Symptoms

When attempting to patch clustered SQL Servers with Protect you see that updates never apply or do not appear to update SQL.

Cause

Currently, Protect does not natively provide a solution to deploy patches to SQL servers in clustered configurations. Patching SQL clusters with Protect is unsupported. However, with manual intervention Protect can be used to both assess and deploy patches to SQL servers in a cluster.

Resolution

If you wish to patch clustered instances of SQL, we recommend you break the cluster and apply patches individually, then re-join the cluster. This is currently the only known method or workaround to properly update clustered SQL servers with Protect.

Please refer to the following Microsoft Document SQL Server failover cluster rolling patch and service pack process to ensure succesful patching of Microsoft SQL Server.

Additional Information

More information about SQL Server failover clustering can be found in a Microsoft article, here.

If you would like to submit a feature/change request for Shavlik Protect, you can do so here.

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document outlines how to run a DPDTrace. This may be necessary when troubleshooting detection issues.

Steps

DPD stands for Dynamic Product Detection.  It’s the method our scan engine uses to determine what supported products are installed on the machine.This tool was created for troubleshooting patch scan issues where we need to know what is going on during the DPD process.

.Net Framework v4.0.30319 or newer needs to be installed for this to work

1. Download DPDTrace.zip and extract the file into a folder on the root of C:\
2. Read Disclaimer.txt.
3. Open Command Prompt and change directory to C:\DPDTrace

4. Enter the following command, replacing {MACHINE_NAME} {ADMIN_USER_NAME} {PASSWORD} and {PATCHTYPE} with corresponding values. ({MACHINE_NAME} has to be the Target machine that is having the detection problem

          DPDTrace.bat {MACHINE_NAME} {ADMIN_USER_NAME} {PASSWORD} {PATCHTYPE}

5.      When the command line is run, a window titled 'Rename HF.1 Log' will appear with an OK button. Do not close this window as the scan continues.

6.    When the scan has completed the command prompt window will say 'Test Complete  Please zip up HFCLi folder and send it back to us'. Please verify that an XML document has been created in the HFCLI folder. If it has, please zip up the directory "C:\DPDTrace\HFCLI" and send it back for analysis.

Symptoms

The Protect patch installer fails with the error  "There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor."

Or

"Another version of this product is already installed. Installation of this version cannot continue"

In the ST.DatabaseConfiguration.log you can see the following errors

2014-10-28T20:43:25.5457040Z 0004 E DatabaseState.cs:77|System.Data.SqlClient.SqlException (0x80131904): Database state cannot be changed while other users are using the database 'ShavlikScans'
ALTER DATABASE statement failed.

2014-10-28T20:43:25.5525745Z 0004 E UnattendedInstaller.cs:95|Database installation failed: Unable to lock the database because there are existing connections.
2014-10-28T20:43:25.5535560Z 0004 E DatabaseInstallerController.cs:378|Database 'Update' error: Unable to lock the database because there are existing connections..
2014-10-28T20:43:25.5535560Z 0004 S DatabaseInstallerController.cs:238|ExecuteInstall|Leaving.
2014-10-28T20:43:25.5918345Z 0004 E UnattendedInstaller.cs:149|ST.Data.SchemaInstaller.DbLockFailedException: Unable to lock the database because there are existing connections. ---> System.Data.SqlClient.SqlException: Database state cannot be changed while other users are using the database 'ShavlikScans'
ALTER DATABASE statement failed.

Cause

The database is locked and cannot be altered.

Solution

Using Studio Management express you can detach and reattach the Protect Database, or the SQL server can be rebooted.

Run the patch again to attempt the upgrade.

Related Article

Database Connection Error Caused by Missing SQL Server

Database Connection Error Caused by Missing SQL Server

Symptoms

• Cannot perform an asset scan from Shavlik Protect
• Performing an asset scan fails with Error 452
• In the ST.Protect.native.log file, you see this error:
  
  class STWin32::CWin32Exception at nsSecurity.cpp:1090: Not all privileges referenced are assigned to the caller.

