Manually installing an agent fails during the registration process.

  Error found in registration.log

• 'Error during registration. Error: Error 1300: Not all privileges or groups referenced are assigned to the caller'

  Error found  in the STAgentUI.log

• 'Error 1314: A required privilege is not held by the client'

This error is seen if the user account used to install the agent does not have the correct permissions.

Add required rights in User Rights Assignments.

     Known rights needed to install and register agents.

• "Act as Operating System"
• "Take Ownership"

1. Open Local Security Settings.
2. In the console tree, click User Rights Assignment.
   - Security Settings/Local Policies/User Rights Assignments
3. In the details pane, double-click the user right you want to change.
4. In UserRight Properties, click Add User or Group.
5. Add the user or group and click OK.

*Note: To open Local Security Policy, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

You can also check what rights the current user has by running the following command from a Windows Command Prompt.

>whoami /priv

Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

Local policy settings
Site policy settings
Domain policy settings
OU policy settings

*Note: When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Shavlik Protect 9.x

Many of the common Shavlik Protect scan errors can be corrected by changes to configuration or environment. This article lists the most common scan error messages and provides some guidance on correcting the issue.

Scan errors can occur:

• If one or more of the Shavlik Protect Scanning Prerequisites have not been met 
• If one or more configuration issues are present in Shavlik Protect 
• Due to one or more environmental issues

Shavlik NetChk Protect 7.x

VMware vCenter Protect 8.x

Shavlik Protect 9.x

This document is meant to provide information about specific patches that cannot be supported for patching within the Protect application.

The following patches from the January 14, 2014 Patch Tuesday will not be supported within Protect:

MS14-004 - DynamicsAX

Reason: The patch cannot be automated in Protect. See article http://community.shavlik.com/docs/DOC-23357 for more details.

MS14-001, KB2863901 only

Reason: This is a custom Microsoft patch for a specific customers which we cannot support.

You can find additional information for these patches at the corresponding Microsoft articles:

MS14-004

http://technet.microsoft.com/en-us/security/bulletin/ms14-004http://support.microsoft.com/kb/2880826

MS14-001

http://technet.microsoft.com/en-us/security/bulletin/MS14-001

Shavlik Protect 9.x

vCenter Protect 8.x

Shavlik SDK, All Versions

Shavlik Rebrands

Hi. I am wondering if there is a way to force or allow agentless patch deployment over a time range so that (for example) machines offline on Monday might get the message on Tuesday and patches could be deployed. This may be a feature request. It might also be something in scheduled tasks now, but I confess I have not delved into that part of Protect yet. Advice and guidance appreciated, thanks.

RE ProtectCloud users who have agents on their machines that connect through the Cloud: does the cloud console talk to my console? I have set 3 types of patch scans in the agent policy used by my remote folks. Do I need to ensure my console has patches downloaded in order for remote users to get them, or is the whole thing independent of my control and console used on network?

I also find the machine view of agent machines to work less than optimally, because some of the machines I have targeted for remote agents have never been scanned by my console. Any recommendations on this? Thanks.

I followed the steps of the following article: How to Schedule Automatic Definition Downloads

And when I go in Help> About and look for Data versions they are shown as still not updated.

In fact the files are effectivly updated but the GUI is not showing the current state of the file verison.

Close and reopen the Shavlik console.

Shavlik Protect 9.x

When running the Shavlik Migration Tool, clicking the 'Backup core settings', 'Backup user settings', 'Restore core settings',  'Restore user settings', button does nothing.

The ST.Backu.Protect.UI.Managed log shows this error:

This is caused by a missing patch: Q2468871, MSWU-544, Non-security Patches

Install the pre-requisite patch: Q2468871, MSWU-544, Non-security Patches. This patch must be installed on the Original console as well as the Target console.

