This article provides steps to purge a large database in Shavlik Protect for maintenance purposes.
Resolution
To purge the database of old data (clean up):
Using Database Maintenance tool built into Protect:
Launch Protect.
Navigate to Tools > Operations > Database Maintenance. Note: in older versions this was under Tools > Database Maintenance.
Change the Delete results older than (days) or max results to keep to the desired amount.
(Optional): Enable the 'Rebuild Indexes' options and the option to 'Backup database and transaction log'.
Click Run Now. You will be prompted to confirm that you want to run the maintenance task. After confirming, you should see a pop-up in the lower right of your screen stating that the database maintenance task has started and will run in the background.
Wait approximately 15 minutes to allow time for the deletion of old results to take place. The operation runs as a background task and may take more or less time than this depending on how many records are being deleted during the maintenance.
Alternate method of deleting results using Manage > Items
In Protect, go into Manage > Items from the menu.
You can select specific results to delete, then click 'Delete selected', or you can click 'Delete All'. This needs to be repeated for each type of results that you want to delete from your database (Patch Scans, Patch Deployments, etc.).
You will be prompted to confirm when you click a delete option.
You will then see a progress bar showing the status of the deletion of results. If you have a large number of results to be deleted, this can take some time to run.
Additional optional steps to be performed within SQL Management Studio:
Launch the SQL Management Studio.
Expand Databases.
Right-click your ShavlikScans database and click Properties.
Click Options.
Change the Recovery Model from Full to Simple.
Click OK.
Right-click the ShavlikScans database again and click Tasks.
Click Shrink > Files.
Change the File type to log.
Under Shrink Action, click Reorganize pages before releasing unused space and set the Shrink file to field to 0.
Click OK. This truncates the transaction log to 0 bytes.
(Optional) Repeat Steps 8 through 10 and reset the Recovery model to Full.
Right-click the ShavlikScans database again and click Tasks.
Click Shrink > Database and click OK.
Wait for the shrink operation to complete. In case of large databases, it may take a long time to complete.
Additional Information
If you are using SQL Express you may need to install the SQL Management Studio for express editions before you can perform the actions described above. The links for SQL Express Management Studio downloads can be found here.
I am looking for a doc that gives a fairly technical explanation of the data flow when scanning endpoints and deploying patches. Looking for port information during the data flow. Working with online and off-line Protect console using distribution servers. Good graphics are also welcome.
I need to provide a doc to a client and do not want to reinvent the wheel if not needed.
If you know of a good dataflow doc or graphic, please send me or provide a link.
I followed the steps to remove the deployed patches from C:\Windows\ProPatches but the machine still rebooted itself. Is there a way to cancel any reboot that has been scheduled?
I came across something I did not expect. Our users are allowed to download to their machine. It seems some users have downloaded, I believe by accident, the AVG virus toolbar for Chrome. Not a big deal, but the toolbar disabled the Shavlik Threat protection. This is not good. On another PC, the Threat protection was disabled but I could not determine why. The user does not have rights to disable the protection.
My question is, is there a way to see if the client threat protection is enabled or disabled from the console? Or is there a way to prevent something from turning the protection off?
Some users may find that all credentials are shared despite never setting the credentials to be shared in Protect.
Attempting to edit these credentials to not be shared is not possible as the option "Share this with background tasks, Agents, and other features" is greyed out. In this same window, users should see the following warning message:
"Warning: The console service is running under your account. All credentials are implicitly shared."
Cause
This issue is caused by the Shavlik Protect Console Service being set to log on as the specific user account the user is currently logged in with, rather than the Local System account. This can be verified by going to the Windows services, right-clicking the Shavlik Protect Console Service, and selecting Properties. On the Log On tab, affected users should see something resembling the following screenshot:
Users with this setting may not notice other functional problems, but as long as the service is set to run under "This account" the issue will persist.
Solution
To solve this issue, set the Shavlik Protect Console Service to run under the Local System account. This can be done by opening the same window as in the previous section (Services > right-click "Shavlik Protect Console Service" > Properties > Log On tab) and changing the setting under "Log on as:" from "This account" to "Local System account". After changing the setting, the window should look like this:
Click Apply. You will then be required to restart the service; this can be done by right-clicking the service again and selecting Restart.
After completing these steps and launching Protect, users should once again be able to choose whether or not to share their credentials.
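The check described above can also be made without opening the Services MMC by reading the log-on account from `sc qc` output. The following is an added example, not part of the original article: it parses constructed `sc qc` output (the service key name and binary path are placeholders, since the page gives only the display name) and reports whether the console service runs under a specific user account, which is the condition that makes all credentials implicitly shared.

```python
import re
import subprocess

# Constructed sample of `sc qc` output for a console service that runs under a
# user account (the misconfiguration described above). The SERVICE_NAME and
# BINARY_PATH_NAME values are placeholders, not the product's real values.
SAMPLE_SC_QC_OUTPUT = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PLACEHOLDER_ProtectConsoleService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\PLACEHOLDER\\ST.ServiceHost.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Shavlik Protect Console Service
        DEPENDENCIES       :
        SERVICE_START_NAME : CORP\\jdoe
"""

# The same output after the fix described above (constructed by substitution).
# "LocalSystem" is what the Services MMC displays as "Local System account".
SAMPLE_SC_QC_FIXED = SAMPLE_SC_QC_OUTPUT.replace("CORP\\jdoe", "LocalSystem")

# Built-in service identities that are not a specific user's account.
BUILTIN_ACCOUNTS = {
    "localsystem",
    "nt authority\\localservice",
    "nt authority\\networkservice",
}


def parse_sc_qc(output):
    """Parse `sc qc` output into a dict mapping FIELD_NAME -> value."""
    fields = {}
    for line in output.splitlines():
        match = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def service_log_on(output):
    """Return the account the service logs on as (SERVICE_START_NAME)."""
    return parse_sc_qc(output).get("SERVICE_START_NAME", "")


def credentials_implicitly_shared(output):
    """True when the service runs under a specific user account rather than
    a built-in identity, i.e. the condition that greys out the share option."""
    account = service_log_on(output)
    return bool(account) and account.lower() not in BUILTIN_ACCOUNTS


def query_service(service_name):
    """Fetch live `sc qc` output on a Windows host (not used by the sample)."""
    result = subprocess.run(["sc", "qc", service_name],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_SC_QC_OUTPUT), ("after", SAMPLE_SC_QC_FIXED)):
        print(label, service_log_on(sample),
              "implicitly shared" if credentials_implicitly_shared(sample) else "ok")
```

On a live console, replace the sample with `query_service("<service key name>")`; the key name is visible on the General tab of the service's Properties window.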
This document is meant to provide steps on how to enable client/target side verbose logging for troubleshooting agentless deployment issues.
Description
How to enable Client (Target) Side Logging via ITscript:
These logs are automatically generated on the client (target) system during an agentless patch deployment under the folder C:\Windows\Propatches and its subfolders. However, you can enable verbose logging of these logs for a system by doing the following:
1. In the Protect console, go to Manage > ITScripts.
2. Under the 'Configuration' section, locate and select the script named "Set Target Machine Verbose Logging".
3. Click the 'Approve' button at the top, or right click on the script and choose 'Approve'.
4. Go to the machine group containing the system(s) you wish to enable this for, and click Run Operation.
5. For "4. Select/confirm operation:", choose ITScript from the dropdown, and then select "Set Target Machine Verbose Logging" from the second dropdown.
6. Click Run.
7. When the operation is complete you should see the status change to "Complete: Verbose logging was successfully enabled."
Alternate Method - Manually adding config files
You can enable target-side logging by adding the config files into the correct directories on the target system. See the attached zip "Logging.Config.zip" to obtain the files.
The files should be placed into the following folders (on the client/target system) accordingly:
C:\Windows\Propatches
cl5.exe.config
SafeReboot.exe.config
SafeReboot64.exe.config
C:\Windows\Propatches\Scheduler
stschedex.exe.config
stSched.exe.config
Additional Information
See the following document for more information about the above mentioned ITScript:
If you are at a company that is running Shavlik Protect on a full SQL environment and have a DBA on staff with SQL maintenance and backup policies already running against our databases, great! If you are running SQL Express or full SQL but don’t have a maintenance and backup plan in place, please keep reading.
A database with no maintenance procedures run against it is likely the single biggest cause of upgrade issues, and it is the root cause of many GUI performance issues that can be mitigated, and in many cases resolved, by proactive maintenance on the database. Below are our recommendations for good regular maintenance on your DB so you keep it running slim and clean for good performance and to reduce issues.
Description
Keep in mind this is a starting point. If you have regulatory needs that require more data kept live you should adjust to keep more data live. If that is the case you may want to analyze how frequently you are scanning. 1000 agents scanning 8 times a day will grow your DB at a much more rapid rate than once per day or once per week. And in most cases, you don’t really need all of that data.
Recommendations
Recommendation for regular Database maintenance:
Data Retention: Determine the amount of data that needs to be kept on hand for operational purposes. Typically 60-90 days is acceptable for operational purposes. The following document provides steps on how to perform deletion of old results in Protect:
Reporting: Determine what report data is required for audit regulatory requirements. Run monthly reports fulfilling these needs and keep on file as far back as policy requires. Typically 13 months is acceptable.
Database Backups: It is recommended to run weekly incremental and monthly full backups. The backup should be run just before your scheduled purge. Keep backups as far back as the reporting data. See the following document on how to create backups using Protect's database maintenance function:
Backups: full monthly, just after patch maintenance for that month. Incremental weekly, end of each week (after weekend patch windows preferably).
Purge Data: After Full Monthly backup is run
Reindex: After Purge Data is run
Integrity: After Reindex is run
Full SQL Maintenance Guidance:
If you are using full SQL it may be easiest to set up maintenance plans using the maintenance wizard. If you have a DBA, they have most likely set maintenance tasks up already and you should check with them first. See the following Microsoft TechNet articles on how to use the SQL wizard to set up a maintenance plan:
4- Reboot both target and console machine - what is the result after a scan ?
5- Can you complete an nslookup of the IP address, NetBIOS name and FQDN, both forward and reverse, for the target and the console? Ensure the results are consistent.
6- Is this the only machine you are getting this error ?
7- Do you have credentials assigned to this machine in the machine group ?
8- What credentials are set in the Machine Properties? Go to the Machine View, right-click on the device and click "Machine Properties". Verify that the correct credentials are listed there.
9- Try disabling your anti-virus and firewall and see if it makes a difference to your error. If it does, re-check the port list to ensure all necessary ports are enabled: http://community.shavlik.com/docs/DOC-22939
10- Is User Account Control Enabled on the Machine?
For machines using Windows operating systems that employ the use of User Account Control (this includes Windows Vista or later and Windows Server 2008 or later), you must either:
Join the machines to a domain and then perform the scan using domain administrator credentials, or
If you are not using the built-in Administrator account on the remote machines (and using that account is NOT recommended), you must disable User Account Control (UAC) remote restrictions on the machines. To do this:
Click Start, click Run, type regedit, and then press Enter.
Locate and then click the following registry subkey:
Detected patch continues to show as missing after successfully deploying.
Patch that shows missing ends with 'U' every other deployment.
Cause
Certain patches exist as an installer and an uninstaller; these patches can cause a loop when scanning and deploying. When the installation patch is deployed, the uninstallation patch is then considered missing. These patches are designed by their vendor in this manner to facilitate adding or removing the patch according to environmental needs. If you scan for and deploy these types of patches, it may appear that the patch is continually missing, as each deployment alternately adds and removes it. The uninstallation patch will end with 'U'. These patches tend to belong to the 'Security Tools' patch type.
Example: Missing the Installation Patch
Example: After Installed, Now Missing Uninstall Patch
Resolution
Exclude the specific patch using a patch group, or choose not to deploy the patch's installer/uninstaller after scanning.
Looks like old machines are filling up our database and taking up valid machine licenses. I see these machines in the agent manager so suspect that they are causing this false error. How can I completely remove the old machines from the database so that my system reports license usage correctly?
I have two Shavlik servers with one running 8.0.0 on SQL Express and one 8.0.2 on SQL 2005. We want to upgrade to v9.0.x and consolidate these two servers into a single Windows Server 2008 R2 connected to a SQL 2012 cluster.
Patch scans stall or freeze between step '4. Scan for Patches' and step '5. Wait for Results.'
Scans go from '1 of 1 machine complete. 0 machines not scanned' to '0 of 0 machine complete. 0 machines not scanned'.
Protect's ST.ServiceHost.Managed.Log contains an error such as:
Failed to determine service pack name for product 'xxx'
The required attribute 'Ordinal' was not found
Example of error found in the ST.ServiceHost.Managed.Log:
2013-09-20T16:52:08.7528184Z 0011 W PatchResultXmlSerializer.cs:225|Failed to determine service pack name for product 'Microsoft Report Viewer Redistributable 2008'.
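To pick these indicators out of a large ST.ServiceHost.Managed.Log before opening a case, the following added example (not from the original article) parses the line format shown above, namely ISO-8601 UTC timestamp, thread id, level letter, source file:line, a `|`, then the message, and collects the product names from the 'Failed to determine service pack name' warnings together with the count of 'Ordinal' errors. The sample lines are constructed; only the second one is the line quoted on the page.

```python
import re
from datetime import datetime

# Constructed sample of ST.ServiceHost.Managed.Log lines. The second line is
# the example from the article; the others are made up to exercise the parser.
SAMPLE_LOG = """2013-09-20T16:52:07.1000000Z 0011 I PatchScanner.cs:100|Scan started for 1 machine.
2013-09-20T16:52:08.7528184Z 0011 W PatchResultXmlSerializer.cs:225|Failed to determine service pack name for product 'Microsoft Report Viewer Redistributable 2008'.
2013-09-20T16:52:08.7600000Z 0011 E PatchResultXmlSerializer.cs:240|The required attribute 'Ordinal' was not found
2013-09-20T16:52:09.0000000Z 0011 I PatchScanner.cs:180|Scan finished.
"""

# timestamp  thread  level  source|message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<thread>[0-9A-Fa-f]+)\s+(?P<level>[A-Z])\s+"
    r"(?P<source>[^|]+)\|(?P<message>.*)$"
)
SP_NAME_RE = re.compile(
    r"Failed to determine service pack name for product '(?P<product>[^']+)'"
)
ORDINAL_TEXT = "The required attribute 'Ordinal' was not found"


def parse_timestamp(ts):
    """Parse '2013-09-20T16:52:08.7528184Z'. .NET writes seven fractional
    digits; datetime only accepts six, so the last digit is dropped."""
    ts = ts.rstrip("Z")
    base, _, frac = ts.partition(".")
    if frac:
        return datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")


def parse_log(text):
    """Return one dict per well-formed log line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        rec = match.groupdict()
        rec["timestamp"] = parse_timestamp(rec["ts"])
        records.append(rec)
    return records


def find_stalled_scan_indicators(text):
    """Collect the two error signatures the article associates with a scan
    that stalls between 'Scan for Patches' and 'Wait for Results'."""
    products = []
    ordinal_errors = 0
    for rec in parse_log(text):
        match = SP_NAME_RE.search(rec["message"])
        if match:
            products.append(match.group("product"))
        if ORDINAL_TEXT in rec["message"]:
            ordinal_errors += 1
    return {"products": products, "ordinal_errors": ordinal_errors}


if __name__ == "__main__":
    summary = find_stalled_scan_indicators(SAMPLE_LOG)
    for product in summary["products"]:
        print("product detection failed for:", product)
    print("'Ordinal' errors:", summary["ordinal_errors"])
```

The product names reported are the ones to check for a beta, RC or damaged install on the scanned machine, which is the cause the article identifies; run the script against the full log file by passing its contents to `find_stalled_scan_indicators`.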
Cause
This issue occurs because Protect's product detection finds a version of an application that needs a repair/reinstall or is not supported, such as a beta or RC version of a product. The scan failing because of this is a known defect that should be fixed in a future version of Protect.
Resolution
First, ensure that you have the latest patch definitions by going to Help > About. Outdated patch definitions can cause this issue to occur. Running Help > Refresh Files should update your patch definitions.
If you continue to have the issue, it is best to open a case directly with support. You can open a case at http://support.shavlik.com/
If you can provide the following information at the time you open a case it will help to expedite support's ability to provide a resolution:
Protect Console side Logs as noted in this document:
This document is meant to help understand why a threat may not have been detected by the Shavlik Protect agent and what actions to take in such a scenario as well as best practices for using/configuring threat protection with Shavlik Protect agents.
While this sounds like a straightforward question, the reality is that so many variables come into play when you try to protect a machine against malware that it is almost impossible to give any one reason.
The most likely cause is improper configuration or outdated threat definitions being used. We will go into how to ensure you've configured everything correctly and how to check the threat definitions version later. First, some background.
The Shavlik Protect agent's Threat Protection engine is based on the Vipre SDK engine and uses threat definitions created by GFI's ThreatTrack Security (formerly Sunbelt Software). At this point there are over 13 million detections in the Vipre signature files. There are hundreds of generic detections that can catch some new malcode before the Vipre analysts even see it. The Vipre threat engine can also detect and stop a great deal of virus-like behavior. However, it is worth noting that there may be as many as 50,000 new pieces of malcode arriving somewhere on the Internet EVERY day. The Vipre team sees cases in which new malcode does make it through the threat protection defenses, but it is not a common occurrence.
Is there a place I can check if a certain threat should be detected?
Since the Shavlik Protect agent uses Vipre (ThreatTrack) threat definitions you can search the database, here:
How to verify your threat definitions are up-to-date
There are a few places you may need to check to verify the threat definitions in-use by Shavlik Protect agents in your environment are up-to-date.
1. Ensure that the threat definitions downloaded on the Protect console system are current. (This is especially important if you are using distribution servers.)
-Go to Help > About within Protect. If your definitions are current you should see a green check under 'Data versions' next to Threat definitions.
-If the threat definitions displays a red x you should run Help > Refresh Files to perform the update of definitions.
-When running Help > Refresh Files you will see that the 'Threat Definitions download will complete in the background.'
-Make sure to give it a few minutes to update. Then you should see a green check next to Threat definitions in Help > About.
2. You can use Machine View to see some threat definition information from your agents.
-Go to View > Machines.
-You can use the columns 'Threat Definition', 'Threat Definition Age', and 'Latest Threat Scan Date' to help in determining if your agents are current.
-Keep in mind that these columns only update when the agent reports back results of a threat scan. That's why 'Latest Threat Scan Date' is important.
-It is also worth noting that if the agent uses vendor-over-internet download settings the definition number may be slightly off from the console definition version from Help > About. It's nothing to worry about - just a difference in Major vs Minor versions.
-Some of these columns are not shown by default - you can add them by right-clicking on a column title and clicking 'Column Chooser'.
3. If necessary, you can check the definition version on the agent itself.
-Open the agent by double clicking the taskbar tray icon, or by going to Start > All Programs > Shavlik Protect > Shavlik Protect Agent.
-Go to the Overview tab if you are not brought there by default. Here you can see the threat definition version used during the last threat scan.
-If you have not recently run a threat scan this can be misleading. You can run a threat scan via the Threat tab, if configured.
-To update the threat definitions from the agent GUI or run a threat scan, use the tasks in the upper left when on the Threat tab.
-Note: Depending on the settings in the agent policy you may not be able to access the agent or access certain tabs. To change these settings go to the Protect console, and edit the agent policy. The settings are under General Settings > 'Allow the user to'.
*Note: For offline or disconnected environments refer to this document for instructions on manually updating threat definition files:
Why does the console (Help > About) threat definition version differ from the latest threat definition version on an agent?
There can be a slight variation in the version numbers due to the minor and major version numbering system that the Vipre threat engine uses. The major, or 'PackageVersion', in the examples above is 27274, where the minor, or 'MinVersion', is 27270. Both versions are the current definition versions. These can be found manually by looking at the latest entry in the ThreatManifest.xml on the console system. Before checking this, make sure the console threat definitions are up-to-date (step one above).
The ThreatManifest.xml can be found in the Datafiles folder, most commonly:
Generally the latest will be the last entry, but it's best to base it on highest version number found or newest date. The entry in the xml will look something like this:
Notice the MinVersion and PackageVersion numbers. Note the ReleaseDate value - this will help determine the latest entry in the ThreatManifest.xml.
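As an added example (not from the original article) of reading the manifest the way the text describes, the script below parses a constructed ThreatManifest.xml fragment, picks the latest entry by highest PackageVersion with ReleaseDate as the tie-breaker rather than trusting file order, and then applies the rule from the previous section that an agent reporting either the PackageVersion or the MinVersion number is current. The element and attribute layout of the XML is an assumption (only the three value names PackageVersion, MinVersion and ReleaseDate come from the page); the version numbers 27274 and 27270 are the ones quoted above, the rest are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed ThreatManifest.xml fragment. The real file's element names are
# not reproduced on the page, so <Package> and the attribute layout are
# assumptions; the entries are deliberately out of order to show that the
# latest entry is not necessarily the last one.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<ThreatManifest>
  <Package PackageVersion="27262" MinVersion="27258" ReleaseDate="2014-03-10T08:00:00Z" />
  <Package PackageVersion="27274" MinVersion="27270" ReleaseDate="2014-03-12T08:00:00Z" />
  <Package PackageVersion="27268" MinVersion="27264" ReleaseDate="2014-03-11T08:00:00Z" />
</ThreatManifest>
"""

# Constructed rows as they might be copied from Machine View:
# (machine name, value of the 'Threat Definition' column).
SAMPLE_AGENT_ROWS = [
    ("WS-01", 27274),   # reports the major (PackageVersion) number
    ("WS-02", 27270),   # reports the minor (MinVersion) number
    ("WS-03", 27262),   # two packages behind
]


def parse_manifest(xml_text):
    """Return one dict per package entry with typed version and date fields."""
    root = ET.fromstring(xml_text)
    entries = []
    for el in root.iter("Package"):
        entries.append({
            "package_version": int(el.get("PackageVersion")),
            "min_version": int(el.get("MinVersion")),
            "release_date": datetime.strptime(el.get("ReleaseDate"), "%Y-%m-%dT%H:%M:%SZ"),
        })
    return entries


def latest_entry(entries):
    """Highest PackageVersion wins; ReleaseDate breaks ties. File order is ignored."""
    if not entries:
        raise ValueError("manifest contains no package entries")
    return max(entries, key=lambda e: (e["package_version"], e["release_date"]))


def agent_definitions_current(agent_version, entry):
    """An agent reporting either the major or the minor number of the latest
    entry is current; the difference between the two is only the version scheme."""
    return agent_version in (entry["package_version"], entry["min_version"])


def stale_agents(agent_rows, entry):
    """Names of machines whose reported definition version is not current."""
    return [name for name, version in agent_rows
            if not agent_definitions_current(version, entry)]


if __name__ == "__main__":
    latest = latest_entry(parse_manifest(SAMPLE_MANIFEST))
    print("console package:", latest["package_version"], "min:", latest["min_version"],
          "released:", latest["release_date"].date())
    print("stale agents:", stale_agents(SAMPLE_AGENT_ROWS, latest))
```

To use it on a real console, read the ThreatManifest.xml from the Datafiles folder into `parse_manifest` and adjust the element and attribute names to match the actual file.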
Ensuring the Agent Policy, Distribution Server(s), and other settings are configured correctly
Here are the best practices for ensuring the threat protection is configured correctly. You may need to verify agent policy settings in each agent policy you are using.
1. Open the agent policy.
2. Go to the General Settings tab.
-Check on how your agent policy is set for the agent to obtain its definitions under 'Engines, data, and patch download location'.
-If this is set to vendor over internet the agent will attempt to obtain definitions directly from the vendor site, so you may need to ensure that the internet connection is working properly and that the vendor site(s) are not blocked.
-Additionally, if the agent policy is set to use vendor over internet and you use a proxy in your environment, it is important that you verify your proxy settings and provide any required proxy credentials to authenticate. This can be done under the 'Network' section of the General Settings tab.
3. Go to the Threat Tab
-In the tabs above go to 'Threat Tasks'
-Ensure that you have at least one threat task set up. There are options of quick or full scan.
-Note: Quick scan covers common locations and runs within a few minutes. Full scan will scan all files on the system and may take up to an hour.
4. Once you have your Threat Task(s) set up, go to the Active Protection tab.
-Ensure that 'Enable Active Protect' is checked.
-Set the file access level that you would like active protection to use. Using the 'limit to high risk file types' or 'on execute' settings will increase performance but not all things will be checked by active protection.
5. Check your settings on all other Threat tabs - Threat Actions, Allowed Threats, Exceptions to ensure they are set correctly.
6. Save the changes to your policy.
Ensuring Distribution Servers are configured correctly and synchronizing
This section only applies if your agent policy is currently set to use a distribution server under 'Engine, data, and patch download location'.
1. Verify the distribution server settings in-use by your agent policy or policies. If you have multiple distribution servers in-use you may need to perform the following steps for each distribution server. If your agent systems have internet connectivity available it's recommended to allow the 'Use vendor as backup source' setting.
2. Go to Tools > Operations > Distribution Servers to verify the setup and sync of your distribution server(s).
3. Make sure to verify that the paths to each distribution server are still valid, and verify that there are valid credentials set on each distribution server.
4. Make sure that automatic synchronization is set up for each distribution server.
-You can add a scheduled sync by highlighting the distribution server, choose 'Threat engines/definitions' from the drop-down above, then click on the '+ Add scheduled sync' button.
-You will see the scheduled sync added to the list of 'Scheduled automatic synchronization' below.
5. Manually run the synchronization to make sure it completes successfully.
-To do this, highlight the scheduled sync for threat data, then click 'Run now' above it.
6. If you want to manually verify the files are synchronizing properly you can compare the files in your share to what exists on your Protect console.
-The ThreatData directory of the console is: C:\ProgramData\LANDesk\Shavlik Protect\Console\ThreatData
-If the sync has worked correctly you should have a ThreatData folder on your distribution server share with the same files in it as the above directory.
Setting up automatic recurring download of threat definitions
Follow these steps if you would like to set up the automatic download of threat definitions. This will help to ensure your definitions are always at the latest.
1. Go to Tools > Operations > Downloads.
2. Under the 'Schedule automatic downloads' section choose 'Threat engines/definitions' from the drop-down, then click '+Add'.
3. You'll be brought to the Schedule Download screen where you can set up a recurring schedule to automatically download new definitions.
4. Once you have this set up how you like, click 'Save.'
5. You should now see a task for 'Download threat data' showing the next run time and recurrence. You can also highlight this and click 'Run now'.
Other Considerations
1. Use of Protect Cloud Agents
-If you are using the Protect Cloud agent functionality you may need to ensure that your Protect cloud account is set up correctly.
-Go to Tools > Operations > Protect Cloud Sync for these settings.
-Make sure the Protect Cloud account credentials are correct; you may also need to run a 'Force full update now'.
-You may also need to go into your agent policy or policies and ensure the policy is set to sync with Protect Cloud if using this feature.
-This setting is a checkbox found in agent policy > General Settings > Network > Sync with the Protect Cloud.
For more information about Protect Cloud Sync see the following Protect Help articles:
What do I do if I have verified everything appears to be working properly and threat definitions are current, but a threat is still not detected by the Shavlik Protect Agent?
Here is what to do:
1. Obtain as much of the following information as possible to provide to support:
-Threat definition version currently used. (See above on how to find this)
-Any applicable screenshots, a link to threat download if from a website, or a zipped copy of files that are suspected to be infected.
-Logs from the agent. Make sure logging is set to 'All' in your agent policy. Follow steps for agent logging in DOC-22921.
Hello Shavlik. Quick question, users with Shavlik Cloud agents get a Safe Reboot message that says, "When you log off, your system will restart per your IT Department's action to finalize patch installation." My question: when the user is finished working, should she LOG OFF or RESTART or does it matter? Thanks.
I am currently performing a scan on my entire network. In my network I have between 12-150 machines but the scans in Shavlik for some reason try to scan 645 machines, most of which are no longer on the network and haven't been for months or some for years.
The machines I want to remove are not in any machine groups so I can't remove them that way. Even the ones that I have removed from machine groups still show up in scans.
The machines that I want to remove show up in Entire Network scans and in Domain scans. All the machines in my network are agentless. The machines that are no longer in my network are not in DNS, DHCP or AD so I do not know where they are coming from.
Most of the machines I want to remove are coming back with Error 201: Network connection error (364 machines). I also get a lot of machines that return Error 235: system not found (93 machines). If possible I would like to remove these machines. Even if I have to remove ALL of the machines from Shavlik I can create the machine groups again; as long as the old machines that are no longer on the network disappear I won't mind.