Cause

This issue occurs if:

• You do not have the required permission(s) to perform the asset scan.
• There is a problem with Windows Management Instrumentation on the target machine.

Resolution

To resolve this issue, verify these information and complete the appropriate steps:

1. Verify whether a Security Patch Scan is able to run successfully to the target machine that is currently unable to run an asset scan.
   1. If a Security Patch Scan does not run to the target machine, you must refer to the system scanning prerequisites. For more information, see the Help documentation in Protect before continuing.
2. Asset scans require port 135, while patch scans do not.
   1. Verify if Port 135 is listening on the Target Machine.
   2. Verify if you are able to successfully Telnet to port 135. For example, Telnet MachineName 135. You can use the IP address instead of the machine name for this test.
   3. Check if you receive a Connection Refused error or see a blank screen with a flashing cursor. The blank screen with a flashing cursor indicates success.
   4. If firewalls are enabled, - port 135 and other required scanning ports must have an exception.
3. Specify credentials on a machine group for the asset scan(s) to work.
   1. Check if you have you tried to reset credentials for the machine group.
4. When performing an asset scan, Windows Management Instrumentation (WMI) service must be enabled on the target machine and the protocol allowed to the machine (TCP port 135).
   
   Note: In Windows Firewall (on Windows XP/Windows 2003 machines), the service is called Remote Administration. On Windows Vista/Windows Server 2008 machines, the service is called Windows Management Instrumentation (WMI)/Remote Administration.
5. Go to Computer Configuration>Windows Settings> Security Settings> Local Policies>User Rights Assignment under Local Security Settings to verify that the user attempting to run an asset scan has the appropriate user rights on the target machine.
   1. Verify that the user has the following rights on the Protect Console Machine:
      • Debug programs
      • Take ownership of files or other objects
      • Manage auditing and security log
      • Back up files and directories
      • Restore files and directories
6. Run sysinfo ( msinfo32.exe) on the target machine. If it populates without errors, WMI is working on the target machine. If WMI is not working on the target machine, it generates the error "Can't Collect Information".
7. Attempt a complete WMI flush on target machine by completing these steps:
   1. Stop the WMI service.
   2. Delete the contents of <%WINDIR%>\System32\wbem\Repository.
   3. Reboot the system.

Additional Information

For more information on asset scanning requirements see the Asset Scan Requirements.  

Affected Product(s)

Shavlik Protect 9.x

I need to be able to determine, for each Product Name in Shavilk Protect, whether the product will be patched as much as possible while keeping the major version the same, or if the product will be upgraded to the next version.  For instance, I'm sure Shavlik will upgrade Flash 15 to Flash 16, but will not attempt to upgrade SQL 2008 to SQL 2012.  Is there a published list of rules that details Shavlik's behaviour in this regard?

Thanks in Advance!

Symptoms

After adding a vCenter server or an ESXi server into your Machine Group, you attempt a scan and it causes the console to crash. Then a pop up window displays ""Sorry, an unexpected error has occoured and SHavlik Protect Standard must close to recover (...)".

The console logs will record an error message as the following:

2014-12-01T17:24:42.5523558Z 0002 C Launcher.cs:351|System.AggregateException: A Task's exception(s) were not observed either by Waiting on the Task or accessing its Exception property. As a result, the unobserved exception was rethrown by the finalizer thread. ---> System.AggregateException: One or more errors occurred. ---> System.ArgumentException: IP address must be specified when specifying a machine

Parameter name: address

at ST.Engines.MachineResolver.ResolvableMachine..ctor(IPAddress address, String machineName, String domainName, String fullyQualifiedDomainName, Credential credential, PropertyBag extendedProperties)

at ST.Engines.MachineResolver.VMware.ResolvableVMwareServer.<ResolveOnlineVirtualMachineAsync>d__10.MoveNext()

--- End of inner exception stack trace ---

Cause

The problem is one or more of the guest virtual machines hosted on the hypervisor has an IP address of 0.0.0.0 or 255.255.255.255.

It is most likely 0.0.0.0. The console crashes because Protect is looking for a valid IP Address.