To download this patch please visit:

http://www.microsoft.com/en-us/download/details.aspx?id=3556

Related Document:

How to Include or Exclude Specific Patches in Scan Results

Shavlik Protect 9.x

Abstract : Agent installation prerequisites can be found in the Quick Start Guide here :http://www.shavlik.com/uploadedFiles/Support/Online_Documentation/Shavlik_Protect_90/agent-quick-start-guide.pdf

Agents can be installed via multiple methods, as follows:

Console Installation - Push method

Agents can be installed from the console, in which case all the configuration prerequisites are the same as those for an agentless patch deployment See Patch Scanning Prerequisites This includes enabling the remote registry service on the target machine and verifying that the proper TCP ports are open. During the install process, the agent machine will need to successfully resolve the console via DNS and connect to the console via TCP 3121 in order to obtain the assigned policy. An agent policy must be created and configured prior to installation.

Push Method Steps

• Create a new machine group.
• Add the agent machine to the machine group using a machine name, domain name, or IP address. You cannot use the Install / Reinstall Agent button to install  agents on machines that were added as organizational units, nested groups, or IP  address ranges by IP address.
• Specifiy the necessary, machine specific credentials.
• Select the machine, then select 'Install/Reinstall Agent'.

You can also select a previously scanned machine from the Machine View and select Install/Reinstall with Policy

Manual Installation

Agents can be installed from the target machine, in which case the agent machine will need to successfully resolve the console via DNS and connect via TCP 3121. Additionally, valid credentials for the console machine will need to be supplied, or a passphrase will need to be supplied. In the case of a passphrase being used, the passphrase will need to have been set on the console machine via the 'Agents' tab of the 'Tools>Options' menu. An agent policy must be created and configured on the console prior to installation. The preferred method of installation is as follows:

• Ensure that the console's datafiles have been updated successfully.
• Copy the 'STPlatformUpdater.exe' file from the console machine to the agent machine. This file is located in the following folder :
• C:\ProgramData\LANDesk\Shavlik Protect\Console\DataFiles
• Login to the agent machine using credentials with administrator level privileges on the local machine.
• Launch the installer.

If the IP address is used to specify the console URL, it will be necesarry to create an Alias for this same IP address on the console machine.

Scripted Installation

Agents can be installed using a script. This method of installation is very similar to a manual installation, with the exception that the target machine will run the installation using the 'Local System' account, and that the necessary installation options must be specified as command line switches. See the administration guide for further details outlining the necessary syntax.

Once the agent has been installed, the installer files for the necessary components will be downloaded and executed. The components installed will depend upon the configuration of the agent policy (i.e. if Active Protection is enabled, or a threat task is defined, the agent will download and install the threat engine component). The installer files, as well as all other necessary patch and data files, will be downloaded from the source as specified in the agent policy. If the agent is unable to obtain these files from the specified source, the agent will fail to perform as expected.

Logs

The installation log files can be located in any of the following locations, depending upon installation method:

C:\Windows\Temp\

C:\Windows\Temp\{stringvalue}\

%temp%\

The log files will be named as follows:

STPlatform*.log

AgentInstaller.log

Once the agent has been successfully installed, further log files (including installation log files from component installations) can be located in the agent data files (within the '...\Logs' subdirectory).

If you are using Protect Cloud synchronization, you have the ability to install a Shavlik Protect Agent from the cloud. This is particularly helpful if you have target machines that are away from the corporate network and unable to contact the console.

There are two basics steps to a cloud-based installation:

1. You (the adminstrator) must log on to the Protect Cloud service, create an agent key, and then email the key to the users of each target machine.
2. The user on each target machine will follow the email instructions to install and register the agent.

If you want to learn more about this feature, please refer tour Quick Start Guide about Agents, to the Best Practises guide or to the e-learning videos on our website.

