Purpose

The purpose of this document is to show some useful commands you can use to finish getting an out of the box core server ready to test agentless scanning/deployment with Protect.

Description

Ports/Firewall

You will need to create exceptions in Windows Firewall to meet the Port requirements for Shavlik Protect.

An easy way to test is with the firewall disabled.

To disable Windows firewall:

netsh advfirewall set allprofiles state off

Best practice is to create port exceptions, which you should be able to accomplish with some of the other firewall commands:

Netsh Commands for Windows Firewall with Advanced Security

If you have any other 3rd party or hardware firewalls work with your network team to ensure the port requirements are met.

Services

A few services are required to perform agentless scan and deployment tasks, including:

• Remote Registry
• Windows Update (Cannot be disabled, but can be set to Manual start-up)
• Server
• Workstation

By default the Server and Workstation services should be running, but Remote Registry and Windows Update services may need to be enabled and set to a different start-up type.

Below are some examples to show how you can do this:

-Note that there are other ways to perform this as well, including via GPO.

Turn on Remote Registry service:

sc start remoteregistry

Set the Remote Registry service to Automatic (Optional):

sc config remoteregistry start=auto

Set Windows Update service to Manual start-up:

sc config wuauserv start=demand

Other service controller commands:

Sc Commands

Ensure you've checked the full prerequisites list for scanning or deployment below, and you should be all set as long as Windows is activated. Protect will scan and deploy to a core server just as it would any other system. It's not seen as a different version of Windows in Protect. The only difference is that there's no Windows UI besides command line. These commands will obviously work on a regular Windows OS as well.

Additional Information

Full Patch Scanning Prerequisites

Full Patch Deployment Prerequisites

Affected Product(s)

Shavlik Protect, All Versions

Overview

There have been an incredibly large number of vulnerabilities this year, which unfortunately is going to cause asyntax change in MITRE CVE-ID.   The current syntax will max out at 9,999 vulnerabilities, so the change is to start adding additional digits.  When the CVE count breaks 10,000, MITRE will be adding an extra digit onto the end of their CVE-IDs.  The resulting CVE change will drive a change in how we import content for Shavlik Protect 9.1 and 9.0.

The deadline for the change is January 15, 2015, but due to the high volume of vulnerabilities releasing this year the change in format may be forced upon us early.  We have released an update for Protect 9.1 and are working on the Protect 9.0 update to prevent the format change from causing issues.  The patch will prevent import of new content from failing, avoiding an inconvenience to our customers.  Protect 9.1 Patch 2 is available now and the Protect 9.0 Patch 2 will be coming in the next couple of weeks. Although the updates do not include a security fix, this is a critical bug fix to avoid a customer outage. 

To upgrade you can follow the instructions below based on version of Protect. 

Upgrade Protect 9.1 to Patch 2:

• Download Protect v9.1 Patch 2 fromhttp://www.shavlik.com/downloads/protect/. Patch 2 includes fixes from Patch 1 as well, so customers on Protect 9.1.4446 or 9.1.4334 can upgrade with the same patch. 

Upgrade Protect 9.0 to 9.1 Patch 2 or 9.0 Patch 2:

• (Recommended) For 9.0 customers you will now see that auto update to 9.1 Patch 2 is enabled in product.  You can click the auto update link in the bottom right corner of Protect when you open it and it will download the full installer upgrading you to Protect 9.1 Patch 2.

  You must be on a Windows 7 or 2008 r2 x64 or later OS to upgrade to Protect 9.1. 

• If you are unable to upgrade to Protect 9.1 Patch 2 at this time we are in the process of releasing a similar fix for Protect 9.0.  This update will be released before the CVE count becomes and issue and can be applied very easily to Protect 9.0.  The change is entirely database schema related so no binaries are updated on Protect 9.0 console. 

  If you have not applied Patch 2 for either version, there will be a point in the not too distant future where you may not be able to import new content.  We would like to avoid this as much as you would, so plan for this patch update as soon as possible. 

