Purpose

This document covers how to interrupt/cancel a current patch deployment.

Description

It may become necessary to interrupt/cancel/stop a deployment once it has begun. In this event the following steps can be taken to interrupt the current deployment.

Warning: Though this can interrupt a deployment, partial patch installments may occur.  We suggest only attempting this in emergencies.

Delete the Batch Files on the target machine.

On the target go to C:\Windows\ProPatches\Install.
Inside will be the batch files from any deployments to this machine. The Batch file contains the information on how to run a specific deployment. (New Batch files are created for every deployment.)
Select all files within the Install directory and delete them.

Delete the Patch File(s)

On the target go to C:\Windows\ProPatches\Patches.
Inside this directory are the deployed patch executable.
Select all files within the Patches directory, and delete them.
By deleting these files, you remove the ability for the machine to run them and continue patching.

Should you receive error - Unable to Delete - Patch is Currently in Use

This suggests the patch may be currently executing.
To resolve, open the list of running processes, enable the option to 'View processes for all users', and look for a Process name that matches the Patch name.
If found, end the process and the patch should be able to be deleted.

Note: Not all patches will list themselves in the list of Processes.

Remove Stagnant Deployment Record

Note: This step is optional.

From here the deployment should not be able to continue (it has no batch file for instructions, and no patch file for execution).
In the Deployment Tracker, the Deployment will show interrupted patches as executing. You may wish to remove this record.

Steps to remove the record

• Open Protect Console.
• ClickManage>Items>Deployments

• Locate the item that corresponds to the stagnant record, select it, and click Delete Selected.

Affected Product(s)

Protect 9.x

Purpose

When updating VMware Tools with Protect there may be a couple quirks you will come across. Below is a FAQ list to help address questions you may have.

Description

Frequently Asked Questions

Q: Does the version of VMware Tools need to match a specific version of ESXi or vCenter host?

A: No. The VMware Tools versions should be backward compatible with all product supported versions. VMware has to make it backward compatible since there may be mixed hypervisor versions on the same vCenter and DRS can move VMs from one host to another. See the excerpt below from the VMware 5.0 upgrade guide: http://www.vmware.com/files/pdf/techpaper/vSphere-5-Upgrade-Best-Practices-Guide.pdf

"The first step in upgrading virtual machines is to upgrade VMware Tools. vSphere 5.0 supports virtual machines running both VMware Tools version 4.x and 5.0. Running virtual machines with VMware Tools version 5.0 on older ESX/ESXi 4.x hosts is also supported. Therefore, virtual machines running VMware Tools 4.x or higher do not require upgrading following the ESXi host upgrade. However, only the upgraded virtual machines will benefit from the new features and latest performance benefits associated with the most recent version of VMware Tools."

Q: Why does my VMware host show VMware Tools version out of date or missing when Protect shows it is now up-to-date, or Why does Protect show VMware Tools missing when the VMware host shows the version is already up-to-date?

A: VMware Tools assessment in vSphere is comparing against the local version on the hypervisor the VM resides on. The ESXi host or vCenter may need to be updated. Often, it will help if you perform a Hypervisor bulletin scan and deployment to correct these inconsistencies. As long as your patch definitions in Shavlik Protect are up to date the scan information from Protect should be correct in this regard.

More information on how to scan and deploy to ESXi hosts can be found in the following Help articles:

Scanning VMware hosts for bulletins:

http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/How_to_Initiate_a_Scan_of_an_ESXi_Hypervisor.htm

Deploying bulletins to VMware hosts:

http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/Initiating_a_Bulletin_Deployment_to_an_ESXi_Hypervisor.htm

Q: After updating Vmware Tools with Protect I no longer have access to the VMware Tools UI and Settings within a patched VM. Why is this happening?

A: This is a change put into place by VMware. The behavior is intentional. Additional information on this is provided by VMware in a KB article, here:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2046615

Q: Originally VMware Tools support was added to Protect as a Non-Security Patch. Why was this changed to a Security Patch type?