Protect Cloud Prerequisites

• Must be running Shavlik Protect Standard or Shavlik Protect Advanced.
• Must have a Protect Cloud account (How to register the Console http://community.shavlik.com/docs/DOC-23158).
• Shavlik Protect console should be registered.
• Applies only to agents that are configured to use Protect Cloud synchronization.
• The console must have a reliable Internet connection.
• Outgoing TCP ports 80 (http) and 443 (https) must be available when communicating with Protect Cloud.
• The URL protectservices.shavlik.com must be accessible when communicating with Protect Cloud.

Shavlik Protect 9.x

Our Development team is always excited to hear what new ideas you have for our product! Each and every idea is reviewed and given serious thought on if and how your idea could be implemented. Here is how you can let us know!

There are 2 ways of submitting a feature request. The first is through Protect. This can be done by going to Help-> Submit a Feature Request.

The Second is by going directly to this link. Here you can give your ideas.

https://www.accompa.com/featureidea.html?fname=shavlik

Verify that an existing Microsoft SQL Database meets Pre-Requisites to use Integrated Windows Authentication to access a remote SQL Server

User Account and domain prerequisites

• The Shavlik Protect console and SQL Server must be joined to the same domain or reside in

different domains that have a trusted relationship. This is so the console and the server can compare credentials and establish a secure connection.

• For security purposes, Shavlik recommends using Windows authentication where possible.

• On the SQL Server,  verify that a machine account has been created that represents the Protect Console. It will be in the domain\machinename format. The machine account is the console's machine name and must contain a trailing $ . You should be able to see the machine account under the Security node under Logins.  If the machine account exists, right click the machine account and select Properties. Verify that Window authentication is selected and the default database is the one that you use for Protect.  Normally the database name is ShavlikScans if you created the database from a Protect 8 installation and Protect if you started with Protect 9.  If the machine account does not exist, follow instructions in the Document "Manually Configuring a Remote SQL Server to Accept Machine Account Credentials" http://community.shavlik.com/docs/DOC-23340

A machine account representing the Protect Console must also exist for the specfic Protect database.

For an explanation of the permissions specified above, reference Protect SQL Account Configuration for least privilege requirements http://community.shavlik.com/docs/DOC-1463

The machine accounts described above should have been created automatically during product installation.  If the account information is missing follow  Instructions in the Document "Manually Configuring a Remote SQL Server to Accept Machine Account Credentials" http://community.shavlik.com/docs/DOC-23340

Protect 9.X

Protect 8.X

Data Rollup results differ on the Primary and Secondary Console in the results view or in reports (Deployment Status by Machine).

Primary Console

Secondary Console

Minutes between sending console's results is set to send to frequently. The deployment does have results qued but they are not complete. The incomplete results are sent to the Primary Console. Once the incomplete results are sent to the Primary Console the updated complete results will not be resent via data rollup.

Have the console send the results less frequently. For example 1440 minutes would be once every 24 hours (default is 240 minutes).

The results are sent based on the last time the Shavlik Protect Console service was started, that is when the timer begins.

You receive and unexpected error when clicking Help > Refresh Files, or navigating to View > Patches.

The ST.Protect.Native log contains the following error:

Unable to load the custom XML file [C:\ProgramData\Shavlik Technologies\NetChk\pathtoxmlfile]

Protect is attempting and failing to import an invalid custom patch XML created by the user.

Navigate to directory containing custom patch XML.

Protect 9.x

Windows Vista and Newer: C:\ProgramData\LANDesk\Shavlik Protect\Console

Windows XP: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Console

Protect 8.x

Windows Vista and Newer: C:\ProgramData\Shavlik Technologies\NetChk

Windows XP: C:\Documents and Settings\All Users\Application Data\Shavlik Technologies\NetChk

Identify the custom patch file by its .XML extension, right click the file, choose rename, add .OLD at the end.

This will effectively remove the file from being processed by Protect, and allow verifying that the abscense of that file fixes the problem.