Resolution

As a workaround you will have to determine which machines have 0.0.0.0 or 255.255.255.255 on the vCenter's summary section and assign it an IP adress.

Please note that in a next release, this behavior will not cause the console to crash anymore

Affected Product(s)

Shavlik Protect 9.x

I've been trying to use the null patch to call a .bat file that I have used successfully in the past, but the deployment fails.  I then tried to use it just to remove the scheduler, which had also been set up previously and was working.  Neither operation will work.  Following are the errors I receive:

Error: File not downloaded: nullpatch.exe

Error reason: The remote server returned an error: (404) Not Found.: http://xml.shavlik.com/noop.exe

Zero patches are available and properly signed.

No patches were deployed. Please review the program logs to determine the cause.

Patch deployment canceled due to failure building deployment instructions.

Error on machine 'mypc': Failed

I don't use this often, so I may well be missing something stupid, but as I've used two previously successful deployment templates, I am confident that they are ok.  Thanks, in advance, for any thoughts!

Purpose

This document is meant to be a guide of some good documents and links specific to Shavlik Protect version 9.1. This is not a comprehensive list of documents.

Description

General Information

• Protect 9.1 Online Help
• Online Documentation
• Training Videos
• Release Notes

Installation & Configuration

• Download Site
• Protect 9.1 Installation Guide
• Protect 9.1 System Requirements
• Shavlik Protect Requirements Guide
• Firewall & Proxy Exception White-List
• Installing Prerequisite Software
• How to Activate Shavlik Protect

Upgrade Information

• Protect 9.1 Upgrade Guide
• Preparing for Upgrade of Protect and Resolving Common Upgrade Issues

9.1.4334.0 New Features and Bug Fixes

Released 4/17/2014

• Major New Features

  • Localized Console Experience
    • Shavlik Protect is now localized for the following languages: Chinese (Standard), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, and Spanish.
  • Localized SafeReboot
    • The SafeReboot dialog has been localized to support the same language set as above. The language of the client machine’s operating system will determine which language is displayed. The SafeReboot dialog will default to English if the operating system language is not supported.
  • Online Help
    • Localized versions of the Help system are now available on the Web. The help text will be localized according to the language specified on the Display Options dialog. An Internet connection is required in order to access localized help text from the console. For environments that do not have direct Internet access, an English-only version of the Help system is still shipped with the product and is available locally on the console.
  • IPv6 Support
    • Shavlik Protect now supports IPv6. IPv4 is still the preferred IP scheme that will be displayed in the UI, so for environments that happen to have IPv6 turned on but are not utilizing it yet, the IPv4 address will be the default address shown for machines.
  • Report Views
    • In conjunction with this release, Shavlik is providing a Report Views Guide that describes how to use database views within SQL Server database queries to generate custom reports for Shavlik Protect. This also allows for third-party tools such as SQL Reporting Services, Crystal Reports, Splunk, and others to be used to create reports for Shavlik Protect.
• Minor New Features and Enhancements
  • Improved Machine Resolution in FQDN and IP-only Environments
    • For customers who have environments that require FQDN or IP to resolve machines, Shavlik has made significant improvements to our machine resolver so that Shavlik Protect will retain multiple resolution methods for each machine. FQDN, Hostname, and IP can all be attempted to ensure the machine is resolved correctly.
  • Scan by Vendor Severity
    • The patch scan templates and the assessment engine have been updated to include filters that enable you to scan by vendor severity. You can now scan specifically for Critical, Important, Moderate, Low, or Unassigned security or non-security patches.
  • Deployment Workflow Enhancements
    • The deployment workflow has been consolidated to reduce the many branches that existed in the deployment experience. When you perform a deployment now you will see the same level of detail as a scheduled deployment. The deployment results are also available for viewing after the deployment is complete.
  • Machine-Level Status in Operations Monitor and in Deployment Tracker
    • A machine-level status has been added to the deployment flows. This gives you better visibility into the current state of your deployments.
  • Deployment Return Codes
    • Deployment return codes are now available within Deployment Tracker and within the deployment reports. Making the return codes available within the Shavlik Protect UI eliminates the need to comb through target machine logs for the return codes.
  • Active Directory (AD) Enhancements
    • Shavlik Protect is now able to discover any Active Directory Forests and Domains that are broadcasting themselves to the console machine’s domain. In addition, you can now add additional Forests and Domains and save credentials for these items. This allows you to browse these items without having to reconnect each time.
• Deprecated Features

