How to update the Certifcate Revocation List (CRL) on a disconnected Protect console server

August 15, 2014, 8:40 am

≪ Previous: Download scriptcatalog.zip failed

Symptoms

An out of date Certificate Revocation List (CRL) on the Protect console server can cause many issues, among these issues are:

Content data fails to download automatically or through a Help - Refresh Files. The Scriptcatalog.zip is the most common data file affected by this.
Patches fail to download with a digital signature error.
Miscellaneous other issues as noted with certificate errors in the logs.

Cause

The Certificate Revocation List (CRL) is out of date.

Resolution

1) Update the Root Certificate on the Protect console server by performing a scan against it using a Security Tools enabled Scan Template. The missing patch will be MSRC-001 or MSRC-002. Deploy the patch with reboot.

2) Manually update the Certificate Revocation List (CRL) by following these instructions:

Navigate to the Protect installation folder

Right click on ST.Protect.exe

Select Digital Signature

Select the Signature in the Signature list

Click Details

Click View Certificate

Select Details

Select CRL Distribution Points from the list

Use the URL= value to download the first CRL. (http://csc3-2010-crl.verisign.com/CSC3-2010.crl)

Click Certification Path

Select the certificate above Shavlik Technologies (VeriSign Class 3 Code Signing 2010 CA)

Click View Certificate

Select Details

Select CRL Distribution Points from the list

Use the URL= value to download the first CRL. (http://crl.verisign.com/pca3-g5.crl)

From the information collected above, you would download and install the following CRL files:

http://csc3-2010-crl.verisign.com/CSC3-2010.crl

http://crl.verisign.com/pca3-g5.crl

Copy these files to the console machine

Right Click on the file --> Install CRL

Click Next

Select Automatically select the certificate store based on the type of certificate

Click Next

Click Finish

You should see The import was Successful

Affected Products

Shavlik Protect 9.0.1182.0

Shavlik Protect 9.1.4334.0

↧

Uninstall MS update 2982791

August 18, 2014, 5:54 am

≫ Next: Transparent manual agent installs

≪ Previous: How to update the Certifcate Revocation List (CRL) on a disconnected Protect console server

Microsoft recommends uninstalling this update. Is there any way to do this through Shavlik?

↧

Transparent manual agent installs

August 18, 2014, 7:28 am

≫ Next: Console service crashes when starting Protect 9.0 on Win7

≪ Previous: Uninstall MS update 2982791

Apologies if this has been asked before, I did search but didn't come up with an answer. We're using Shavlik Protect 9 in our environment for patching and I am just taking over the project. I identified a number of computers that are missing the agent and while most of the installs went off without a hitch, a substantial percentage of them failed.

What I would like to do is use GPO to deploy and run the installer silently at login, and then rather than registering the agent manually , I was wondering if I would be able to do that by "waking up" the agent from the server end using Agents > Install/Reinstall with Policy > xxxx? Barring that is there any other way to do this without interrupting the affected users that I am overlooking?

An example of the failure messages (all on pingable machines):

_The deployment has failed

_Run Remote Task failed to create the remote command service. Error code - 0x[431]

Thanks,

Matt.

↧

Console service crashes when starting Protect 9.0 on Win7

August 18, 2014, 4:36 pm

≫ Next: Should I convert machines already in inventory to virtual machines?

≪ Previous: Transparent manual agent installs

When starting Protect, I am notified that I have renamed the computer (I haven't but I did migrate the database from another machine). After clicking OK, Protect loads but the I get a message that the console service is not running. Checking Services reveals that it has crashed and it cannot be restarted until Protect is closed.

↧

Should I convert machines already in inventory to virtual machines?

August 20, 2014, 9:35 am

≫ Next: Overlooked Patches....

≪ Previous: Console service crashes when starting Protect 9.0 on Win7

Currently I have about 23 virtual servers that are protected with Shavlik. They have agents installed on them as we also use the threat protection. When we originally added them to the inventory, we added them as if they were physical machines. I recently learned that with virtual machines, you can add them differently and use or create virtual machine templates and groups and all seems to be working fine. My question is, are there any advantages to re-adding them as virtual machines, and if there are, do I have to remove the machines from inventory and re-add them as a VM?