Protect Version: All

• Patch Scans stalls or freezes between step '4. Scan for Patches' and step '5. Wait for Results.'
• Scans go from '1 of 1 machine complete. 0 machines not scanned' to '0 of 0 machine complete. 0 machines not scanned'.
• Protect's ST.ServiceHost.Managed.Log contains an error such as:
  • Failed to determine service pack name for product 'xxx'
  • The required attribute 'Ordinal' was not found

Example of error found in the ST.ServiceHost.Managed.Log:

2013-09-20T16:52:08.7528184Z 0011 W PatchResultXmlSerializer.cs:225|Failed to determine service pack name for product 'Microsoft Report Viewer Redistributable 2008'.

2013-09-20T16:52:08.7684416Z 0011 E LegacyResultSerializer.cs:77|866959a1c7464ff9972859b295b69244: System.Xml.XmlException: The required attribute 'Ordinal' was not found Line 2, position 80304.

at ST.Core.Xml.XmlReaderExtensions.GetAttributeAsInt32(XmlReader reader, String name)

at ST.Services.Serializers.PatchResultXmlSerializer.ParseAssessedProduct(XmlReader reader, Int32 machineLanguageLcid)

at ST.Services.Serializers.PatchResultXmlSerializer.ParseAssessedProducts(XmlReader reader, Int32 machineLanguageLcid)

at ST.Services.Serializers.PatchResultXmlSerializer.ParseResult(XmlReader reader, PatchResultDto result)

at ST.Services.Import.Patch.PatchResultXmlSerializer.ParseMachineResult(XmlReader reader, Result`1 scanResult)

at ST.Services.Import.Patch.PatchResultXmlSerializer.ReadResult(ResultEnvelope envelope, XmlReader reader)

at ST.Services.Import.Patch.PatchResultXmlSerializer.Deserialize(Guid resultId, XmlReader reader)

at ST.Services.Import.LegacyResultSerializer`1.ParseResultBatch(ResultFile resultFile, Stream resultStream)

at ST.Services.Import.LegacyResultSerializer`1.Deserialize(ResultFile file)

2013-09-20T16:52:08.7684416Z 0011 W Dispatcher.cs:193|Invalid/incomplete results file encountered 'C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Console\Arrivals\Patch\Xml\Invalid/incomplete results'.

2013-09-20T16:52:08.7684416Z 0011 W ResultFileQueueManager.cs:147|Result file 'C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Console\Arrivals\Patch\Xml\866959a1c7464ff9972859b295b69244' is duplicate or invalid. Moving to bad files.

This issue is caused because Protect's product detection is finding a version of an application that needs a repair/reinstall or is not supported, such as a beta or RC version of a product. The scan failing out due to this is a known defect that should be fixed in a future version of Protect.

First, ensure that you have the latest patch definitions by going to Help > About. Outdated patch definitions can cause this issue to occur. Running Help > Refresh Files should update your patch definitions.

If you continue to have the issue, it will be best to open a case directly with support. You can open a case at,http://support.shavlik.com/

If you can provide the following information at the time you open a case it will help to expedite support's ability to provide a resolution:

• Protect Console side Logs as noted in this document:
  • http://community.shavlik.com/docs/DOC-22921
• A copy of the 'Arrivals' folder, which can be found in the following location:
  • Version 9 -
    • Vista & Later: C:\ProgramData\LANDesk\Shavlik Protect\Console\Arrivals
    • Earlier OS's: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Console\Arrivals
  • Version 8 -
    • Vista & Later: C:\ProgramData\Shavlik Technologies\Console\Arrivals
    • Earlier OS's: C:\Documents and Settings\All Users\Application Data\Shavlik Technologies\Console\Arrivals

If you are aware of which system may be causing the scan to fail out, it can also be helpful to obtain the following information:

• A DPD Trace of target system found to have this problem. Refer to the following document:
  • http://community.shavlik.com/docs/DOC-22997
• An Export of the following registry keys from the target system: 
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products

Shavlik Protect 9.x

Symptoms

Deploying an out of date installs a different version than intended / installs the latest version available.