Additional Information

Release notes for Patch 2 for Protect 9.1: Shavlik Protect Standard/Advanced 9.1 Patch 2 Release Notes

Release notes for Patch 2 for Protect 9.0: This will be update once the patch is released.

Products

Protect 9.x

Purpose

This document is to provide a linkable article for Salesforce when providing customers with migration information.

Shavlik Protect  Migration Tool User’s Guide
Download Shavlik Console Migration Tool 9.0.1280 – 486 KB (.zip)

Product(s)

Shavlik Protect 9.x

Is there a report I can run which tells me what EOL products have been found? I have run a recent scan after upgrading to Shavlik Protect 9 and found some of my servers have EOL Products.

Is anyone programatically accessing shavlik to kick off scans or otherwise manipulate the scheduler?  We are working on automating our patching process to interface with our CMDB and ticketing system and are having trouble finding any reference material about manipulating the scheduler or extracting schedule information from the protect db.  Is anyone doing this?

We have the scan part down pretty well - we export from our cmdb to txt files which shavlik uses to scan, but we would like more control of the actual depoloyment process.  Our CMDB is the source for truth on which maintenance window each server is patched in (many hundreds of servers).  We are basically looking for a way to control the deployment phase of the process externally.  The only command line, powershell, api, etc i've found documented is just the scheduler service command line utility, which i take to primarily be intended to be run from the client side.

Any help would be appreciated.

Hello

Can anyone confirm when the latest Adobe Digital Editions will be available through Shavlik Patch?

It appears the latest available through Shavlik is 1.7.2 - however Digital Editions 4.0.1 was released in October.

Thanks

Sarah

Purpose

This article provides steps to purge a large database in Shavlik Protect for maintenance purposes.  

Resolution

To purge the database of old data (clean up):

Using Database Maintenance tool built into Protect:

1. Launch Protect.  
2. Navigate to Tools > Operations > Database Maintenance.
   (Note): In older versions this was under Tools > Database Maintenance.
3. Change the Delete results older than (days) or max results to keep to the desired amount.
4. (Optional): Enable the 'Rebuild Indexes' options and the option to 'Backup database and transaction log'.
   
5. Click Run Now. You will be prompted to confirm you want to run the maintenance task.
   
   After clicking to run the maintenance task you should see a pop up in the lower right of your screen stating the database maintenance task has started and will run in the background.
   
6. Wait approximately 15 minutes to allow time deletion of old results to take place. The operation runs as a background task and may take more or less time than this based on how many records are being deleted during the maintenance.

Alternate method of deleting results using Manage > Items

1. In Protect, go into Manage > Items from the menu.
2. You can select specific results to delete, then click 'Delete selected', or you can click 'Delete All'. This needs to be repeated for each type of results that you want to delete from your database (Patch Scans, Patch Deployments, etc.).
   
3. You will be prompted to confirm when you click a delete option.
   
4. You will then see a progress bar showing the status of the deletion of results. If you have a large amount of results to be deteted, this can take some time to run.
   

Additional optional steps to be performed within SQL Management Studio:

1. Launch the SQL Management Studio. 
2. Expand Databases. 
3. Right-click your ShavlikScans database and click Properties. 
4. Click Options. 
5. Change the Recovery Model from Full to Simple. 
6. Click OK. 
7. Right-click the ShavlikScans database again and click Tasks. 
8. Click Shrink> Files. 
9. Change the File type to log. 
10. Under Shrink Action, click Reorganize pages before releasing unused space and set the Shrink file to field to 0.
11. Click OK. This truncates the transaction log to 0 bytes.
12. (Optional) Repeat Steps 8 through 10 and reset the Recovery model to Full. 
13. Right-click the ShavlikScans database again and click Tasks. 
14. Click Shrink> Database and click OK. 
15. Wait for the shrink operation to complete. In case of large databases, it may take a long time to complete.  