A: More than anything the decision to change VMware Tools to a 'Security Patch' in Protect's scans is based on the fact that it is a requirement to have the latest version of VMware Tools installed on guest operating systems to be able to use the full functionality of patching hosted VM's using Protect, especially offline VMs or templates. Since this is a requirement for Protect's features to work - we consider these updates important enough to be included in Security patches.

If you do not wish for this to be scanned along with other security patches you can create a custom scan template, and set the Product Filter to 'Skip Selected' for VMware, or you can use other filtering options to exclude VMware Tools updates from the scan.

Q: How can I make a request for a change or addition to any features around patching VMware Tools?

A: Please feel free to submit any feature or change requests at our Shavlik Feature Requests site.

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document is intended to provide information about the expected behavior for active protection concerning files or folders listed in the exceptions list within an agent policy, and how to address possible performance issues with active protection.

Symptoms

You see that STThreat.exe is using memory or processor in Task Manager, and you notice that files listed within the exceptions list of your agent policy are being scanned by the Shavlik Protect Agent active protection.

Cause

This is working as designed. Whenever a file meets the active protection requirements to be checked (based on 'File access' settings in the agent policy > Threat > Active Protection), it must determine if further analysis needs to take place. STThreat.exe will always run when the File access requirement is met on the system.

Images for reference:

     Example of a file exception set up in the agent policy for "test.exe".

     Example of Active Protection File access settings within the agent policy.

So even though the files are excluded based on policy settings, the active protection process still needs to run something to determine if further action needs to take place. If the files are excluded, no further action beyond a preliminary check by active protect will take place.

Note: A Threat Scan (Set up via Threat Tasks tab of agent policy) will not scan exceptions at all.

Resolution

If you feel that this is for some reason causing a performance hit on your machine(s), you can modify the active protection settings so that files are only seen by active protection when executed, rather than on access. This will reduce the number of files active protection will scan and provide an increase in performance.

     Example of setting active protection to 'On execute' access.

Before making this change you should consider the level of active protection that you want vs. how much performance hit is actually taking place. Refer to the following information from the Shavlik Protect Help documentation:

File Access Levels

• On access, all file types (lower performance): Active Protection will perform a scan whenever a file is touched (executed, moved, copied, loaded, etc.) on the agent machine. If the file is infected the user will be alerted before the infected file has a chance to do damage to the computer. This option applies to preset files, including EXE, INI, HLP, BAT, and others. While this provides the most complete form of protection, the trade-off is it may slow the agent machine's performance. To counteract this, enable the Limit AP scanning option.
• Limit AP scanning to only high risk file types (higher performance): You can improve the performance of Active Protection by scanning only those file types that present the highest risk. This is a good compromise solution for those companies seeking a fairly high level of security while maintaining a reasonable level of performance. The list of high risk file types includes the following:

• On execute: Active Protection will perform a scan only when a file is executed or a .dll file is loaded.

Additional Information

Shavlik Protect Help: Configuring Active Protection

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document describes how to use database views within SQL Server database queries to generate custom reports for Shavlik Protect.

When you install Shavlik Protect it creates a number of defined views in the Protect SQL Server database. You can reference these views within custom queries that you write to extract exactly the information you want. By executing the custom queries and exporting the results to the format of your choice you effectively create your own customized reports for Shavlik Protect.

The benefits of writing your own database queries are:

     • You can mine the Protect database for the exact information you want.

     You can go beyond the predefined reports provided within Shavlik Protect. While the predefined reports are sufficient for many organizations, you may have the need to      produce one or more custom reports that provide more specific information about the status of your machines.

     • You can export the query results and present the information in the format of your choosing.

     You can, of course, opt to write custom queries without using the Protect views. When you add the use of Protect views to your custom queries, however, you gain a number           of other benefits:

     • The view schemas will not change in future versions of Shavlik Protect.

Future versions of Shavlik Protect may modify the tables in the database. By referencing Protect views in your queries rather than the tables, you will be guaranteed that your custom queries will not break when upgrading to future versions.

     • The queries are not as complex and are easier to write.

     The views do some of the work for you. Your custom queries will not need to reference as many Protect database tables. The views join multiple tables to gather relevant           information and they pull different columns from multiple tables.

