RealPlayer 16 as needing an update to RealPlayer Cloud 17?  I'm only getting detection to work with a software distribution scan.

It's still necessary to have an admin logged in when installing RealPlayer 17, so I deployed to a couple machines while I had admin logins open in VNC.  The deployments worked, but the rescan says they failed.

The initial scan correctly triggers RP17-001/QRP170461N - C$\Program Files (x86)\Real\RealPlayer\REALPLAY.EXE 16.0.3.51 < 17.0.4.61

After deploying and rebooting, the software distribution scan says File not found %REALPATH%\REALPLAY.EXE\  17.0.4.61

yet the file is there (assuming %REALPATH% has the same value as before).

Protect Standard 9.0.0 build 1182

Definition version 2.0.0.6260

Targets are Windows 7 Pro 64-bit

When we build a new server, after the initial build of the OS, the next step is to do a full patching on it.  We run 2 scans.  We do the normal Security Patch scans, which takes care of all of the monthly patches that MS releases.  We then do the Windows update and security tools scan.  On this scan it finds all the files, and it will copy them over, but it will never actually install a single one of the update or security tools.

Wondering if anyone has anything I can check.  The OS is installed from an SOE that the company's master server team builds for all clients to use for new server deploys.  I have tried checking with them and Shavlik, and no one can seem to figure out what is stopping them from running correctly.

Has the patch for KB2850061 been approved and pushed for Shavlik Protect yet?

MS says it was release 12/13/2013, and other patches released that day were approved by Shavlik a few days later per norm. However, I do not see that specific patch listed in the patch DB or available for adding to a patch group.

Is there a way, within Shavlik Protect, to throttle the download of patches from Vendor sites?  Whenever I manually run a scan with auto-deploy during business hours, the Patch Downloads saturate our Internet connection. 

We are using Shavlik Protect Standard to patch our systems. We are currently looking to revise our patch management policy. Does anyone have policy's or policy examples they would like to share. I hate to start from scratch when I know there is someone else that uses shavlik that must have a policy and procedure in please. Any help or assistance would be greatly appricated.

Thank you,

Devin C.

This document is meant to provide information about specific patches that cannot be supported for patching within the Protect application.

The following patches from the January 14, 2014 Patch Tuesday will not be supported within Protect:

MS14-004 - DynamicsAX

Reason: The patch cannot be automated in Protect.

MS14-001, KB2863901 only

Reason: This is a custom Microsoft patch for a specific customers which we cannot support.

You can find additional information for these patches at the corresponding Microsoft articles:

MS14-004

http://technet.microsoft.com/en-us/security/bulletin/ms14-004http://support.microsoft.com/kb/2880826

MS14-001

http://technet.microsoft.com/en-us/security/bulletin/MS14-001

Shavlik Protect 9.x

vCenter Protect 8.x

Shavlik SDK, All Versions

Shavlik Rebrands

This document explains why Microsoft Security Bulletin MS14-004 cannot be supported by Shavlik Protect.

Patch bulletin MS14-004 (http://technet.microsoft.com/en-us/security/bulletin/ms14-004) references a security update for Microsoft Dynamics® AX that resolves a security vulnerability in the software. Some administrators may wonder why MS14-004 cannot be found under patches in Shavlik Protect. Restrictions on this security update from Microsoft does not allow for it to be distributed through Shavlik Protect or any other standard means.

According to Microsoft's official bulletin article:

"Due to the servicing model for Microsoft Dynamics AX updates, Microsoft is releasing these updates to the Microsoft Download Center, Microsoft Dynamics CustomerSource, and Microsoft Dynamics PartnerSource only."

From <http://technet.microsoft.com/en-us/security/bulletin/ms14-004>

For this reason, Shavlik Protect is unable to provide this security update to customers for patching. For those with affected software (see next section of article), the security update referenced in this bulletin as noted above is only available through Microsoft Download Center, Microsoft Dynamics CustomerSource, and Microsoft Dynamics PartnerSource.

This security update is applicable to the following software versions:

From <http://technet.microsoft.com/en-us/security/bulletin/ms14-004>

Microsoft KB Article for Security Bulletin MS14-004

Shavlik Protect 9.x
vCenter Protect 8.x

Environmental and setup prerequisites for Power Management and Wake-on-Lan functionality

Power Management Requirements

Before performing a power management task, please confirm that you meet the following requirements.