↧

Overlooked Patches....

July 11, 2014, 12:18 am

≫ Next: Agent Registration for reimage/reloaded systems?

≪ Previous: Should I convert machines already in inventory to virtual machines?

Hi there,

I am using Shavlik Protect Standard 9.1.0 Build: 4334 on a W7, 64-bit with MS-Office 2010 installed.

I scan 'My Machine' and it lists 11 patches as missing (see Pic1 - below).

A reboot is scheduled and completes (normal countdown timer, etc).

Once the machine reboots I do a further scan of my machine but find it has no installed any of the 11 patches (see Pic2 - below).

Running Windows Update I am told that 'Windows is up to date'.

Any assistance would be appreciated.

Thanks,

Kim.

Pic1:

Pic2:

↧

Agent Registration for reimage/reloaded systems?

July 15, 2014, 5:26 am

≫ Next: Anyone using Cloud Agents?

≪ Previous: Overlooked Patches....

How does Shavlik handle agent registrations for systems that have been wiped and reloaded for one reason or another?

For example, PC01 was active in the domain and had active agent on it. Issue occurred and PC01 was reloaded with fresh install of the OS and joined to domain as PC01 again. The Shavlik install script appeared to work normally, but the agent window showed "No Policy" and agent check-ins were failing.

The registration log appeared normal as well. There were no errors or warnings that a machine named PC01 was already registered with the console.

It wasn't until we deleted PC01 from the machines view and reran registration from the client that everything started working again.

↧

Anyone using Cloud Agents?

August 21, 2014, 11:34 am

≫ Next: Error in updating Shavlik definitions offline

≪ Previous: Agent Registration for reimage/reloaded systems?

We have the majority of our laptops users moved over to an agent template that is using the Shavlik Cloud sync.

I've noticed that when viewing the machines in the Shavlik console, several of them show "check-in" times much older than the "latest scan" time. If the agent initiated a scan, wouldn't it have to "check-in" with either the cloud account or the console to update that information?

Brian

↧

Error in updating Shavlik definitions offline

August 21, 2014, 9:33 pm

≫ Next: Protect 9.1 Patch 1 download location and release notes

≪ Previous: Anyone using Cloud Agents?

HI,

I have two systems with Shavlik Protect console, one is connected to internet and other is not (air-gap).

I copy latest Shavlik Protect definitions from the internet connected system to air-gap system.

I have recently observed that the air-gap system is throwing the following errors while refreshing definitions through Help-->Refresh files, attached screenshot of the same.

Error: File not downloaded: AssetInstaller.msi

Error reason: File 'C:\ProgramData\LANDesk\Shavlik Protect\Console\DataFiles\AssetInstaller.msi' failed signature check: file:///D:/Shavlik/Definitions/AssetInstaller.msi

Error: File not downloaded: scriptcatalog.zip

Error reason: File 'C:\ProgramData\LANDesk\Shavlik Protect\Console\DataFiles\scriptcatalog.zip' failed signature check: file:///D:/Shavlik/Definitions/scriptcatalog.zip

Error: File not downloaded: PatchInstaller.msi

Error reason: File 'C:\ProgramData\LANDesk\Shavlik Protect\Console\DataFiles\PatchInstaller.msi' failed signature check: file:///D:/Shavlik/Definitions/PatchInstaller.msi

Error: File not downloaded: ThreatInstaller.msi

Error reason: File 'C:\ProgramData\LANDesk\Shavlik Protect\Console\DataFiles\ThreatInstaller.msi' failed signature check: file:///D:/Shavlik/Definitions/ThreatInstaller.msi

Anybody has any idea why Protect console is throwing these errors?

Thanks

Srikanth

↧

Protect 9.1 Patch 1 download location and release notes

August 21, 2014, 7:26 am

≫ Next: Hyper v and virus scan

≪ Previous: Error in updating Shavlik definitions offline

Purpose

This article provides a link to the Protect 9.1 Patch 1 download location and release notes.