     • Shavlik will continue to build out the Protect views in future versions, providing greater capabilities.

     • Custom queries can be shared by trusted members of the Shavlik community.

The process for creating a custom report is as follows:

1. Familiarize yourself with the SQL Server database views that are provided with Shavlik Protect.

2. Write a database query that references the Shavlik Protect views and that generates the information you want.

3. Export the query results into the user-friendly format of your choosing.

Affected Products

Protect Version 9.1 and later

When I scan an IP Address range, the results are missing several machines. I have tried manually entering the machine name or IP Address and the Status in Operations Manager says " Network Connection error. Verify you can remotely log on to the specified machine."

I can manually install the agent and register using the console connection. Once doing this I can "Update patch data" and run "Weekly Patching" but it still doesn't show up when I scan the network from the Shavlik Protect server.

The server is starting to run out of space, so not sure if that would cause these kind of issues. Can I delete old versions of updates? Not sure if we need 3GB worth of iTunes installers in the Shavlik DataFiles.

These are all domain computers, no firewalls are enabled and other, older machines on the same subnet are showing up in the scan.

Any troubleshooting help would be greatly appreciated.

Thank you.

Symptoms

After configuring your Authenticated HTTP Distribution server you are unable to download some of the files in the Distribution Server. You are able to view the files in your browser but when you attempt to download then you get the error.  404 - File or directory not found.

Cause

This is issue is caused by not having the correct MIME Type configured in IIS.

Resolution

1.  In IIS browse to your web site

2.  Click on MIME Types, then under Extensions right click and choose add. Then add the file extension and MIME Type. In this example I am adding .msu as the MIME Type application/octet-stream.

3.  Now you should be able to download any files with the extension .msu

Product Versions

Protect 9.0 and later

Purpose

This is a step by step guide on how to configure authenticated HTTP Distribution Servers.  The guide will help you install and setup IIS and configure Distribution Servers in Protect 9.x.

Please Note: This document is based on Windows Server 2008 with IIS7.5. 

Resolution

1.  Create a folder on the IIS server and share it. This folder will be the Distribution Server share where the patches and data files with be stored.

Install IIS and enable authentication by performing the following:

• 1.  Open the Server Manager, right-click on Roles and select Add Role.

2.  Use the wizard to add the Web Server (IIS) role.

• 3.  Once the Web Server (IIS) role is created, go to the Role Services section under the new role and click Add Role Services.
• 4.  Select Windows Authentication under Security and go through wizard to add it.  Continue with the default settings unless you need a specific configuration.

• 5.  Go to Programs -> Administrative Tools -> Internet Information Services.
• 6.  Right click on Default Web Site and click Add Application.

7.  Add the share folder that was created in the beginning.

8.  Select the new Application and double-click on Authentication.

• 9.  Select Windows Authentication and click on Enable.
• 10.  Select Anonymous Authentication and click on Disable.

11.  Create a Virtual Directory in the Application.

    a.  Right-click on Application and choose Add Virtual Directory.

    b.  Enter and Alias and set the Physical path to the share folder.

12.  Enable Directory Browsing on the Application.

1. Double-click Directory Browsing.

Click the Enable button

13.  You should test the connection to the URL.  You can do this manually through a web browser or use the Browse Virtual Directory located on the right side of the Internet Information Services (IIS) Manager when you have the Virtual Directory selected.

If you are not able to download the files refer to this document

HTTP Distribution Server, Not Able To Download Files

Configuring the HTTP authenticated Distribution Server in Protect 9.X:

• 1.  Open Protect and navigate to Tools -> Operations.

2.  Go into Distribution Servers and click New.

3.  Create the Distribution Server:

1. Give it a Name.
2. Select Authenticated HTTP.
3. Enter the URL.
4. Choose Credentials used to authenticate to the URL.  Click New to create credentials.
5. Enter the UNC path to the share folder.
6. Choose Credentials used to authenticate to the UNC path.  Click New to create credentials.
7. Test the connections for the URL and the UNC to make ensure proper connectivity.
8. Save.

More information on Distribution Servers

Why use a Distribution Server?

