Purpose

This document is intended to show how to view and understand detection criteria for supported patches within Shavlik Protect.

Description

Viewing the reason that a patch is found missing within a Scan Result

If you want to see the specific detection criteria that Protect used to determine a patch was found missing, you can do so following these steps.

There are two methods of getting to point where you can view the scan result.

1) Within Operations Monitor, when a scan is complete - click on '6.View complete results' to open the scan result.

OR

2) Click the main drop-down menu for Protect (in the upper left corner), then choose 'Results'.

Click on the specific scan result you wish to view.

Either option will bring you to a the scan result screen, such as seen below.

To view the reason a patch was found missing:

1) Open the scan result with the steps above.

2) In the 'Patches' section of the scan result, click and highlight the patch you wish to view.

3) Ensure the 'Patch Information' tab is selected in the bottom section of the scan result.

4) There is a section that will display the reason Protect found the patch as missing.

Generally you will see one of the two following types of reasons:

• "File version is less than expected: PathToFile\file.dll 1.0 < 2.0" indicating the file is found but not at the required version for the patch to be considered installed.
• "File not found PathToFile\file.dll 2.0" indicating Protect detected the product to which the patch applies existing on the system, but a file that needs to be updated was not found on the system.
• "The registry key 'xxx' does not exist. It is required for this patch to be considered installed." indicating Protect found the product to which the patch applies existing on the system, but the registry key indicating this patch is installed does not currently exist on the system as expected.
• "The registry key 'xxx' should have a value of '1.1' It has a value of '1.0'." indicating Protect found the expeccted registry key, but the value of the registry key is not at the required value for the patch to be considered installed.
• If no reason is shown for the missing patch - This indicates that Protect is using what we refer to as a "patch script" to determine if the patch is missing. When using a patch script Protect is unable to provide the reason within the scan results.
  

Viewing Detection Criteria by Looking Up patches in Patch View

You can also look up individual patches and see the basic detection criteria for a patch using Patch View in Protect.

1) Go to View > Patches.

2) Search for the patch you want to find. In the example below I just searched "Firefox", then scrolled to FireFox 33.1 and expanded the view. You can also type a bulletin ID or KB number into the search box to be more specific.

3) Click and highlight the patch, and then ensure the bottom section is on the 'Patch Information' tab.

4) Within the Patch Information tab you will see the detection criteria listed at the bottom. This may display one or all of the following:

• Registry Key - The registry key required to determine the patch is installed
  • Registry Value - The corresponding value of the registry required for the patch to be considered installed. (Not always needed)
• File Name - The name of a file required for the patch to be considered installed.
  • Version - The corresponding version number of the file for the patch to be considered installed.
  • File Location - The path where Protect is attempting to find the file. Generally listed using a variable path.

Additional Information

It is worth noting that Protect's detection logic is not the same as other patch scanners or even Windows Update. You should not expect the exact same results.

Refer to these documents for more information:

Explanation of how patch scanning detection works with Shavlik Protect

Why Shavlik Protect Patch Scan results differ from Windows Update

Affected Product(s)

Shavlik Protect, All Versions

Purpose

An explanation of why Shavlik Protect patch scan results may show different patches needed than when running a Windows Update.

Solution

Shavlik Protect uses different detection logic to scan for patches than Windows Update and other patch vendors.A Windows Update scan has the ability to show missing Security Patches, Non-Security Patches, Security Tools, driver updates, and sometimes patches that aren't publicly downloadable.

Depending on what Scan Template you are using in Protect, the results will vary. The built-in security patch scan will only show missing security patches. The built-in WU scan will show missing security patches and non-security patches. And please note - we don't always include all non-security patches in our XML data right away either, as security patches take precedence.

You can always create a Custom Scan Template, and check security patches, non-security patches, and security tools for the most robust scan with Protect.

Shavlik uses a variety of methods to see if a target machine needs a patch.  The process is detailed in the document "Explanation of how patch scanning detection works with Shavlik Protect" which can be found here:http://community.shavlik.com/docs/DOC-2259.

Administrators can view files and registry entry criteria by searching for the patch in View > Patchesof the Shavlik Protect Console main menu.

See this online help file for more information on using Patch View:

http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/Viewing_Patch_Details_(Patch_View).htm

There is also a difference in how Protect displays criticality and vendor severity. See this document for further information concerning this:
Understanding patch severity in a Shavlik Protect patch scan and why it may differ from Windows Update

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document shows how to obtain the download links for any prerequisite software so you can download and install it manually in case you don't want Protect to automatically install or in case your system does not have access to the internet.