The Shavlik Download Center provides links to:

Product downloads
Upgrade Guide
Release Notes
System Requirements
Version History Log

Affected Product(s)

Shavlik Protect 9.1

↧

Hyper v and virus scan

August 25, 2014, 10:13 am

≫ Next: How to increase the download timeout in Protect 9.1 Patch 1 and higher.

≪ Previous: Protect 9.1 Patch 1 download location and release notes

I need to know which folders and/or files to exclude in Shavlik virus scans on a Hyper-v VM? When Shavlik does a virus scan, the replica file grows very fast and very big. This would be ok if you just had a VM which replicated locally, but we have Extended Replication going over a WAN link and it is taking a very long time. Do I "Always Allow" or "Never Allow"? Thanks

↧

How to increase the download timeout in Protect 9.1 Patch 1 and higher.

August 25, 2014, 10:15 am

≫ Next: console vs distribution server

≪ Previous: Hyper v and virus scan

Symptoms

You encounter download timeout failures when performing a Help - Refresh Files, Patch Download from vendor, Distribution Server or customer URL location.

You would see this in the GUI:

"Error reason: The request was aborted: The request was canceled.:"

You would see this in the ST.Protect.Managed*.log:

"Download did not complete. No activity took place in 25 seconds. Number of retries available is 0."

Cause

The inactivity timeout of 1 minute has been reached due to a slow connection.

Resolution

Increase the download inactivity by following these instructions.

1. Navigate to the install folder for Protect. The default location is: C:\Program Files\LANDesk\Shavlik Protect

2. Make a backup the STEnvironment.config files. Creating a zip of the file in the same folder is usually the easiest method.

3. Edit the STEnvironment.config file using NotePad.

You will be inserting downloadInactivityTimeout="00:01:00" into the config file. We suggest inserting it after the 'dataFilesDirectory' information and before 'helpRUIFormat' as depicted below:

dataFilesDirectory="C:\ProgramData\LANDESK\Shavlik Protect\Console\DataFiles"downloadInactivityTimeout="00:01:00"helpUriFormat="http://xmldev.shavlik.com/protect/92/{0}/{1}"

4. Increase the inactivity timeout by modifying "00:01:00" (HH:MM:SS format)

5. Save the STEnvironment.config file and restart the Shavlik Protect Console service.

You can test again once these steps are complete. Revert back to your backup STEnvironment.config if you wish to undo these settings.

Affected Products

Shavlik Protect 9.1.4446

↧

console vs distribution server

August 26, 2014, 6:10 am

≫ Next: Rerelease of MS14-045: Method to uninstall 2982791 before installing 2993651

≪ Previous: How to increase the download timeout in Protect 9.1 Patch 1 and higher.

How do I make the Protect Agents pull updates from the Server Console? I assume the agents pull directly from the internet unless I'm misunderstanding?

↧

Rerelease of MS14-045: Method to uninstall 2982791 before installing 2993651

August 27, 2014, 2:28 pm

≫ Next: What do others do with there windows update settings while using Protect?

≪ Previous: console vs distribution server

Purpose

The purpose of this article is provide customers a method to uninstall MS14-045 (2982791) before installing 2993651. Guidance on whether you need to uninstall 2982791 before installing 2993651 can be found in the Update FAQ on the Microsoft website.

Resolution

The Custom Action feature will allow you to uninstall 2982791 on your target machines. A restart is required to fully uninstall the patch therefore we suggest allowing a restart before installing 2993651.

Follow this guide:Custom Action - How to perform a custom action complete tutorial and use the following uninstall batch files. You will need to create 4 separate Custom Action Deployment Templates if you have to uninstall the patch from all supported OSs.

Windows 2003:

Use W2003.zip attached to this document.

Vista and Windows 2008:

Use Vista200864bit.zip or Vista200832bit.zip attached to this document.

Windows 7 - Windows 8 - Windows 8.1 - Windows 2008R2 - Server 2012 - Server 2012R2:

Use the W7W8W12.zip attached to this document.