Configuring A New Or Existing Distribution Server.

Synchronizing Servers.

Deployment Template: Distribution Servers Tab.

Assigning IP Addresses To Servers.

Affected Product(s)

Protect 9.x

Purpose

This document shows how to use features within Shavlik Protect Machine Groups to dynamically manage systems found within Active Directory or a Domain.

Description

Within Protect it is possible to dynamically perform scan and deployment on machines managed via Active Directory or within a domain. To set up a Machine Group that can be used for this, follow the below steps:

Adding an Active Directory OU to a group

1) Create a new machine group by going to the 'New' Menu > Machine Group...

2) Name the group, click the 'Organization Unit' tab, then type in the specific OU name if you know it, or the easier method is generally to click 'Browse Active Directory'.

3) Expand the containers as necessary, then check the box next to 'Computers' for any domain computers you want to be included in your scans. If you want only machines in the root of the OUs to be scanned, unselect the "Include child OUs" checkbox on the bottom left hand corner of the "Select Organizational Units or Machines" screen.

4) Click 'Add checked items'.

5) You will see the OU listed in the machine group.

     Set credentials that will have admin access to all the machines.

     To do this, right click on the OU listed, then choose Set Credentials > Set admin credentials.

6) Choose the proper credential to use, then click 'Assign'.

7) You should now see the OU listed with Admin Credentials set. Click 'Save' to save your machine group.

8) Try running a scan on the group to test. As you can see in the example below, it should automatically pick up any machines that are part of the OU selected.

This function is dynamic when you check the box to include all computers of a domain. If you later add or remove machines from the OU in active directory, the machine group will automatically pick up on this when being used to run new scans in Protect.

Adding an entire Domain to the machine group

1) In the machine group, go to the 'Domain Name' tab.

2) Type in the domain name, then click 'Add'.

3) Ensure to set admin credentials.

This feature will work dynamically as well. Whenever you use a machine group with a domain specified the scan will only discover machines currently part of the domain records.

Additional Information

1) If you set up a group as shown as the example above (containing a domain name and OU that would contain the same machines), Protect will be able to determine the same machine is being discovered/scanned twice and will only display one scan result for the machine.

2) You can add multiple domains and active directory OUs within a single machine group.

3) When first setting this up, it's likely you will run into some scanning errors (machines not scanned). Generally these happen due to some configuration or environmental problem. Refer to this document on how to fix such scan errors: Troubleshooting Shavlik Protect patch scan error messages

Affected Product(s)

Shavlik Protect, All Versions

Symptoms

You see a large amount of 'SBS_STDRL_xxx' files within the C:\Windows\Temp directory.

Cause

The Shavlik Protect Agent uses the Vipre engine and definition files, managed by ThreatTrack. They stated that these files are used internally for debugging the definitions. When they are testing new definitions they enable the debug flag and these files get left so they can be checked. When they release the definitions they disable the debug flag. If you are seeing these files in your temp directory, it means that someone [at ThreatTrack/Vipre] forgot to switch the debug flag off before releasing the production definitions.

  Please Note:

• These files will not harm your computer.
• This has happened very rarely and should not be a commonly seen issue.

Resolution

The files can be deleted.

However, there isn't any built-in mechanism that will automatically clean them out. There are a couple methods in Protect that can help to automate the deletion of these files:

1) You can use a built-in ITScript in Protect to clean up temp folders:

Shavlik Script Catalog: Remove Temp Files

How to Execute a Script

2) You could use a custom action to handle deletion of the files. Here are a couple helpful documents:

Custom Action - Delete Specific File

Custom Action - How to work with Batch Files

Additional Information

This document was generated from the following discussion: Vipre creating thousands of SBS_STDRL temp files

Affected Product(s)

Shavlik Protect 9.x

Purpose

If you are at a company that is running Shavlik Protect on a full SQL environment and have a DBA on staff with SQL maintenance and backup policies already running against our databases, great!  If you are running SQL Express or full SQL but don’t have a maintenance and backup plan in place, please keep reading.