General Requirements

• Power management tasks performed from machine groups will be successful on physical machines and online virtual machines, but not on offline virtual machines

• A power management license key is required for all power tasks

• An asset management license key is also required for Wake-on-LAN tasks

• In order for power state changes to be made to a target machine, a user must be logged on to the machine or the local security policy Interactive logon: Do not require

• CTRL+ALT+DEL must be disabled.

• The proper credentials must be available:
  • When initiating a power management action from Machine View or Scan View, the program will attempt to authenticate to the target machines using the credentials used in the most recent patch scan. If those credentials are invalid or missing (for example, if an agent performed the scan rather than the console) the program will attempt to authenticate to the machines using the default credentials. If the default credentials do not work the program will attempt to authenticate using the account credentials of the person currently logged on to the program. If those credentials do not work, the power management task will fail.

• When initiating a power management action from a machine group or a favorite, the program will attempt to authenticate to the machines using the credentials defined in the machine group. If those credentials are invalid or missing, the program will attempt to authenticate to machines using the default credentials. If the default credentials do not work, the program will attempt to authenticate using the account credentials of the person currently logged on to the program. If those credentials do not work , the power management task will fail.

Sleep and Hibernate Requirements

In order to put a machine in or take a machine out of a sleep or hibernate state, its operating system must be configured to allow the operation.

Wake-on-LAN (WoL) Requirements

Hardware Requirements:

• WoL tasks must be performed on physical machines, not on virtual machines
• WoL must be enabled in the BIOS of the target machines. See your hardware vendor's product documentation for details.
• Target machines must have either a wired or a wireless Network Interface Card (NIC) that supports WoL. See your hardware vendor's product documentation for details.
• Target machines can be in sleep, hibernate, or powered off states.
• Network cards on the target machines must have power available (either electric or battery).
• Any intervening routers may need to be configured to forward subnet-directed broadcasts. See your hardware vendor's product documentation for details on configuring your routers.
• Whether you need to configure your routers depends on where your target machines are located. If all the target machines are located on the same subnet as the console, your routers do not need to be reconfigured. If some of your target machines are behind one or more routers and thus on different subnets, the intervening routers must be configured to forward subnet-directed broadcasts on UDP port 9.

Software Requirements

• A hardware asset scan of each target machine must be performed prior to initiating a WoL request. The scan is needed in order to obtain the MAC address of each target machine. When configuring the hardware asset scan, make sure the Network option is selected.
• Each target machine's operating system must be configured to allow WoL.
• Outbound UDP port 9 must be open on the console machine.

Power Status Scan Requirements

A power status scan can be performed on physical machines, online virtual machines, and offline virtual machines.

A 3rd party freeware application can be used to verify that the target workstation is setup properly to receive Magic Packets. This is explained in the following document: Wake-on-Lan Magic Packet Test http://community.shavlik.com/docs/DOC-23187

Protect 9.X

Protect 8.X

When attempting to add machines to a machine group in Protect via the Organizational Unit tab when clicking 'Browse Active Directory' you experience any of the followng:

-You see the message "The list of servers for this workgroup are currently unavailable".

-The OU list is missing machines that you expect to show up.

For any number of reasons the Protect application is unable to either connect to or browse active directory.

Here are troubleshooting steps that should help:

1) Check that the "Browse Credentials" are set correctly and have access to active directory.

2) Make sure NetBIOS is enabled.

- Go into Computer Management > Device Manager.

- Click View > Show hidden devices.

- Under Non-Plug and Play Drivers locate NETBT.

- Right click on NETBT and go to Properties.

- Ensure the General tab lists this device as working properly.

- Ensure the Driver tab lists this device with a current status of Started.

3) On your Protect console system, open command prompt, and run NBTSTAT -R

This command purges the contents of the NetBIOS name cache and then reloads the #PRE-tagged entries from the Lmhosts file. The #Pre section is where domain controllers may be listed.  For more information on nbtstat commands see this Microsoft Technet article: http://technet.microsoft.com/en-us/library/bb490938.aspx

4) If you are having problems enumerating Organizational Units across domains, ensure that the Protect console has access to a DNS server that provides lookups to all involved domains.