Additional Information

If you are using SQL Express you may need to install the SQL Management Studio for express editions before you can perform the actions described above. The links for SQL Express Management Studio downloads can be found here.

Product(s)

Shavlik Protect 9.x

Overview

These release notes support Patch 2 for Shavlik Protect 9.0. The patch can be downloaded from this link:

http://www.shavlik.com/downloads.aspx

The patch can be applied to Shavlik Protect build 9.0.1182.0 (Protect 9.0 Patch 1) or to build 9.0.1106.0 (Protect 9.0 Gold).

If you have any questions, please contact our Technical Support Team by creating a Support Portal Case or call toll free at 1-866-407-5279.

Resolved Issues

Update to the database schema and the content importer to support upcoming changes in the CVE-ID syntax. Prior to this patch, CVE-ID numbers using the new syntax would have prevented content from being updated and may have resulted in a console crash.

Symptoms

In Machine View, multiple machine records are showing incorrect credentials in their Machine Properties (Right click > Machine Properties).

Cause

A credential has been set previously that is no longer in use, or is outdated.

Solution           

Change multiple machine property credentials at once/simultaneously.

• ClickView>Machines.
• Select all machines that need the credentials changed by holdingCTRLand clicking on the machine.
• Right click one of the selected machines and chooseMachineProperties.
• InMachine Propertiesselect 'Assign credential for the selected machines' then choose the desired credential.

Product(s)          

Protect Version: All

Symptoms

After performing a Help > Refresh Files, the Shavlik Protect console crashes with an unhandled exception error prompt.

Cause

Although there are numerous possible causes, it is likely one or more Protect data files are corrupt, missing or out of date.

Resolution

Option 1:

1.  Locate and delete the corrupted *.xml, *.cab, *.exe, *.msi or*.zip from C:\ProgramData\LANDesk\Shavlik Protect\Console\DataFiles.

2.  Perform a Help > Refresh Files to download the latest data files.

Option 2:

1.  It may be difficult or time consuming to pinpoint which file is causing the issue so it may be faster to delete all the files from C:\ProgramData\LANDesk\Shavlik Protect\Console\DataFiles excluding the subfolders.

2.  Perform a Help > Refresh Files to download the latest content files.

3.  Restart Protect.

Option 3:

1.  If updating Protect data files manually, please re-download the files and verify they are not corrupt or being blocked by the OS. How To: Manually updating patch data files for Shavlik Protect

2.  Place the files in the C:\ProgramData\LANDesk\Shavlik Protect\Console\DataFiles folder

3.  Restart Protect.

Product(s)

Shavlik Protect All Versions.

For my machines that use the Shavlik Protect Cloud agent, when a new machine is added it does not load the latest version of the agent. The latest agent is v9.1.4334.0 (according to my console). The agent getting installed on fresh builds is v9.0.1182.0.

What am I missing? My Shavlik is v 9.1.0 build 4472.

Thanks!

-Dharmatma

I have several users that have long running tests/processes on their machines and would like to give them the ability to patch their machine with Shavlik (as it encompasses more products that WSUS).  However, everytime I deselect all the days on a new patch task schedule, it says I have to select one or more days of the week.

The problem is I do not want to schedule a patch task, just make a manual patch task available to the user.  Shavlik does such a nice job of patching so many applications, would be nice to let users patch those on their schedules.

Any help would be greatly appreciated.

Doug

Hello,

In order to further extend our use of Shavlik, we are looking to see if we can report based on the which machines have patches outstanding and what was the date those machines in question were last patched.  This would enable us to confirm automatic patching is taking place within a given number of days and also

I can see the database which holds information when a basic report is run, but i do not know how I would find the last patched date for a machine and how to connect with this whether its in our automatic patched group or our manual patched group. We would therefore want to get a list of servers from the manual group where the patches had not been applied in the last 30-60 days for example.