A database that has no maintenance procedures being run against it is likely the single biggest cause of an upgrade issue that is encountered, the root cause of many GUI performance issues that can be mitigated, and in many cases, resolved by proactive maintenance on the database.  Below are our recommendations for good regular maintenance on your DB so you keep it running slim and clean for good performance and to reduce issues.

Description

Keep in mind this is a starting point.  If you have regulatory needs that require more data kept live you should adjust to keep more data live.  If that is the case you may want to analyze how frequently you are scanning.  1000 agents scanning 8 times a day will grow your DB at a much more rapid rate than once per day or once per week.  And in most cases, you don’t really need all of that data.

Recommendations

Recommendation for regular Database maintenance:

Data Retention: Determine the amount of data that needs be kept on hand for operational purposes.  Typically 60-90 days is acceptable for operational purposes. The following document provides steps on how to perform deletion of old results in Protect:

Shavlik Protect Database Maintenance - Purging or cleaning up a large database

Reporting: Determine what report data is required for audit regulatory requirements.  Run monthly reports fulfilling these needs and keep on file as far back as policy requires.  Typically 13 months is acceptable.

Database Backups: It is recommended to run weekly incremental and monthly full backups.  The backup should be run just before your scheduled purge.  Keep backups as far back as the reporting data. See the following document on how to create backups using Protect's database maintenance function:

How to create a backup of the database with Protect

This Microsoft Technet article covers how to create a database backup using Management Studio:

(SQL 2012) http://technet.microsoft.com/en-us/library/ms187510.aspx

Recommended Database Maintenance Schedule:

Backups: full monthly, just after patch maintenance for that month.  Incremental weekly, end of each week (after weekend patch windows preferably).

Purge Data: After Full Monthly backup is run

Reindex: After Purge Data is run

Integrity: After Reindex is run

Full SQL Maintenance Guidance:

If you are using full SQL it may be easiest to setup maintenance plans using the maintenance wizard. If you have a DBA, they have most likely set maintenance tasks up already and you should check with them first. See the following Microsoft Technet articles on how to use the SQL Wizard to setup and maintenance plan:

(SQL 2012) http://technet.microsoft.com/en-us/library/ms191002.aspxhttp://www.networkworld.com/subnets/microsoft/110107-ch8-sql-server.html?page=2

(SQL 2008R2) http://technet.microsoft.com/en-us/library/ms189036(v=SQL.105).aspx

Additional Information

Additional information can be found in Microsoft Technet articles, here: http://technet.microsoft.com/en-US/sqlserver/

These Shavlik Community articles may also be relevant:

Limitations when using SQL Express editions as backend for Protect

How to shrink a database

Restore Shavlik database from backup using SQL Server Management Studio

Affected Product(s)

Shavlik Protect 9.x

Symptoms

When attempting to view or manage scheduled tasks via the Shavlik Scheduled Task Manager (Manage > Scheduled Tasks) you see the following message(s):

The scheduler on machine '<Machine Name>' is not available. (Error: 1244)

The list of jobs currently scheduled on the remote machine is unreadable.

Upgrading the scheduler will allow you to view scheduled jobs.

Attempting to 'Upgrade scheduler now' results in the following error message:

The scheduler on machine <Machine Name> is not available. (Error: -2080374779)

The list of jobs currently scheduled on the remote machine is unreadable.

Upgrading the scheduler will allow you to view scheduled jobs.

Cause

Error 1244 means the Scheduled Task Manager does not have any of the correct information about the target machine's Shavlik Scheduler, specifically the private key information. The private key does not exist on the target yet so it needs to be created. When a Shavlik Scheduler is installed on a machine, we store information about that machine and create private key for console to and from scheduler communication. If the machine is cloned or renamed it is basically a new machine that the console knows nothing about and the private key does not exist or is invalid. Currently Shavlik is unable to do anything to fix this because this is a process run by the Windows OS, but there's no feedback being given from Windows OS during this process.

Additionally, both errors seen above may also occur if scheduler components on the Protect console system are at a newer version than those of the target system, or if the encryption key is out of date or incorrect on the target machine.