Description

During the installation process of Protect you will reach the 'Shavlik Protect Setup' screen. If you need to manually download any of the listed prerequisite software, just click on "View release notes", and a text file titled 'InstallReadMe.txt' will pop up.

Within the InstallReadMe.txt scroll down to the section titled "MANUAL INSTALLATION OF PREREQUISITES". The download URLs are listed in this section.

Additional Information

It's worth noting that the prerequisite software often changes with newer versions of Protect. The InstallReadMe from an older version may no longer have the valid prerequisite software listed for the latest version of Protect.

Affected Product(s)

Shavlik Protect, All Versions

Purpose

This document shows how to bypass the prerequisite download or "Shavlik Protect Setup" screen during the installation of Shavlik Protect.

Description

If necessary you can bypass the prerequisite download or "Shavlik Protect Setup" screen by simultaneously pressing CTRL + S on the keyboard.

Notes:

Generally this may only be useful if something in the list that is not mandatory has failed to download or install. Note that if you skip this screen and fail to manually install the prerequisite software the Protect installation will get to a point where it cannot continue.

Additional Information

Manually Downloading and Installing the Prerequisite Software for Shavlik Protect

Affected Product(s)

Shavlik Protect, All Versions

I was patching 20 servers this friday that all was missing about 120+ patches.

Most of the servers installed the patches fast, but 10 hours later, 2 servers where not half way done.

The server where not under a heavy load. I stopped the updates and did the rest of the updates with normal Windows Update. After about an hour they where done installing.

This was 2008 R2 2,4 Ghz 16 GB ram.

Anyone got tips for what I can look for that might cause the Shavlik patch to act slower then normal Microsoft patching?

Symptoms

You do not see the re-release of MS14-066 (KB3018238) shown as missing on systems with the following operating systems:

Windows Server 2003

Windows Vista

Windows Server 2008

Windows 7

Windows 8

Windows 8.1

Windows Server 2012 R2

Cause

The re-release patch (KB3018238) does not apply to the above listed operating systems.

Resolution

The re-release patch (KB3018238) only applies to Windows Server 2008 R2 and Windows Server 2012.

According to the revision listed in: Microsoft Security Bulletin MS14-066 - Critical

"V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information."

Affected Product(s)

Shavlik Protect 9.x

I want to know if Shavlik will continueto distributesecurity patchesfor Windows 2003(server)in 2015, followingthe endof the official distribution by Microsoft?

Hello Forum,

I have a PC that will not apply updates. It is a newly deployed PC and I discovered the problem when I deployed updates during the last patch cycle. Shavlik's tracker stated all patches were successfully deployed. However on a subsequent scans the same patches show as missing. Re-deployed, same results. Ran Windows update and received the error message code(s) 8024200D and 80070308. Researched the net on these codes and I have tried numerous possible fixes, including the fixes (FIXIT and manual) outlined in MS KB971058. None of them have worked. Additionally, I am not able to install any other programs. I have spent almost 8 hours on this problem. My next step is format and re-load. Has anyone else experienced this problem? Any suggestions are greatly appreciated!

I work for a bank and we are having issues with one of our branches.  Workstations will scan and show missing patches, however, when we push them out not all machines will get them.  We are using Shavlik Protect 9.  We are an all Windows 7 shop as well.  Patches seem to push out well to our other 3 offsite locations, but this one particular location seems to give us trouble.

Purpose

This document explains how to locate the name of the patch install file for a particular patch in the Shavlik Protect Database. This is useful in troubleshooting when you are trying to determine if the patch was downloaded to the patches directory as part of a patch deployment. It is also useful to know the patch name when you are trying to run the patch manually from the target machine.

Procedure

Add the Vendor File Name to list  in the Patch View and/or Scanning Results using the Column Chooser. 

You can view the filename when right click on the pach and select download

Affected Product(s)

Protect 9.X

In machine view, the patches pane does not remember changes to column order or which columns are displayed when the GUI is restarted.

In results view, the patches pane jump-scrolls right if you click on any column other than the first one.

I think both of these were previously reported and fixed and have now returned.