Additional Information:

Included is a screenshot with a typical Deployment Template configuration:

↧

What do others do with there windows update settings while using Protect?

August 28, 2014, 5:59 am

≫ Next: E-mail service is currently not available after installing Patch 1

≪ Previous: Rerelease of MS14-045: Method to uninstall 2982791 before installing 2993651

I am wondering what others do with there Window 7 windows update settings. Right now we are using WSUS and have a GPO that configures when and how to install the updates. I am thinking of setting the windows update service to manual, and removing the GPO. This looks to set the windows update settings back to default and they want to install updates everyday at 3AM. I also question what others do for the action center because once you set the service to manual it puts a red x on the flag and I know my users will be calling me saying " why do I have a red x now?"

Any help would be appreciated.

Thanks,

Ryan

↧

E-mail service is currently not available after installing Patch 1

August 28, 2014, 11:50 am

≫ Next: Virus Definitions

≪ Previous: What do others do with there windows update settings while using Protect?

I have Shavlik configured to send me emails after a scan and deployment. After installing Patch 1 for Protect 9, it is no longer able to send emails after a scan or deployment. It can send a test email from within operations but not within the scan or deployment. Here's what pops up:

I'm not finding anything useful on Internet or Shavlik Knowledgebase. Anybody run into this?

↧

Virus Definitions

August 28, 2014, 11:55 am

≫ Next: Console crash due to invalid patch download directory

≪ Previous: E-mail service is currently not available after installing Patch 1

Where are the virus definitions stored on the workstation?

↧

Console crash due to invalid patch download directory

September 2, 2014, 11:49 am

≫ Next: the following KBs Still not included in xml

≪ Previous: Virus Definitions

Purpose

The purpose of this document is to resolve an issue where a previously input patch download directory is no longer accessible resulting in a Console crash at start up.

Symptoms

The following error is seen upon accessing the Console.

An error similar to the one below will be seen within the ST.Protect.managed log file:

2014-09-02T18:29:05.5119974Z 0001 E EnsureFolderExists|Failed to create directory: Y:\: System.IO.DirectoryNotFoundException: Could not find a part of the path 'Y:\'.

at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)

at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)

at ST.UI.FileAndFolderUtilities.EnsureFolderExists(String rawPath)

Cause

The cause of this issue is due to the mapped drive or path of the patch download directory no longer being accessible.

Resolution

Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\Shavlik Protect\Console\Options registry key on the Console and change the 'DownloadPath' value data field to an accessible drive or folder. Once this change has been made, please restart the 'Shavlik Protect Console Service' from within the Console machine's Windows services and relaunch the Console.

Additional Information

Once the issue has been resolved, the patch download directory can be changed by navigating to Tools>Operations within the Console.

Affected Product(s)

Shavlik Protect 9.x

↧

the following KBs Still not included in xml

September 2, 2014, 4:01 pm

≫ Next: 9.0.0 - 1182 bug?

≪ Previous: Console crash due to invalid patch download directory

the following windows updates / KBS are not being detected by shavlik protect 9

KB2825635

KB2961149

KB2952664

KB2834140

am I missing something ?

thanks

↧

9.0.0 - 1182 bug?

September 4, 2014, 10:31 am

≫ Next: Action Center "This program will not run" "Windows did not trust this program"

≪ Previous: the following KBs Still not included in xml

I've been meaning to post this to see if anyone else encountered it or if I'm missing something. Under version 9.0.0 - 1182

if you View / Machines It shows the machine groups in the left column and Machines in the top right pane.

Notice in the left column I have a machine group 'Workstations CRC'. It has some computers in the actual Machine group. Now note the upper right hand pane, you do not see the 'Workstations CRC' Machine group. Also note that the upper right hand pane you have "Workstation Patch", but you do not see that in the left pane under machine groups.

I've tried moving the items that just show under (19) into "Workstation CRC" and they will show if I open up the machine group, but under the machine view they will stay under the (19) and "Workstation CRC" never shows up.

ideas?

↧