Symptoms

When attempting to add machines to a machine group in Protect via the Organizational Unit tab when clicking 'Browse Active Directory' you experience any of the followng:

You see the message "The list of servers for this workgroup are currently unavailable".

The OU list is missing machines that you expect to show up.

Cause

For any number of reasons the Protect application is unable to either connect to or browse active directory.

Resolution

Here are troubleshooting steps that should help:

1) Check that the "Browse Credentials" are set correctly and have access to active directory.

2) Make sure NetBIOS is enabled.

- Go into Computer Management > Device Manager.

- Click View > Show hidden devices.

- Under Non-Plug and Play Drivers locate NETBT.

- Right click on NETBT and go to Properties.

- Ensure the General tab lists this device as working properly.

- Ensure the Driver tab lists this device with a current status of Started.

3) On your Protect console system, open command prompt, and run NBTSTAT -R

This command purges the contents of the NetBIOS name cache and then reloads the #PRE-tagged entries from the Lmhosts file. The #Pre section is where domain controllers may be listed.  For more information on nbtstat commands see this Microsoft Technet article: http://technet.microsoft.com/en-us/library/bb490938.aspx

4) If you are having problems enumerating Organizational Units across domains, ensure that the Protect console has access to a DNS server that provides lookups to all involved domains.

You can edit the host file (C:\WINDOWS\system32\drivers\etc)

Add an entry for:

[Net Bios Name of Domain Controller] [IP Address]

or

[DomainName] [IP Address of primary DC]

5) Enable the Computer Browser service. The computer browser service is disabled by default on Server 2008 R2, but it should start without error.

See this document: http://community.shavlik.com/docs/DOC-22966

-Is there an error in the event log? This can help narrow down what is going wrong.

-The computer browser service will automatically stop if your registry settings are not configured to maintain the browse list. To verify your settings do the following:

-Go to Start> Run

-Type regedit

-Press enter

-Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters

-The MaintainServerList value should be set to Yes or Auto. If this Value is No then the computer browser service will not start.

6) Check to make sure netbios ports are open. (139 & 445)

7) A couple other things that may help troubleshoot:

-Check if the "Browse Network" button in the Machine Group configuration dialog on the Machine Name tab functions as expected.

-Make sure you can browse your network (Network Places) using Windows Explorer.

Additional Information

The following Microsoft articles may also prove helpful:

Troubleshooting Active Directory (2003):

http://technet.microsoft.com/en-us/library/cc776795(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc737561(v=WS.10).aspx

Troubleshooting Active Directory Domains & Trusts (2008 R2):

http://technet.microsoft.com/en-us/library/cc770264.aspx#BKMK_1

Affected Product(s)

Shavlik Protect 9.x

I have a machine group with some machines in it, 2 of which have assigned credentials:

I ran a scan on this one machine, and the scan summary shows up with a different credential, and when I try to deploy to it, it fails (because the credential is bad).  (The other box worked)   Any ideas???

Purpose

This document lists all current Software Distribution Patches as of : 11/18/2013

Related Document: Distributing software with vCenter Protect Essentials using a patch group

Information

I just install Shavlik Protect 9.1 in my organization  where we have 120 Windows 7 and few windows servers.

What I want,

1) I want selected patch to be deployed like only windows 7 security patches, Adobe Flash player\Reader\Air patches, and Java updates and patches.

I created a patch scan template,  patch group with  selected patches( with whatever I wanted). now it's scanning my local machine( on which Shavlik in installed) but other machines getting failed. I have common credentials for all workstations which I have stored in credential manager.

PS: I don't have domain system here.

Symptoms

Test Connection attempt from a Machine Group fails.

The affected client report one of the following errors when a Test Connection is run:

• Registry reports: The network path was not found(53)
• Perfmon reports: Unable to connect to specified machine or machine is offline (-2147481648)

Possible Solutions

This can happen if the Remote Registry is not running, not responding, or if the IPC pipe is blocked by a policy or registry change.

To troubleshoot this issue:

1. Click Start > Control Panel > Administrative Tools > Services.
2. Find the "Remote Registry" service. Ensure the Startup Type is set to Automatic and the Status is set to Started. Start the service or change the startup type to match these values.
3. If the connection still fails, restart the "Remote Registry" service and try again.
4. Check the Active Directory or domains for a policy blocking access to the Remote Registry service.
5. Open the Registry Editor (regedit.exe ) and check the key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
   • If the key is missing, restore it by exporting a known good key from another server running the same operating system and service pack level. Restart the server.
6. If the connection still fails, reboot any Active Directory domain controllers.

Related Articles

• Scanning a remote machine with Protect fails with Error 501 - Remote registry access denied
• http://www.shavlik.com/uploadedFiles/Support/Online_Documentation/Shavlik_Protect_90/administration-guide.pdf

Affected Product(s)

Protect Version: All

Symptoms

The Protect Console does not show in the list of machines under the Scheduled Task Manager.