Symptoms

To diagnose this issue, there are many symptoms that may need to be considered:

• Agent is failing to register and stops at 50%.
• RegistrationLog.txt will show:
  Registering agent with host 'https://Host:3121/ST/Console/AgentRegistration/Registration'.
  Unable to register agent with host 'https://Host:3121/ST/Console/AgentRegistration/Registration'.
  All attempts at registration failed. Cannot register agent.
• STAgentManagement.log may show:
  Attempting to register with 'https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration'.
  2014-10-23T20:52:32.2820836Z 0408 E RegistrationServiceClient.cpp:411 Unable to register agent with host 'https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration'. Error: 'class STServiceModel::Wws::CWebServiceException at RegistrationServiceClient.cpp:401: Unable to register the agent with the provided registration key.
  Error detail:
  There was an error communicating with the endpoint at 'https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration'.
  The connection with the server was terminated abnormally
• Results from running the Agent Diagnostic may show the following:
  • Unable to register agent with host 'https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration'. Error: 'class STServiceModel::Wws::CWebServiceException at RegistrationServiceClient.cpp:401: Unable to register the agent with the provided registration key.

  • Agent To Console CommunicationTest test
    FAILED - No consoleUri in environment. Unable to complete test.

Cause

There are many reasons the registration could fail, but generally the above symptoms indicate some sort of communication issue with the agent being able to reach the Protect console for registration.

Resolution

Start by first checking that some simple connection tests work from the agent system to the console system:

• Ensure you can ping the console system.
  • If you can't ping the console system, either you have no connection from the agent to the console system, or (rarely) you may have ICMP disabled.
• Ensure you are able to successfully resolve the console system by nslookup.
  • Make sure the results of both forward and reverse nslookup match. Ensure there is no problem with machine name resolution.
• Can you telnet to the console system over port 3121 successfully?
  • Port 3121 is used for agent communication back to the console. This is a port requirement and is not configurable.

If the above tests are all successful, continue to the next steps in troubleshooting:

• Ensure that the name, FQDN, or IP the agent is attempting to resolve exists in the Console Alias Editor within the Protect console.
• In many of the log snippets above you can see that the agent attempts to register with https://Host.fqdn:3121/ST/Console/AgentRegistration/Registration
  • Test putting the URL from your log into an Internet Explorer window to see if you can successfully navigate to it. (On the agent system)
    • If the test is successful you would see a screen displayed stating something along the lines of, "A service was created".
      • If this test works the agent should by all means be able to successfully register successfully.
      • Follow the steps in this document: Agent - Complete Uninstall then attempt installation again.
      • Contact support if it still fails.
    • If the test fails with an "Internet Explorer cannot display the webpage" message, continue to the next step.

• Run a test on the agent system to see what security protocols are enabled.
  • Qualys SSL Labs - Projects / SSL Client Test is a good site to test with.
  • You may not have a security protocol enabled or something is incorrect in the configuration.
  • If no protocols are enabled, a secure web connection cannot truly be established, thus causing the agent registration to fail.
    • The Microsoft article TLS/SSL Tools and Settings: Logon and Authentication covers how to ensure protocols are enabled or disabled.
    • Generally you may need to investigate settings in the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
      
      

Additional Information

If the agent is failing to install at a different percentage mark or when manually installing, you may want to consider reviewing the following documents:

Agent Failing at 67% (Registration Failure)

Manual installation of agent fails on registration.

Affected Product(s)

Shavlik Protect 9.x

Purpose

Guide to create a custom scan template to scan only for Windows Operating Systems.

Steps

1. Create a "Patch Scan Template" by selecting New and Patch Scan Template.

2. Use the "Product filter" to "Scan selected" and select OS.

3. Depending on what type of patches you would like to scan for you will select the corresponding options for Security, Non-Security and Security tool updates.

4. Save template.

5. Once saved you can start a scan and use the custom template you just created for OS scanning only.

Additional Information

It is always recommended to review the scan results to ensure that the patches shown as missing is what you expect to see as missing.

Affected Products

Shavlik Protect 9.x

Purpose

This document outlines how to gather logs for troubleshooting issues with the Console, Agent, or Target systems.

Description

Here are some basic instructions on how to gather console, client (target) side logs, agent logs, and install logs for Protect.  These should work for most console and agent type issues.