You can edit the host file (C:\WINDOWS\system32\drivers\etc)

Add an entry for:

[Net Bios Name of Domain Controller] [IP Address]

or

[DomainName] [IP Address of primary DC]

5) Enable the Computer Browser service. The computer browser service is disabled by default on Server 2008 R2, but it should start without error.

See this document: http://community.shavlik.com/docs/DOC-22966

-Is there an error in the event log? This can help narrow down what is going wrong.

-The computer browser service will automatically stop if your registry settings are not configured to maintain the browse list. To verify your settings do the following:

-Go to Start> Run

-Type regedit

-Press enter

-Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters

-The MaintainServerList value should be set to Yes or Auto. If this Value is No then the computer browser service will not start.

6) Check to make sure netbios ports are open. (139 & 445)

7) A couple other things that may help troubleshoot:

-Check if the "Browse Network" button in the Machine Group configuration dialog on the Machine Name tab functions as expected.

-Make sure you can browse your network (Network Places) using Windows Explorer.

The following Microsoft articles may also prove helpful:

Troubleshooting Active Directory (2003):

http://technet.microsoft.com/en-us/library/cc776795(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc737561(v=WS.10).aspx

Troubleshooting Active Directory Domains & Trusts (2008 R2):

http://technet.microsoft.com/en-us/library/cc770264.aspx#BKMK_1

Shavlik Protect 9.x

vCenter Protect 8.x

This document explains how to tell if Protect is scanning for a specific Virus?

The Shavlik Protect Threat Protection engine is based on the Vipre SDK engine, and uses threat definitions created by GFI's ThreatTrack Security (formerly Sunbelt Software). You can do browse for or search for specific viruses on the following website.

http://sunbeltsecurity.com/BrowseCategories.aspx

Shavlik Protect 8.x
Shavlik Protect 9.x

How to manually configure a remote SQL Server to accept machine account credentials

Manually Configuring a Remote SQL Server to Accept Machine Account Credentials

Note: The manual process described here is required only if the automated account creation process failed during product installation.

If you are using Integrated Windows Authentication to access a remote SQL Server, in order for Shavlik Protect to interact properly with the server you must configure the server to accept machine account credentials. The best time to do this is immediately after you have installed Shavlik Protect but before you actually start the program. You can, however, perform these steps after starting the program. Any scans you initiate prior to this that require interaction with a remote SQL Server database will probably fail.

This section describes how to configure a remote SQL Server to accept Windows authentication (machine account) credentials from the Shavlik Protect console. For security purposes, Shavlik recommends using Windows authentication where possible. Microsoft SQL Server Management Studio is used as the editor in the following examples but you can use a different tool if you prefer.

1. The Shavlik Protect console and SQL Server must be joined to the same domain or reside in different domains that have a trusted relationship.

This is so the console and the server can compare credentials and establish a secure connection.

2. On SQL Server, create a new login account for Shavlik Protect to use.

You must have securityadmin privileges in order to create an account.To do this: Within the Security node, right-click Logins and select New Login. Type the login name using a SAM-compatible format (domain\machine name). The machine account is your console's machine name and must contain a trailing $.Note: Do not use the Search option. You must manually type the name because it is a special name.Make sure you choose Windows Authentication and that the Default database box specifies the Shavlik Protect database. For example:

3. For your Shavlik Protect database, create a new user login using the console machine account.

Right-click the Users folder, select New User, browse to find the Login name, and then paste the name in the User name box. Assign the user the db_datareader,db_datawriter, STCatalogUpdate, and STExec roles. For example:

4. Start Shavlik Protect.
5. Perform any troubleshooting as necessary.

• You can use the SQL Server activity monitor to determine if connection attempts are successful when performing a patch scan.
• If you ran Shavlik Protect before creating the SQL Server user account, some services may fail to connect to SQL Server. You should select Control Panel > Administrative Tools > Services and try restarting the services.
• If the connection attempts are failing you can view the messages in the SQL Server logs to determine why the failures are occurring.

Allowing Other Users Access to the Program

Note: This section also applies if you are using the role-based administration feature.