  • Features That Have Been Removed in Shavlik Protect 9.1

  • The following platforms are no longer supported for use as a console:
    • Windows XP
    • Windows Server 2003
    • Windows Vista
    • Windows Server 2008 (prior to R2)
    • Windows 8 (Windows 8.1 is supported)
    • 32-bit architecture operating systems
    •   In response to Microsoft’s strategic direction and recent end-of-life announcements, Shavlik has removed support for the above platforms as a Shavlik Protect console. Shavlik Protect 9.0 is the last version to support these platforms as a Protect console. All of these platforms are still supported as agentless and agent-based targets.

    • To help ease the migration to newer platforms, Shavlik has developed a migration tool that will help administrators to transition a console from one machine to another. Microsoft has announced an end-of-life for Windows XP in April 2014 and for Windows Server 2003 in April 2016. We are recommending that customers on these platforms migrate to newer operating systems as soon as possible. Shavlik will not be supporting Windows 8 as a console due to an incompatibility issue with Powershell 4.0, which is a new prerequisite in Protect 9.1. Windows 8.1 support is being added with Protect 9.1.

  • The following VMware ESX Hypervisors are no longer supported:
    • ESX 4.0
    • ESX 4.1 (ESXi 4.1 Hypervisors are still supported)
  •   Shavlik is removing support for hypervisor patching and offline VM, template, and snapshot features for these versions, as VMware is ending support for these platforms in 2014. Shavlik Protect 9.0 is the last version to support these versions.
  • Export to TIF, TXT, and RTF formats

  • Shavlik has removed support for these formats as they are little used and provide little value to the majority of customers. Future versions of Shavlik Protect will still support export to PDF, XLS, TSV, CSV, and XML formats.

  • Features That are Targeted for Removal After Shavlik Protect 9.1

  • Windows Server 2000 support for agentless scan and remediation will be removed after 9.1
  •   Shavlik is announcing that Protect 9.1 will be the last version to support Windows Server 2000 as an agentless target. Protect 9.1 will support this version of Windows until it reaches its end-of-life, which has not yet been announced.
  • SQL Server 2005 support will be removed after Protect 9.1

  • Shavlik is announcing that Protect 9.1 will be the last version to support SQL Server 2005 (all editions). Customers should work towards moving to newer editions of SQL Server as soon as possible.

  • User Criticality Filter will be removed after Protect 9.1
  •   With the introduction of the Vendor Severity filter, the User Criticality Filter’s primary function is now obsolete and will be removed in a later release. The feature has a high maintenance cost and low value for most customers.