Protect 9.X console logging:

1. Please open the Protect GUI and then go to Tools > Options > Logging and change logging to “All” for both user interface and services.

a. If you are unable to set logging via the GUI see this doc: http://community.shavlik.com/docs/DOC-22938

2. Close the Protect GUI.

3. Stop the following services

     a.Shavlik Protect Console Service

      b. ST Remote Scheduler Service

4. Delete all the logs from

     a.  Windows 7, 8, 2008, 2012 & Vista: C:\ProgramData\LANDesk\Shavlik Protect\Logs

     b.  Earlier OS’s:  C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Logs

5.  Start the console service and open the Protect GUI.

6. Attempt to reproduce the issue. Please document steps to reproduce.

a. Collect the logs from the Logs folder mentioned earlier in step 4 (please zip if possible)

b. [Deployment issues only] On the target system please zip and send a copy of the entire C:\Windows\Propatches folder and its contents (you can leave out the Patches sub-folder).

7. Zip and send all the logs.

You can also obtain the "ST.FileVersions.log" which contains all file versions relevant to Protect by going to Help > About Shavlik Protect > Export Info.

Protect 9.x agent logging:

1. Open the agent policy assigned to the machine we are gathering logs from.

2. Change the logging level to ‘All’ and Save and update Agents.  Choose to update agents if prompted.

3. Go to the target machine, close the agent GUI and stop the services:

     o The services start with Shavlik or ST.

4. Delete all the logs from:

     o Vista & Later: C:\ProgramData\LANDesk\Shavlik Protect\Logs

     o Earlier OS’s:  C:\Documents and Settings\All Users\Application Data\ LANDesk\Shavlik Protect\Logs

5. Start services.

6. Attempt to reproduce the issue. Please note the steps to reproduce.

7. Take applicable screenshots.

8. Zip and send all the logs and screenshots. (from the previous specified folders above)

Deployment Logs (All current supported versions)

(For agentless deployment)

It is best to enable target side verbose logging before obtaining these logs. See the following document on how to do so:
http://community.shavlik.com/docs/DOC-23048

1. On the machine you are deploying to navigate to C:\Windows\ProPatches
2. Locate the CL5.log, dplyevts.log, and Safereboot.log and copy to a new folder on the desktop.
3. Navigate to C:\Windows\ProPatches\Scheduler.
4. Locate the Scheduler.log and add it to the folder created in step 2 so all logs are together.
5. Zip and send all the logs.

Additional Logging for Threat Protection/Antivirus Issues:

There is additional logging that can be obtained for Threat Protection/Antivirus related issues, such as detection of false positives. See the following document for the steps to obtain this addtional logging:

http://community.shavlik.com/docs/DOC-23066

Installation Logs

Refer to; Obtaining Protect console and Agent installation logs

Product(s)

Shavlik Protect 9.x

Purpose

This article provides steps to perform a manual uninstall and re-install of the Shavlik (ST) Remote Scheduler service on a single machine.

Description

1. On the target machine:
   1. Open a command prompt as an administrator.
   2. Run this command:

           c. CD C:\Windows\ProPatches\scheduler

           d. Run this command:  stschedex.exe /remove

   2.  Open Windows Explorer and delete the C:\Windows\ProPatches folder and its contents.

   3.  Open Windows Registry Editor and verify that the following registry keys have been deleted:

• 9.x key for 32bit: HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\Shavlik Protect\Scheduler
• 9.x key for 64bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LANDesk\Shavlik Protect\Scheduler

Further steps to ensure successful re-installation of the scheduler service:

1. On the Protect console:
   • In Shavlik Protect 9.x:
     • Go to Manage> Credentials.
     • Add credentials that you want to use as default or edit existing credentials to ensure that the password is up-to-date.
     • Ensure to set the proper credentials as the default credentials.
     • Go to Tools > Options > Scheduling and ensure the Shavlik Scheduler is selected.

Alternatively, to uninstall the Scheduler from a target machine on the Protect console:

1. Click Manage> Scheduled Tasks.
2. Right-click the target machine name in the list on the left, and click Scheduler Service> Uninstall.

Installation of the scheduler service:

During next deployment to the target system, the scheduler is automatically reinstalled. If you prefer to force the install of the scheduler service prior to the next deployment you can do so in the Protect console by going to Manage > Scheduled Tasks, then right click on a target system name in the list on the left and choose Scheduler Service > Install.

If this issue exists on multiple systems:

If you are experiencing this problem on multiple systems and would like a way to resolve the issue for all machines affected, please refer to this document on how to set up a custom action to delete the scheduler service from target systems:

http://community.shavlik.com/docs/DOC-23009

Product(s)

Shavlik Protect 9.x

Purpose

The purpose of this document is to outline how to obtain Shavlik XML definitions using a custom share or URL.