If you wish to allow other users access to the program, you may need to configure SQL Server so that those users have the necessary database permissions. Specifically, when using Windows integrated authentication, users without administrative rights on the database machine must be granted read and write permission to all tables and views. They must also be granted execute permission to all stored procedures in the Shavlik Protect application database. They may not otherwise be able to start Shavlik Protect.

One way to grant these permissions is to assign your users the db_owner role. For security reasons, however, this may not be the best solution. A safer alternative is to grant execute permission at the database level. You do this by assigning the users in question to the STExec role.

For an explanation of the permissions specified above, reference Protect SQL Account Configuration for least privilege requirements http://community.shavlik.com/docs/DOC-1463

Protect 9.X

Protect 8.X

I would like some Best Practices posted for MS Hyper-v servers. Is it just another server? Is there a way to patch offline servers? Do you need virus protection on the VM? etc.

This document outlines how to cancel a scheduled task.

In Protect choose Manage> Scheduled Tasks.

For Deployments

Select the target machine in the tree on the left. Deployments are scheduled on the target machine.

For Scans

Select the Console machine in the tree on the left. All agent-less scans are stored in the Console's scheduler. This means that even if you are scanning a different target machine, you still select the Console machine from the tree.

When the intended machine has been selected, the Scheduled Jobs should automatically populate in the list on the right.

Right click the desired job, and choose Delete.

When prompted to confirm, choose Delete.

After the job is deleted the Scheduler for the selected machine should refresh, and the scheduled task should no longer be displayed.

Shavlik Protect 9.x
vCenter Prtoect 8.x

This document outlines how to schedule a patch scan to take place at a future date/time.

A scan can be scheduled to run a single time at a specified date/time. Alternatively the scan may be scheduled to run at the same time on different days, or on a desginated day each month; these scheduled scans occur until removed from the scheduler.

Related Document: How to Cancel / Delete Scheduled Tasks

Once

Scheduling a scan using the 'Once' option will cause a scan to be run a single time at the designated date/time.

Example: The image shows a scheduled scan that will begin on February 1, 2014 at 6:00 PM. Because this is a 'Once' type scan, it will not occur again.

Recurring - Daily

Scheduling a scan to be 'Recurring Daily' will cause the scan to be run at the designated time on the specified days. To stop the jobs from continuing to run, the scheduled task must be deleted.

Example: The image shows a scheduled scan that will occur Weekdays (Monday, Tuesday, Wednesday, Thursday, Friday) at 6:00 PM. Because this is recurring, this will happen every week at the same time on the same days.

Recurring - Monthly

Scheduling a scan to be 'Recurring Monthly' will cause the scan to be run at the designated time on the specified day each month. To stop the jobs from continuing to run, the scheduled task must be deleted.

Day of Month to Run

Example: The image shows a scheduled scan that will occur the 21st day of every month at 6:00 PM. Because this is recurring, this will happen every month on the 21st at the same time.

 

The First, Second, Third, Fourth, Last Occurance of Day

Example: The image shows a scheduled scan that will occur the SecondTuesday each month at 6:00 PM. Because this is recurring, this will happen every month on the 2nd Tuesday at the same time.

 

 

 

When scheduling a scan there are 4 options to define.

1. Name this operation (optional):
   • This will be displayed in the scheduled task manager, scan results, and logging.
2. Select/confirm targets:
   • Define the machine groups that will be part of the scheduled scan by adding checkmarks to them.
3. Select schedule:
   • Select the scheduling options. More information on this in beggining of this document.
4. Select/confirm operation:
   • Identify the scan template to be utilized.
5. After setting up the the scan to use the template desired, the machines needing to be scanned, and the frequency of the scan to occur, click the Schedule button.

If the job is scheduled successfully you will see a toast popup indicating such.

Within Protect, click the Home button in the upper left corner of the GUI. The Home screen will display options to setup a scheduled scan.

Note: One or more groups may be selected to have the scheduled job ran against them.

Within Protect, in the navigation panel on the left of the interface, select to view Machine Groups.

Click on the intended Machine Group.

Within the Machine Group editing window, choose Run Operation.

The Run Operation screen will display options to setup a scheduled scan.

In Protect choose View> Machines.

In Machine View, select the Machine(s) to schedule the scan against.
Right Click
Choose Patch Scan
Select the desired Scan Template

The Run Operation screen will display options to setup a scheduled scan.