• Bug Fixes

  • Resolved an issue where duplicate agent results could conflict, causing import to fail.
  • Resolved an issue where duplicate agent results cause a loop on import, blocking up the import queue.
  • Resolved an issue where custom patch could allow a .bat file to be used which would cause agents to fail deployment. The .bat extension has been pulled from the custom patch file options.
  • Resolved an issue where LDAP over SSL connections would attempt to use the Shavlik Certificate. The Shavlik Certificate on upgrade will be moved into a custom store.
  • Resolved an issue where the 'Is Policy Current' value for Threat Protection Agents could incorrectly show as No when they really are up to date.
  • Updated the Help System to include descriptions for agent icons that were not documented.
  • Updated the Help System with an outbound port 443 requirement for the Protect Cloud Sync feature.
  • Resolved an issue where a result could not be imported if the service pack of the product could not be determined.
  • Resolved an issue where attempts to delete a partial scan result could result in a console crash.
  • Resolved an issue where an agent result missing the EndTime attribute would fail to import.
  • Resolved an issue where the Patch Status Detail Report could end up with PatchBulletinTitle on multiple lines due to a carriage return.
  • Updated the community link for data conversion errors on upgrade to point to the proper community article.
  • Resolved an issue where the Executive Summary Report could reflect the Effectively Installed Patches count incorrectly.
  • Resolved an issue where scan results could fail to import do to a 'Arithmetic overflow error' on the primary key in the ScanItems table.
  • Updated the Administration Guide to place the 'What's New?' section in the correct location in the document.
  • Resolved an issue where using the Microsoft Scheduler could cause scans to add five minutes to the specified scheduled time.
  • Resolved an upgrade issue where an unassociated event subscription could cause the database upgrade to fail from 8.0.2 to 9.0.1182.
  • Resolved an import issue where Agent Deployment Results could cause the importer to loop backing up the import queue.
  • Resolved an issue where the console could crash when you start many scans simultaneously on a resource constrained machine.
  • Changed from using MD5 hash to SHA1 in asset value normalization to be compliant on a FIPS enabled machine.
  • Resolved an issue where HFCLI.exe was not using the Protect License Key, causing certain licensed features of HFCLI to not work.
  • Resolved an issue where using the Browse Active Directory feature would not allow you to select a forest.
  • Resolved an issue where the console service could crash on foreign key exceptions.
  • Resolved an issue where the console service could crash when encountering an unknown service pack item type.
  • Resolved an issue where 2003 R2 SP2 systems could reboot unexpectedly when upgrading the agent from 8.0.2 to 9.0.1106.
  • Resolved an issue where an unnecessary horizontal scroll bar would appear in the Machine View.
  • Resolved an issue where the console service could crash when it is unable to decrypt credentials.

Affected Product(s)

Shavlik Protect 9.1.x

Purpose

This document provides information about how Protect's detection logic uses many variables to be able to scan all possible locations and should be able to pick up on changes to a system's Windows directory or other main directories.

Description

To help ensure that detection of all necessary files takes place, Protect uses variables to find items within many of the system directories such as Windows or Program Files. Some of them should always be recognized by Windows, and a few of the variables used in Protect's detection logic are just set within the logic.

When viewing patch information for a patch within Protect, you may see some of these variables listed in the 'File Location' column.

Example using the Windows Directory:

The location of C:\Windows is %windir% - specifically it's set from the reg key Key="SOFTWARE\Microsoft\Windows NT\CurrentVersion" Value="SystemRoot". Protect will use a few different variations to locate the proper Windows directory on a target system.

If someone changes the location of their windows directory Protect should automatically pick up on it based on the use of the %windir% variable. So, as long as the %windir% variable was working correctly Protect's detection logic should work as well for anything in the Windows directory, even if it was changed. The same applies in the case of Program Files and possibly a couple other system recognized variables.

List of some common variables used:

%windir%

%windir%

%windirsystem64%

%ProgramFiles%

%programfilesx64%

%CommonProgramFiles%

%commonprogramfilesx64%

Variables only used by Protect Detection Logic

For many applications, Shavlik's content team defines variables to use common paths. One example is the variable used for Chrome detection - %chromepath%. This variable is not recognized by Windows without being defined - it is only for use within Protect's detection logic to locate a Google Chrome installation.

Affected Product(s)

Shavlik Protect, All Versions

I am trying to scan a remote vm.

The vm is hosted by ESX 4.1 and has been added to the hosts in Protect.

I have supplied admin credentials.

I have confirmed that server and workstation services are running.

I can connect to the registry remotely.

I have previously allowed the needed ports.

File & Print sharing is on.

I don' t see any blocks on our firewalls.

I'm not sure where to proceed.

Symptoms

You attempt to install an agent (manually or from the console) and it fails after the registration process, you open the Agent GUI but no policy is applied.

Error found in STDispatch.log on the agent machine:  C:\ProgramData\LANDesk\Shavlik Protect\Logs

CryptDigestUtils.cpp:158 The certificate chain is not complete.

AuthenticodeVerifier.cpp:178 The Authenticode(r) digital signature could not be verified.