I was wondering if anyone has any experience in reporting on this? The excel exports from Shavlik do not not include last patched date, only number of patches outstanding on a machine.

Thanks in advance for your trouble taken to look at this.

Regards,

Aaron

Symptoms            

Left navigation panel in Protect is missing/hidden.

Cause 

The left navigation panel in Protect can be collapsed on demand.

Solution

Click the thin bar that borders the right side of the navigation panel to expand/unhide it.

Product(s)

Shavlik Protect 9.x

Purpose

Since patch KB3004394 was released, administrators have noted a number of issues resulting from applying the patch. Some administrators may be concerned to know why patch KB3004394 is not in our definitions- or may be concerned that they inadvertently deployed this patch.

Description

We at Shavlik are working to make patch management as convenient and manageable as possible. Accordingly, because of the many reported issues with this patch, we have opted to exclude it from our definitions until Microsoft addresses the issues in the patch/releases a replacement. Because of this, administrators need not worry that the patch was unintentionally deployed using Shavlik.

Please check back as we will update this document when we are able to support this patch or its replacement and a recommended course of action.

Product(s)

Shavlik Protect 9.x

Purpose

This document is meant to help administrators stay up to date with the current download links for install and upgrade files for all currently supported versions of Shavlik Protect.

Description

With each release of a new patch for Shavlik Protect, we release two installer files for our administrators: an patch upgrade and a full installer. The upgrade version is a lighter version of the installer, containing only the files needed to take the previously current version of Protect and upgrade it to the current patch. The full installer is meant for new administrators or for users who are seeking to do a full install on a machine that does not currently have Protect installed and includes other required components like SQL Express.

Customers can obtain all download files at our downloads page which is always up-to-date:

http://www.shavlik.com/downloads/protect/

Links are provided below, for each current version for 9.0 and 9.1, with the full installer and patch upgrade versions designated:

Shavlik Protect 9.1.0 + Patch 2

Installation Notes: The Shavlik Protect Console must be installed on a 64 bit operating system that is Windows 7\2008 R2 or later. Shavlik Protect requires access to a Microsoft SQL Server database (SQL Server 2005 (Full or Express Edition) or later). If you do not have a SQL Server database, the option to install SQL Server 2012 Express Edition SP1 will be provided during the installation process.

Full installer:

New customers should download and install build 9.1.4472. All of the Patch 1 and Patch 2 changes are contained in this build.

• Download Version 9.1.4472 - 84 MB (.exe)

Patch upgrade:

Customers currently running build 9.1.4446 (Protect 9.1 Patch 1) or 9.1.4334 (Protect 9.1 Gold) should download and install this file:

• Download Protect v9.1 Patch 2 - 18 MB (.exe)

Shavlik Protect v9.0.0 + Patch 2

Installation Notes: We recommend that new users install 9.1, and not 9.0. Shavlik Protect 9.0 is our oldest supported version, but is the only version of Protect that currently supports 32-bit OS, as well as Windows XP, Server 2003, and Vista. We recommend that new users install 9.1, and not 9.0. Shavlik has released a patch for Shavlik Protect 9.0. This patch is mandatory for all Protect 9.0 customers and adds support for an upcoming change in CVE-ID Syntax.

Full installer:

• Download Version 9.0.1304 - 165 MB (.exe) 

Patch upgrade:

Customers currently running build 9.0.1106 or 9.0.1182 should download and install the following:

• Download Protect v9.0 Patch 2 - 85 MB (.exe) 

Additional Information

Preparing for Upgrade of Protect and Resolving Common Upgrade Issues

Protect 9.1 Install Guide

Shavlik Protect Requirements Guide

Product(s)

Shavlik Protect 9.x

I have several workstations with Adobe Acrobat Pro that will not patch.  Just seems to not be taking the patches for some reason.

I'm running 9.1 latest build, BTW...