  This issue is most commonly seen after an upgrade to version 9 build 1182.

Cause

With the release of Version 9 Patch 1 (Version 9 build 1182), the Protect Console will not be listed in the Scheduled Task Manager.

Resolution

Run a successful patch scan against the Console using the built-in "My Machine" group. (Any patch scan will work).

The scheduled jobs should then re-appear in the Scheduled Task Manager.

Affected Product(s)

Shavlik Protect 9.0.1182

If I set the User Criticality to ignore on a patch and the patch scan template is set to scan all BUT ignore, the patches are still shown as missing.  Basically I can't ignore patches.

We had an issue with 2 servers that with the scan, said they needed 20 on one server and 26 patches on another.  When looking at the server locally, the servers said that they had 40 patches applied during the same time frame.  Shavlik reported that there were no pending patches to be installed.

Is there something that I'm missing as far as what I should be looking at?

Yesterday evening we had a patch maintenance window where I patched a group of 50 servers. This example bases on one randomly selected system out of the 50 servers:

Machine: S1150          Patch Count: 12          Patch progress: Executed 12 of 12          Status: (green) Finished          Started 20:38          Finished: 21:49

Machine: S1150          Patch Count: 2            Patch Progress: Executed 2 of 2             Status: (green) Finished          Started 22:26          Finished: 22:53

Machine: S1150          Patch Count: 1            Patch Progress: Executed 1 of 1             Status: (green) Finished          Started:23:01          Finished: 23:10

Machine: S1150          Patch Count: 1            Patch Progress: Executed 1 of 1             Status: (green) Finished          Started:23.20          Finished: 23:29

After the 4th scan and patch round no additional patch was found.

Today, less than 12 hours after the last patch round of last night, a new scan shows that 7 patches are missed!!

Logged in to the server S1150 and directly "Checked for Updates" with the Windows Update tool says (green) Your system is up to date.

The update history shows 11 (!!) installed patches of yesterday:

Security Update for Windows (KB3034196)

Security Update for Windows (KB3029944) 

Security Update for Windows (KB3031432)

Security Update for Windows (KB3004361)

Security Update for Windows (KB3000438)

Security Update for Windows (KB3023562)

Security Update for Windows (KB3013455)

Security Update for Windows (KB3021952)

Security Update for Windows (KB3003475)

Update for Windows (KB3020338)

Update for Windows (KB3004394)

Shavlik installed 12 patches, rebooted the system, rescanned the system and reported it as (green) Finished, Why does Shavlik detect another 2 patches half an hour later - then 1 patch 10 minutes later, followed by a last one, another 10 minutes later?

The same happened with almost each of the 50 servers I had to patch yesterday. I don't know why Shavlik iteratively reported (green) Finished - everything is fine- what was not correct as each rescan found more Patches to install. Finally Shavlik installed 16 patches while the server self is reporting only 11 of them.

...and the patch deployment with Shavlik takes often ways, ways more time than doing it manually. Deploying 12 patches on one of our standard Windows 2008 Server took more than 3 hours with Shavlik while manually installing the same 12 patches on a similar Windows 2008 Server was done in less than 30 Minutes.

As I still don't think that Shavlik is as bad I guess I'm doing something wrong but unfortunately I have no clue what.

What is the easiest way to cancel a deployment that is scheduled when there are 50 pc's involved within the same deployment job?  Trying to avoid refreshing 50 pc's in the Scheduled Tasks and clicking on each pc.

Hello

I've just begun to work with Shavlik and wanted to throw a few questions out to ya'll and see what people had to say.

I'm trying to figure out a way to reliably scan laptops which are on/off at random times of the day and physically scattered wherever people decide to take them. It'd be nice to do this scanning in a way without having to coordinate times with everyone who has a laptop so I can figure out when I can scan/deploy patches. The current strategy I have is to install an agent on each particular laptop that ideally would automate scanning and patching whenever the laptop is turned on. I'm also encountering errors 261 and 235 often when I scan laptops, and I think the error 235 alert is trivial as the machine is probably just turned off, and that the error 261 is due to the machine being connected wirelessly or through a VPN, and not through ethernet. I have checked the inbound port rules on several machines and they have all been configured to allow ports 139/445. Just curious if anyone else has encountered or has experience with this and if there are any tools in Shavlik I can take advantage of to make this easier.

Thanks!

Hello all...

Spent the morning working on this issue but I cant seem to figure it out... I will do my best to explain...

I have been trying to patch a Template...  Currently I can view the ESXi Hosts and the VMs hosted on each...

I have started a scan using the Creds for an Admin on the VM... I made sure it had the proper permissions... but alas the scan failed with an Error 1300... Not all pribileges or groups referenced are assigned to the caller... (just what does that mean...)

so after ensuring that I had the correct permissions and passwords again It failed...

I am at a loss...

Suggestions?