Resolution

Workarounds are available:

If the issue is only taking place on one or two systems, you can use the steps in this document to uninstall and re-install the Shavlik Scheduler, which should clear up the issue:

How To: Uninstall & Reinstall The Shavlik (ST) Remote Scheduler Service On A Single Machine

If the issue is taking place with many systems, you can use a custom action to remove the scheduler on multiple systems. Refer to this document:

Custom Action - Remove the Remote Scheduler for Protect version 9

These documents contain extra troubleshooting information that may prove helpful in this scenario:

Scheduled Task Manager pops Error: -2080374779 - Upgrade scheduler now

Scheduled Deployment Fails To Run - AcquireCreds failed: 0x8009030d

Additionally, because the Shavlik Scheduler may use the SYSTEM account, it may help to ensure that the SYSTEM account has full rights to this folder on the client machines:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document provides information about how patch deployment works with hosted virtual machines and templates.

Description

Shavlik Protect has the ability to deploy patches to hosted virtual machines (VMs) in either an online or offline state, as long as they have been added to a machine group via the 'Hosted Virtual Machines' tab. Additionally, VM templates can be patched using this method.

Assuming you have already performed a scan, below is the expected behavior and steps taken for deploying patches:

Deploy Immediately

• Online Hosted VM
  • Push files and initiate deployment immediately. The process is the same as a physical machine except that snapshots will be taken as directed by the deployment template.
• Offline Hosted VM

1. (Optional) Take a snapshot if the deployment template is configured to take a pre-deployment snapshot and delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.
2. Copy the patches to the offline virtual machine.
3. Reconfigure the following on the offline virtual machine:
   1. Disable the network adapter's Connect at power on option. This is done so that the machine is isolated from the network when the patch process is run.
   2. Disable Sysprep so it will not automatically configure the machine's operating system when the machine is first powered on.
4. Power on the virtual machine.
5. Install the patches.
6. Power down the virtual machine.
7. Reset the machine configuration to its original network connection and Sysprep settings.
8. (Optional) Take a snapshot if the deployment template is configured to take a post-deployment snapshot and delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.

• VM Template

1. Convert the virtual machine template to an offline virtual machine.
2. (Optional) Take a snapshot if the deployment template is configured to take a pre-deployment snapshot and delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.
3. Copy the patches to the offline virtual machine.
4. Reconfigure the following on the offline virtual machine:
   1. Disable the network adapter's Connect at power on option. This is done so that the machine is isolated from the network when the patch process is run.
   2. Disable Sysprep so it will not automatically configure the machine's operating system when the machine is first powered on.
5. Power on the virtual machine.
6. Install the patches.
7. Power down the virtual machine.
8. Reset the machine configuration to its original network connection and Sysprep settings.
9. (Optional) Take a snapshot if the deployment template is configured to take a post-deployment snapshot and delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.
10. Convert the offline virtual machine back to a virtual machine template.

Scheduled Deployment

• For all instances when deploying to a hosted virtual machine, whether it be online, offline, or a template; Protect will set up the scheduled deployment on the Protect console.
• At the scheduled time (or, for 'Install at next reboot' deployments, when the machine is restarted), the scheduled deployment will be initiated.
• At the time of the deployment, it will use the same steps as listed above for patching of the hosted VM. (Treat as an immediate deployment at time of schedule)
• This is designed as a fail-safe in case the state of the VM is changed prior to the scheduled deployment taking place so that the scheduled deployment will not fail.

Additional Information

Please refer to these Help documents for further/related information:

Shavlik Protect Help: Deploying Patches to Virtual Machines and to Virtual Machine Templates

Virtual Machine Template Patching Requirements & Informational Document

Affected Product(s)

Shavlik Protect 9.x

Deployment seems to go OK but never updates the machine. Anyone else having this issue?

Purpose

This document outlines how to use the Nullpatch.exe patch for Custom Actions.

Symptoms

A Custom Action may include executing a specific command or invoking a custom batch file at specified time(s) during the deployment process. You can specify custom files and actions that occur during every deployment that uses the template, or only for those deployments that install a specific patch or service pack.