AuthenticodeVerifier.cpp:201 File not signed by any expected issuer or subject.

CommandLineTask.cpp:214 Invalid executable 'C:\Program Files\LANDESK\Shavlik Protect Agent\STAgentUpdater.exe'. Application is not trusted.

Dispatcher.cpp:197 Duplicate call to complete task: 5c19a2c9-1f90-4015-b3e6-455f1fb7b435

Dispatcher.cpp:237 DispatchTaskById: b443f8a1-8af5-4f43-8537-467648fecc4c 9d77c15b-2685-4223-8c50-17e989367eb0 tasks/3B71457B-43E3-41F9-ABED-C7D44435DC0E.txt

CryptDigestUtils.cpp:158 The certificate chain is not complete.

AuthenticodeVerifier.cpp:178 The Authenticode(r) digital signature could not be verified.

AuthenticodeVerifier.cpp:201 File not signed by any expected issuer or subject.

CommandLineTask.cpp:214 Invalid executable 'C:\Program Files\LANDESK\Shavlik Protect Agent\STAgentUpdater.exe'. Application is not trusted.

Cause

This error can be caused if the machine's root certificate are outdated or if during a manual installation, the account is use does not have the permissions on the MachineKeys folder : C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Resolution

• To resolve this issue the root certificates of the client (agent) machine must be updated. You can apply the updates using Protect.

To Apply the Updates:

1. Create a custom patch scan template that includes the patch type filter Security Tools.
2. Run a scan on the target machine and then look for the bulletins MSRC-001 or MSRC-002.

Related Document:How to Find/Exclude Specific Patches in Scan Results.

MSRC-001 is for Windows XP and 2003. For newer operating systems, such as Vista, 2008, and Windows 7, the root certificates are automatically updated if the machine is connected to the Internet. However, if you have to apply the update manually, you should be able to deploy MSRC-002 from Protect.

You cannot update root certificates on operating systems that are not within the Microsoft support lifecycle. Ensure that you are using a supported operating system and service pack level.

In the event the computer is not connected to the internet to automatically update these files they must be downloaded/distributed manually. Though Protect designates 2 different Bulletin Id's for root certificates (MSRC-001 & MSRC-002), they both use the same patch from Microsoft. If root certificates need to be installed, but protect is unable to do so, download the patch directly from Microsoft and run.

Download Here

When you run the exe, it will run and vanish. It will not give a completion message.

Patch states it is for XP, but if you read the article below under the section "Root update package installation on disconnected environments" it states it works on other OS's as well.

Microsoft Article:Windows Root Certificate Program members

• To resolve the issue in regards to the MachineKeys folder, navigate to that folder and from the Properties > Security, give the permission associated to your user.

Affected Products

Shavlik Protect 9.x

Symptoms

Protect is detecting a Patch that should not be detected as missing.

Resolution

Before performing the following, please update to the latest XML data by going to Help > Refresh Files and them perform another scan against the machine(s). This issue might be fixed in a later XML release than you are currently using.

From The Protect Console:

1. Click on Results tab.

2. Choose the most recent scancontaining the specific patch.

3. Click on the machine containing the specific patch.

4. Click on the specific patch.

5. View why Protect detects the patch as missing.

6. Click on the linked Qnumber to be taking to documentation regarding this patch. Most of the time this will include the detection logic.

7. Browse to the location referenced in step 5 to verify the information found in step 5 and 6.

See below for more information.

Also note the Downloaded File name.

On the Target:

Browse to C:Windows\ProPatches\Patches and find the specific patch. If you have previously deployed this patch and it failed, manually try to run the patch.

Take any screenshots of any errors such as the one below.

Information to Send to Support

If you experience these errors, please create a support case at support.shavlik.com or by calling into support. If you choose to call into support, please gather this information before calling in.

Gather the following information:

Before doing the following, please download the latest XML data by going to Help-Refresh Files.

• The Bulletin ID & Qnumber of the patch in question. This information can be found in Step 4 above.