Symptoms

KB2899518 does not show as missing or installed for any systems within your Shavlik Protect scan results, and it is not available when searching View > Patches.

Cause

Shavlik will not be adding support for this patch within Protect because this patch only applies in very specific configurations.

Refer to the bulletin page: Microsoft Security Bulletin MS14-081 - Critical

Under 'Update FAQ' it states:

'I have Microsoft Word 2010 installed. Why am I not being offered the 2899518 update? The 2899518 update only applies to systems running specific configurations of Microsoft Office 2010. Other systems will not be offered the update.'

Resolution

Refer to the Microsoft article above for information on when you would need this update.

If necessary, you can try using a Custom Patch or Custom Action to push the update via Protect.

Affected Product(s)

Shavlik Protect, All Versions

Purpose

This document is intended to provide information about support for Google Chrome within Shavlik Protect.

Description

Shavlik Protect supports patching with the system-level installation of Chrome (.MSI installer). This is also sometimes referred to as the enterprise version.

Shavlik Protect will detect per user (.exe) and system-level (.msi) installations of Chrome, however, but will only deploy the system-level (MSI) installer.

Per User vs System-Level:

Google Chrome can be installed in two ways.  The first way to install Chrome (and probably the most popular) is to install it on a per-user basis.  If Chrome is installed in this manner, the browser will be available only to the user that has installed it on the machine.  Other users on the machine will not have Chrome installed.  To patch Chrome, it will require the user that installed Chrome to update it.  To do this, Google has written an auto-updater that will automatically patch Chrome for the user.

The second way to install Chrome is to install it on a system-level (aka per-machine in Windows terms) basis. This is also known as the enterprise version of Chrome.  This means that Chrome will be installed for all users, and can be updated for all users at once.  In these system-level installs, there is no auto-update mechanism.

.exe vs .msi:

Google Chrome has multiple installers that will install on a system-level basis.  They have a .exe and a .msi.  Installing from the .exe will install Chrome on a system-level basis (given the proper switches), unless there is a per-user install already on the machine.  In this instance, the .exe will fail to install Chrome.  Installing the .msi on a system will install Chrome on a system-level basis, even if a per-user install already exists.  The problem with the .msi install, is that if you want to upgrade (patch) Chrome, you need to uninstall the previous version first.  You cannot install a newer .msi install on top of an older .msi install.

If you have not yet installed Chrome in your environment, please consider the above information if you plan to patch using Shavlik Protect.

With Shavlik Protect, you can push out the latest Chrome .msi by using Software Distribution.

Additional Information

Other Considerations when switching to Chrome via MSI (system level install)

What happens to bookmarks and user data when we install the .msi on top of a per-user install?  During our testing, all user data is retained, so that the system-level install will use all of the user data that existed in the per-user installation.

A possible problem is that the .msi installation requires that a previous .msi Chrome installation be uninstalled before installing the newer version.  To compensate for this, before installation of Chrome, Protect will uninstall the previous version of Chrome, and then install the new version of Chrome on the machine.  During our tests, all user-data is retained on the machine and is used by the new version of Chrome.

Additionally, it is important to note that there will be no auto-updating of Chrome once you switch to a system-level install.  You will, however, have an honest assessment of the use of Chrome on your network, as well as an accurate assessment of the patch level of Chrome on your network.

If you would like to see changes to how Shavlik supports Chrome please feel free to submit a feature/change request.

Product(s)

Shavlik Protect, All Versions

Purpose

The purpose of this document is to provide a work around for emails sent from within the report creation tool.

Symptoms

After creating a report you use the "File", "Send to" to email the report and it is never sent.

Resolution

To work around this issue:

1) Create the report, export the report as a PDF and manually email the report.

2) Depending on the report you may also be able to automatically send the report using either the scan template or the deployment template.

Additional Information

This defect will be corrected in a future version of Protect.

Affected Product(s)

Protect 9.1