Note: A Custom Action will only run if a deployment occurs. If there are no missing patches selected to deploy to a target machine, the Custom Action will NOT occur.

Because a Custom Action will only run when there is a 'missing' patch to deploy with, Shavlik has created a patch called 'Nullpatch.exe'.

This item will allow you to perform 'custom actions' on selected machines.  Create a deployment template with a custom action, then deploy this 'patch' to execute the custom action on the remote machine.  (the patch associated with this item does not install anything on the target systems).

Steps

1. Create a NewDeployment Template;enter a Name for theTemplate, andSaveit.
   1. Alternatively - open an existingDeployment Templateyou wish to modify.
2. Click theCustomActionstab.
3. Click theNewoption.

4. The Custom Actions window will now be open

1. Specify what patch deployment action will trigger the command.
2. If in Step 1 you indicate that only the deployment of specific patches or service packs will trigger the command, specify those files here.
3. Specify when during the patch deployment process the command will be triggered. The choices will depend on the selection made in Step 1.
   • If the action is to be applied to all deployments that use this template, then the choices are:
     • Before any patches are installed
     • Before each patch is installed
     • After each patch is installed
     • After all patches are installed (but before reboot)
     • After reboot

This allows you to perform actions such as custom logging.

• If the action is to be applied to a specific patch or service pack, then the choices are:
• Before any patches are installed
• Before the patch/service pack file selected in Step 2 is installed
• After the patch/service pack file selected in Step 2 is installed
• After all patches are installed (but before reboot)
• After reboot

This allows you to perform actions only when pushing a specific patch or service pack to a target machine using this deployment template.

• You can also choose to push a custom file (such as a custom batch file or custom executable file) to the target machines as part of the deployment by selecting Push File.

4. Specify the file to push or the command to execute. The command will be inserted into the patch installation batch file at the point(s) specified in Step 3. If Step 3 specifies Push Filethen the specified file will be copied to the target machines and put in the ProPatches\Installdirectory. You can reference the file in other custom actions by specifying %PATHTOFIXES%Install\file_name.

Example 1: If you push the file myFile.exe, you can execute that file with the following custom command: %PATHTOFIXES%Install\myFile.exe.

Example 2: If you push the batch file myCommands.batto the target machines, you can invoke the batch file at the appropriate point in the deployment with the following custom command:
call%PATHTOFIXES%Install\myCommands.bat.

Related Documents

• NullPatch.exe/Noop.exe Information
• Null.exe or Noop.exe False-Positive
• Custom Action - Remove the Remote Scheduler for Protect version 9
• Custom Action - Delete Specific File
• Custom Action - Uninstall a Program
• Delete Patches from Target After Deployment

Affected Product(s)

Protect Version: All

This is a list of highly recommended documents for improving general knowledge of the Shavlik Protect product. This article is not a comprehensive list of documents.

For the Shavik Protect 9.1 specific landing page, please see document DOC-23514.

• Download Site
• Protect 9.1 Installation Guide
• Protect 9.1 Upgrade Guide
• Protect 9.1 Online Help
• Shavlik Protect Requirements Guide
• Firewall & Proxy Exception White-List
• Installing Prerequisite Software

• How to Activate Shavlik Protect
• Managing License Seat Usage
• Offline Activation Process
• Sales/Licensing Contact Information

• Best Practices Guide (9.1)
• Best Practices: Java Deployment
• Best Practices: Software Distribution
• Best Practices: Agentless Scanning & Deployment of Service Packs
• Best Practices: Using Security Tools
• Best Practices and FAQ on using Threat protection with Shavlik Protect agents
• How To Configure Windows Firewall for Protect
• How to Create a Custom Patch
• How to manage Shavlik in an Offline network
  • Offline Environment: How To Manually Update patch data files
  • Offline Environment: How to Manually Update threat definitions

Installation & Upgrade

• Preparing for Upgrade of Protect and Resolving Common Upgrade Issues
• Data Conversion error during Upgrade
• Cleaning up broken installs of Protect
• Resolving database upgrade timeout failures

Obtaining Trace Logs

• Console, Client Side (agentless), and Agent log files
• Console Install and Setup Logs
• DPD Trace (for scan detection issues)
• Listing & Purpose of All Log Files