Symptoms

This practice is useful in the event the Console is installed on a server without internet access, however can access a machine that can obtain data definitions via UNC path or URL.

Resolution

To alter where the Protect Console attempts to get XML data definitions navigate to Tools > Operations.

Within the 'Downloads' tab alter the 'Definition download source' to use a Custom share or URL as seen below.

Product(s)

Shavlik Protect 9.x

Purpose

The purpose of this document is to provide information on why threat definitions may appear out of date following the completion of a scheduled automatic download operation within the Console.

Symptoms

Within Tools > Operations within the Console you have a scheduled automatic download of threat data as seen below:

However when navigating to Help > About within the Console, the 'Threat definitions' show as being out of date as seen below:

Cause

This is occurring due to the fact that there is a major version of the threat definitions and minor version of the threat definitions. The check that is done when accessing Help > About is looking for the major version which can only be downloaded by running 'Refresh Files' by navigating to Help > Refresh Files within the Console. The scheduled automatic download or agent download that occurs is only performing a minor version update. Within both scenarios the threat definitions would be considered at a viable 'up-to-date' version as long as automatic downloads are working. You can check the Event History from within the Console by navigating to View > Event History to ensure the automatic downloads are occurring alternately, you can check to see if there are new files within the C:\ProgramData\LANDesk\Shavlik Protect\Console\ThreatData directory on the console system each day.

Additional Information

Best Practices and FAQ on using Threat protection with Shavlik Protect agents

Product(s)

Shavlik Protect 9.x

Looking at installed patches, Apple QuickTime 7.7.6 for Windows, AQ14-002/QAQ7760 says 10/27/2011 in the EOL column.  Given that the patch in question is about 6 weeks old, the EOL date doesn't make sense.

Visual C++ 2008 Redistributable is also flagged as EOL under the Informational heading.  Mainstream support has ended, but extended support lasts til April 2018.  Should this be flagged as EOL?

Hello Forum,

I have a PC that will not apply updates. It is a newly deployed PC and I discovered the problem when I deployed updates during the last patch cycle. Shavlik's tracker stated all patches were successfully deployed. However on a subsequent scans the same patches show as missing. Re-deployed, same results. Ran Windows update and received the error message code(s) 8024200D and 80070308. Researched the net on these codes and I have tried numerous possible fixes, including the fixes (FIXIT and manual) outlined in MS KB971058. None of them have worked. Additionally, I am not able to install any other programs. I have spent almost 8 hours on this problem. My next step is format and re-load. Has anyone else experienced this problem? Any suggestions are greatly appreciated!

Hypervisor scanning and deployment

Scanning and deployment operations are performed by the hypervisor. In order to scan for installed and missing Bulletins, the hypervisor needs the latest patching metadata files. The metadata files are available from VMware inside an archive 9ZIP0 file. There is a different metadata package for each supported version of ESX and ESXi. Protect supplies the target hypervisor with the URL to the proper metadata file, but in this release, the hypervisor must download the file from the internet.

Hypervisor deployment

When the user selects the Bulletins to install, Protect will analyze the request and determine the proper bundles to be install by using the same metadata that was used by the hypervisor during the scan.

Protect gets the URLs for the bundles and passes them to the hypervisor. The hypervisor will download the bundles from VMware and perform the installation. The scan and installation processes are initiated by the Protect Console Service. Once initiated, the Scan or Deployment operation will continue even if the Protect GUI is shut down.

Deploying patches to the Virtual Environment

1. The console instructs the hypervisor to download the pertinent bulletins and perform an installation.
2. The hypervisor downloads the pertinent bulletins from VMware servers.
3. The hypervisor performs an installation using the downloaded bulletins.
4. The hypervisor perfroms an assessment using the previously downloaded metadata
5. The hypervisor sends the assessment results to the console.

Operation details

Details of the deployment operation can be found in the following locations:

• Operation Monitor
• Event History log
• vCenter Event and Alert logs
• ST.ServiceHost.managed.log

ESX/ESXi Hypervisor deployment requirements

• The ESX or ESXi Hypervisor must be at one of the following versions :

            ESX - 4.0 or later

            ESXi - 4.1 or later

• The Shavlik Protect console must be internet connected.
• The ESX or ESXi Hypervisor must be internet connected.
• Port 443 must be open on the hypervisor.
• The latest version of VMware Tools must be installed and running on all virtual machines managed by the hypervisor.
• You must have previously performed a successful scan of the ESX or ESXi hypervisor.