• Clear your logs, and do a rescan and/or deployment.then gather the log. Please do this by following this guide for console logs:community.shavlik.com/docs/DOC-22921

• A DPD Trace gives more information on how Protect detects certain patches.

      Please gather a DPD trace on the target machine by following this guide:Gathering a DPD Trace

• Screenshots from Step 5 from the console, Step 7 from the target and if applicable, the error when the patch is manually installed.

• (optional, but helpful) An Export of the following registry keys from the target system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products
    • NOTE: Also obtain the corresponding keys under WOW6432node if on a 64bit system.

Affected Product(s)

Shavlik Protect 9.x

Symptoms

In Version 9 When performing a scan, a machine is skipped with theError Code: 4andStatus: Machine resolved multiple times; skipping this one.

In version 9.1 the error will show: Machine filtered in its Machine Group.

Cause

When scanning a Machine Group, an option is selected in theScan Onlysection that one or more machines in the group does not qualify for.

Example: When adding workstations, the optionScan Only Serversis selected.

Resolution

Uncheck all options in theScan Onlyfield, or ensure options selected match the machines that are in the list.

Example: SelectScan Only Workstationsif workstations are the only machine types in the list.

When I run a patch scan on our entire network or domain, not all of our computers are being recognized.

More detail: When scanning, I watch the Shavlik Protect Operations Monitor, and on Step 3 (Resolve machines to scan), it shows Attempted: 160; Resolved: 95, Failed: 65. When I look at the results and sort them by Machine, I can see some obvious exclusions.

Why are some machines completely unreachable and unlisted in the results, while some are unreachable, but provide error codes?

Purpose

This document is meant to be a guide to link you to all requirements or pre-requisite information you may need for Shavlik Protect.

Description

Below is a list of links to the different requirements you may need to use Protect or certain features within Protect.

Affected Product(s)

Shavlik Protect 9.x

For my machines that use the Shavlik Protect Cloud agent, when a new machine is added it does not load the latest version of the agent. The latest agent is v9.1.4334.0 (according to my console). The agent getting installed on fresh builds is v9.0.1182.0.

What am I missing? My Shavlik is v 9.1.0 build 4472.

Thanks!

-Dharmatma

Purpose

An explanation of why Shavlik Protect patch scan results may show different patches needed than when running a Windows Update.

Solution

Shavlik Protect uses different detection logic to scan for patches than Windows Update and other patch vendors.A Windows Update scan has the ability to show missing Security Patches, Non-Security Patches, Security Tools, driver updates, and sometimes patches that aren't publicly downloadable.

Depending on what Scan Template you are using in Protect, the results will vary. The built-in security patch scan will only show missing security patches. The built-in WU scan will show missing security patches and non-security patches. And please note - we don't always include all non-security patches in our XML data right away either, as security patches take precedence.

You can always create a Custom Scan Template, and check security patches, non-security patches, and security tools for the most robust scan with Protect.

Shavlik uses a variety of methods to see if a target machine needs a patch.  The process is detailed in the document "Explanation of how patch scanning detection works with Shavlik Protect" which can be found here:http://community.shavlik.com/docs/DOC-2259.

Administrators can view files and registry entry criteria by searching for the patch in View > Patchesof the Shavlik Protect Console main menu.

See this online help file for more information on using Patch View:

http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/Viewing_Patch_Details_(Patch_View).htm

There is also a difference in how Protect displays criticality and vendor severity. See this document for further information concerning this:
Understanding patch severity in a Shavlik Protect patch scan and why it may differ from Windows Update

Affected Product(s)

Shavlik Protect 9.x

Hi, has anyone else come across KB3008923 (MS14-080) breaking IE9 after install;

http://answers.microsoft.com/en-us/ie/forum/ie9-windows_7/ie9-iframe-crashing-after-applying-kb3008923-ms14/41620b02-fde6-4601-bd37-180025052bf7

Ideally I would like to remove this from Shavlik Protect but am not too sure how, any ideas?