Scanning & Detection

• Troubleshooting Patch Scan Error Codes
• Scans running slow or taking long time to complete
• Scan Results fail to import (Incomplete results)
• Why Shavlik Protect scan results may differ from Windows Update
• Java patches not shown missing or installed
• How to include or exclude specific patches in scan
• Adobe & Mozilla Incremental Updating process
• Patch install/uninstall loops (patches that always show missing)

Patch Deployment & Shavlik Scheduler

• Deployed patches appear as missing
• Deployment Tracker Status Message Values
• How to Troubleshoot A Failed Patch Install
• Service Pack Deployment Guidelines
• Reinstalling the Shavlik Remote Scheduler Service

Database Related

• SQL Database Maintenance Recommendations for Protect
• Cleaning up (purging) a Protect Database
• Increasing database timeout period
• Moving/migrating Protect database

Agents

• Agent Diagnosis Commands
• Agent Install failing at 67% (registration failure)
• How to fully uninstall and reinstall an agent

Other

• Issues adding machines to a group via Active Directory/OU
• Verifying Proxy Settings for Download Issues
• Role Based Administration Lockout Fix
• Understanding the Machine Groups and the Machines View

• XML (Patch Definitions) Update Information
• List of Currently Supported Products
• Feature or Change Requests

Is this still the only way to export a patch group for use on another server?

Patch Group - Import/Export

I have 24 servers and I manually modify each patch group with new patches as we release them. Not the best way to manage as you are clicking through each patch to add each month. Wondering if there are plans to be able to import an actual patch group rather than use this workaround to use a file inside of the Scan Template.

Thanks

Purpose

This document provides links to the Migration Tool Guides and downloads.

Information

Shavlik Protect 9.1 Migration Tool User's Guide

Note: The Migration Tool is built into Protect 9.1, available from Start > All Programs > Shavlik Protect > Migration Tool.

Shavlik Protect 9.0 Migration Tool User’s Guide
Download Shavlik Console Migration Tool 9.0.1280 – 486 KB (.zip)

Product(s)

Shavlik Protect 9.x

Purpose

This document explains why you might not see any new Microsoft patches as missing on Server 2008 R2 or Windows 7 machines.

Symptoms

Microsoft patches released after April 2013 are not being detected as missing on 2008 R2 or Windows 7 machines.

Cause

This occurs when Service Pack 1 is not applied to Server 2008 R2 and Windows 7 machines.

Resolution

Apply Service Pack 1.

Re-scan and you should now be seeing patches released after April 2013 as missing.

Affected Product(s)

All

I'm trying to clean up our credentials library, but I am unable to delete credentials created by other users (predecessors, mainly). How can I remove credentials that were created by a no-longer active account?

Symptoms

• Detected patch continues to show as missing after successfully deploying.
• Patch that shows missing ends with 'U' every other deployment.

Cause

Certain patches exist as an installer and an uninstaller; these patches can cause a loop when scanning and deploying. When the installation patch is deployed it makes the uninstall patch considered to be missing. These patches are designed by their vendor in this manner to facilitate adding/removing the patch according to environmental needs. If scanning/deploying these types of patches it may appear that the patch continually is missing as it continues to add/remove per deployment. The uninstall patch will end with 'U'. These patches tend to belong to the 'Security Tools' patch type.

Example: Missing the Installation Patch

Example: After Installed, Now Missing Uninstall Patch

Resolution

Exclude the specific patch utilizing a patch group, or choose not to deploy the patches installer/uninstaller after scanning.

Refer to the following document:

How to Find/Exclude Specific Patches in Scan Results (DOC-22967).

These are known patches that offer an uninstaller.

• Q2719615(U) - MS12-A04
• Q2719662(U) - MS12-A06
• Q2794220(U) - MS12-A10
• Q2847140(U) - MS13-A02
• Q2887505(U) - MS13-A08
• Q2896666(U) - MS13-A09
• QIE9001(U) - MSIE-002

Affected Product(s)

Shavlik Protect 9.x