*Note:This issue may occur for different Vendor Software. This Document will explain using Adobe Flash as an Example.

Example:

When using out of date scan data, or scanning for a specific patch (How to Find/Exclude Specific Patches in Scan Results), the Scan results indicate a Patch is missing, which is older than the latest available patch for the specified product.

Current Latest Patch Available for Adobe Flash (at time of writing): 11.8.800.175

Scanning results identifying missing Version: 11.8.800.094

Target Machine's Currently Installed Version: 11.7.700.224

When choosing to install the detected missing patch version (11.8.8.094) a newer version is installed (11.8.800.175).

Cause

1. Adobe currently utilizes a static URL for all of its newest Flash releases ('http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.msi').
2. Shavlik does not host patches for download, but rather utilizes vendors public URL's for download.

Because the same URL is used for each new patch release, when Protect attempts to download the 'outdated' patch version (11.8.800.094) the URL responds with a download for the latest patch version (11.8.800.175).

Solution

Option 1 - Use Latest Version of Patch

Verify Protect is using up to date detection data (Help  > Refresh Files).
Use the latest version of Patch accordingly.

Option 2 - Use Outdated Specific Version

If it is necsesary or desirable to use a specific outdated version of Flash, the installation media would have to be obtained manually and installed manually; Protect does not offer an automatic means to install the outdated version due to the static URL discussed previously.

Hi,

I have just scanned one of my machines with vCenter Protect 8.0. It lists many missing patches, one of them is MSWU-765 (Q2836939). The vCenter displays it under the product .NET Framework 4 and released in June 2013. But the KB article of the microsoft shows that the patch is for .NET 2.0 which was released in September 2013.

Here is the link to KB article:

http://support.microsoft.com/kb/2836941

Why is this difference? Attached snapshot of vCenter Protect scan.

Thanks

Srikanth Badireddy

When viewing patch MSWU-765 (Q2836939) within Protect, either in Patch View or within scan results, you may see it list affected products with .NET 2.0, 3.5, and 4 as well as Windows 7 and other newer operating systems. This appears to conflict with the 'Applies To' section of the MS KB article for this patch:

http://support.microsoft.com/kb/2836941

Applies to

-Microsoft .NET Framework 2.0 Service Pack 2, when used with:

Microsoft Windows Server 2003 Service Pack 2

Microsoft Windows XP Service Pack 3

Our data content team provided the following explanation about why this differs from the 'Applies to' section of the mentioned MS KB article:

At the time of release we bundled all June and September .net non-security updates into that one bulletin(MSWU-765) instead of breaking them out into 10 different ones. Since only one kb can be listed per bulletin (within Protect XML) it references just that one KB. In reality, this one bulletin contains multiple .net kbs.

The detection for this should be correct - you should apply the patch.

Shavlik Protect 9.x

vCenter Protect 8.x

Hello all,

Using Protect 9.0, if I create a machine group for patching and set it to start at midnight, do all servers start or once or run sequentially??

Thanks.

So i've been failing on the connect to existing database section.
Is it required the account being used be a 'sysadmin' on the sql instance.

the instructions only say db_owner and a few others which i have marked.

I've opened a support ticket, but thought i would ask the community.    

We currently use Shavlik 9.0.1182.0, have created a machine group that currently only has (9) servers in it.  These servers all have agents installed.  We have created an Agent Policy that utilizes a patch task.  This patch task also has a custom patch scan template, a deployment template and a deploy patch group all configured. 

When running  a scan and patch from the home screen against this machine group and picking all the same options (scan template, deployment and patch templates) but manually running them we get a notification via email due to the email info being setup on the scan patch template.  A record of the scan also is indicated under the “results”. 

I am unable to find a way to get notified that the patch policy process ran or to see this activity in the “results” tab.  Where do I set or can it be set that we get notified via email that the agent policy ran as scheduled.
thanks