Thanks

Symptoms

• Protect is running in an environment with FIPS.
• The Protect Console Service crashes as soon as you open Protect.
• You receive the error: "The service responsible for importing scan and Agent Results is not running", and restarting the service does not resolve the problem.
• In the ST.ServiceHost.managed.log file you see the following error:
  Parameter name: culture
  2048 (0x0800) is an invalid culture identifier.
  2013-10-09T17:48:41.8020307Z 0033 C Program.cs:26|System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
  at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
• You may also see the below message in the ST.Protect.Managed.log:
  2013-10-09T17:48:43.2528307Z 0004 E CredentialServiceController.FindCredentialOwner|ST.UI.UserViewableException: The console service cannot be reached. Credentials previously shared with the service will be reported as not shared. ---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.pipe://localhost/ST/Console/Deployment/Credentials/CredentialsService that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.IO.PipeException: The pipe endpoint 'net.pipe://localhost/ST/Console/Deployment/Credentials/CredentialsService' could not be found on your local machine.

Cause

Protect uses MD5 hash for faster sort lookups, but it currently isn't working correctly with FIPS. This is a known issue and will be fixed in a future release of Protect.

Resolution

This issue was resolved in the initial build of Protect 9.1. Please upgrade to the latest version of Protect to resolve this issue properly.

A possible workaround to resolve this issue in Protect 9.0:

1. Shut down Protect.
2. Stop the console service.
3. Navigate to the protect installation folder under Program Files: Default for v.9 is C:\Program Files\LANDesk\Shavlik Protect
4. Backup the ST.ServiceHost.exe.config and ST.Protect.exe.config
5. Edit both of those files and add the following between the </st> and <system.diagnostics> tags:
   <runtime>
   <enforceFIPSPolicy enabled="false"/>
   </runtime>
   
   Example (ST.ServiceHost.exe.config):
   Before:
   </components>
   </host>
   </st>
   <system.diagnostics>
   <trace autoflush="true" useGlobalLock="false" />
   <sources>
   
   After:
   </components>
   </host>
   </st>
   <runtime>
   <enforceFIPSPolicy enabled="false"/>
   </runtime>
   <system.diagnostics>
   <trace autoflush="true" useGlobalLock="false" />
   <sources>
   
   
6. Save both files.
7. Clear the log files in the main logs directory (Default is C:\ProgramData\LANDesk\Shavlik Protect\Logs)
8. Start the console service.
9. Start Protect.

Notes:

• You can also set this dword's value to 0 to disable FIPS (restart needed):
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy\Enabled
• FIPS could also be controlled by GPO, if the above does not work that would be an indication that a GPO is controlling FIPS and this would need to be resolved via GPO.

Risk of Workaround

This workaround will disable FIPS for the Protect console service and application.

Affected Product(s)

Shavlik Protect 9.0.1182

Shavlik Protect 9.0.1106

Purpose

This document provides an explanation of what file permissions need to be in place to successfully perform database backups through the database maintenance features of Shavlik Protect.

Description

In the Database Maintenance menu under Tools > Operations, Shavlik Protect allows administrators to perform database backups as part of their database maintenance process. In order to do so, administrators must provide a file path for the local database directory or a UNC path for the remote location.

When administrators configure this process to run as a part of their database maintenance, the console sends a command to the SQL service to perform a DB backup to that path. What this means is that in order to ensure that the SQL server can perform a backup of the SQL server when prompted by the console, the account the SQL server service runs under needs read/write access to the file directory designated in the above menu (in this example C:\dbbackup).

Administrators can either specifically provide the read/write rights to the directory for the SQL account, or they can grant the privileges to the authenticated users group which should include the default SQL service account.

Additional Information

To determine the account the SQL service runs under perform the following on the machine that hosts the database :

Click Start > Run and type services.msc and hit Enter.

Locate the SQL Server service and Right-click on it and select Properties.

Select the Log On tab, and next to "This account" there should be an account listed- this is the account the SQL service uses and which needs rights over the file directory of the backups.

In this case this account is "NT Service\MSSQL$SQLEXPRESS"

Affected Product(s)

Shavlik Protect 9.x