Shavlik Protect 9.x

Anyone know what this "DependencyID=211" is?

It appears to be causing Protect 8.0 to not scan for a specific patch, and I don't know why...

2014-01-17T20:35:18.1647500Z 0ddc V ProductDependencies.cpp:77 DependencyID=211 = PassedDependency=false

2014-01-17T20:35:18.1647500Z 0ddc V PatchTest.cpp:1872 Not scanning for Q# Q2892075 because did not pass dependencies.

Sorry if this is limited inform,ation - first posting and I'm not sure what is normally expected.

The snippet is from a trace file output by hfcli

Thanks & Regards,

Jim

A patch that was manually downloaded and placed in the patch repository, does not show as downloaded in protect.

This is often caused by the patch not having the Shavlik Name.
Some vendors will update their patches but utilize the same file name. When the file has the same name, it causes issues with Protect's ability to delineate between different files. To resolve this, Protect utilizes a 'Shavlik Name'. A Shavlik Name is the unique file name given to a file when the vendor chooses to not give one. The name is the only change that occurs on the file, and will typically consist of append the name with the file version, and language of the patch where applicable.

Example:
Adobe Flash patches are hosted under a generic name: install_flash_player_11_plugin.exe
To differentiate between files, a Shavlik Name is given to the file that specifies version, and bit version: install_flash_player_11_plugin_64bit119900170.exe

Modify the patches file name, by giving it the corresponding Shavlik Name.
To identify the Shavlik File name of the patch:

• Open Patch View (View> Patch View)
• Right click the column headers and select 'Column Chooser'

• In the Customization window, drag the 'Download File Name' option into the Patch View window.

• Search for the Q# of the patch
• When the patch is found in Patch view, expand its view and the Shavlik Name will be displayed under the Download File Name column.

Note:
You can also enable the Vendor File Name option in the Customization window to see what the files default name is when hosted by the Vendor.

Shavlik Protect 9.x
vCenter Prtoect 8.x

This document explains what is meant by "informational" items under patch status in Shavlik Protect.

Some users may be unsure what "Informational" items are in Protect. These items can sometimes be found under the "Current Patch Status" column in the patches tab when viewing scan results or individual machine listings in the machines view. This article explains what "informational" means and why it can be found in the scan results.

After running a scan in Shavlik Protect, under the default view- under original patch status, in addition to patch installed, and patch missing- there can often be found informational items.

Informational status identifies products on the target machine that have been fully patched or for which there exists no applicable patches. This informational status is meant to be an indicator that all available patches have been applied for the designated products.

In this example above, all of the products on the right (Internet Explorer 11, Direct X 9.0c, etc.) have been fully patched on the target machine, and do not currently require patching.

Informational items cannot have actions performed on them as they do not reference a particluar patch- but rather a fully patched product.

Shavlik Protect 9.x
vCenter Protect 8.x

Recurring Scheduled Tasks are being deleted.

The Scheduled Tasks log tab shows a status 1326 when the deleted task was last attempted.

The ST.Activation.managed.SYSTEM@NT AUTHORITY log shows the following error:"Failed to check access to '192.0.7.18', error: 1326".

System error code 1326 means "Logon failure: The user name or password is incorrect." This error code may also display as "ERROR_LOGON_FAILURE" or as the value 0x52E.

The Scheduled Tasks log tab shows a status 1331 when the deleted task was last attempted.

The ST.Activation.managed.SYSTEM@NT AUTHORITY log shows the following error:"Failed to check access to '192.0.7.18', error: 1331".

System error code 1331 means "Logon failure: account currently disabled." This error code may also display as "ERROR_ACCOUNT_DISABLED" or as the value 0x533.

Shavlik Protect will delete a recurring task after credentials fail.  A new task will need to be created with proper credentials.

Verify that Credentials are correct for the target machine in the scan task using the following steps:

• Verify which user was logged into the console machine when the scan task was created and log in to the console machine as that user.
• Verify the credential listed as default credential under Manage Credentials
• Login to the console as the user listed as default credential under Manager Credential in the last login.
 
 
• Make sure that you can access the default administrative share (c$) on the target machine.
 

For other scanning prequisities please visit the following link to online help:

http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/Scanning_prerequisites.htm

Protect Version: All