Mat    

Purpose

Many of the common Shavlik Protect scan errors can be corrected by changes to configuration or environment. This article lists the most common scan error messages and provides some guidance on correcting the issue.

Cause

Scan errors can occur:

• If one or more of the Shavlik Protect Scanning Prerequisites have not been met 
• If one or more configuration issues are present in Shavlik Protect 
• Due to one or more environmental issues

Resolution

Affected Product(s)

Shavlik Protect, All Versions

Symptoms

When attempting to perform a patch scan, the scan fails with the following error:

Error 1300: Not all privileges or groups referenced are assigned to the caller

The hf.log may contain the following line:

ScanWorkItem.cpp:535 Error in scan thread func class STWin32::CWin32Exception at Privilege.cpp:81

Cause

The 535 Error mentioned in the log indicates an authentication problem.

The error message is a generic error stating you haven't provided an account with full privileges that may be required to perform some action.

Not all privileges referenced are assigned to the caller.

Often we see this error occur when attempting to scan a hosted VM template and the account used is incorrect or does not have all privileges required to perform the action.

Resolution

Verify the following:

1) First and foremost, ensure that the account(s) being used are valid Administrator accounts with all required privileges available. You may also need to refer to our Shavlik Protect Requirements Guide.

2) Is the target system part of a domain? If the administrator account being supplied as the "Admin Credentials" doesn't have the following user rights you may need to make changes to the account as these user right will be required:

Debug programs

Take ownership of files or other objects

Manage auditing and security log

Back up files and directories

Restore files and directories

3) If this is occurring when scanning a VM template make sure to check the above as well as this:

In your machine group, do you have both the "Admin Credentials" and "Browse Credentials" set for the vm template once added to the group?

(Browse credentials being the vCenter administrator and Admin credentials being an administrator within Windows on the template.)

For the "Browse Credentials" make sure you are supplying a vCenter admin, not just an ESXi admin - templates are managed by vCenter.

You may also need to refer to our Virtual Machine Quick Start Guide.

Additional Information

Minimal vSphere Permissions Required for operations in Protect

Virtual Machine Template Patching Requirements & Informational Document

Affected Product(s)

Shavlik Protect 9.x

Purpose

The purpose of this document is to provide the process for shrinking a database transaction log file.  

In order to shrink the Shavlik Protect database log file, please ensure SQL Server Management Studio is installed. You may install it by selecting the link corresponding with your Microsoft SQL Server version below:

    •    SQL Server 2005 Express

    •    SQL Server 2008 Express

    •    SQL Server 2008 R2 Express

    •    SQL Server 2012 Express

Symptoms

There are instances where the SQL server database transaction log file can grow exponentially causing the SQL Server's hard drive to become low on space.

Resolution

  We recommend performing database maintenance using the Database Maintenance Operations built into to Protect. 

1. Open Microsoft SQL Server Management Studio.

2. Connect to the appropriate SQL Server Instance and login with the appropriate credentials. This is [hostname]\SQLEXPRESS by default and uses Windows Authentication.

3. Expand the ‘Databases’ portion on the left hand side of the screen.

4. Right click on the ‘Protect’ or 'ShavlikScans' database. Select ‘Properties'.

5.Within the new window navigate to 'Options' and change the 'Recovery Model' to 'Simple' and click 'OK'.

6. Right click on the ‘Protect’ or 'ShavlikScans' database, navigate to Tasks>Shrink>Files

7. In the new window within the 'File type:' dropdown box select 'Log' and click 'OK'.

8. Once the 'Shrink File' window disappears the process is complete and your log file should be a fraction of the size it was when this operation began.

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document provides a SQL query to find CVE numbers associated with Qnumbers.

Steps

Basic steps to use the attached SQL query:

1. Ensure Protect is closed.
2. Open SQL Server Management Studio
3. Connect to the database.
4. Backup the database.
   http://community.shavlik.com/docs/DOC-23037
5. Open QueryforCVE.sql into a query window.
   http://community.shavlik.com/docs/DOC-23137
6. Read disclaimer at the top.
7. Execute the script

You can also copy the below query and run it manually.

Disclaimer:                        

Executing these SQL Statements is at your own risk. Customers should understand */ these SQL Statements prior to executing them. Shavlik does not warrant that the */SQL Statements will be uninterrupted or error-free. The entire risk as to the results and performance of the SQL Statement is assumed by person executing the SQL Statements. Shavlik is not responsible for the damage caused by executing these SQL Statements.                                            

Select Distinct Reporting.Cve.Name as CVE
,Reporting.Patch.Id as PatchID
,Reporting.Patch.Bulletin
,Reporting.Patch.QNumber
,Reporting.Patch.BulletinTitle
,Reporting.Patch.ReleasedOn
FROM Reporting.Cve,Protect.Reporting.Patch,Reporting.PatchAppliesTo
WHERE Reporting.PatchAppliesTo.PatchId = Reporting.Patch.Id
AND Reporting.PatchAppliesTo.CveId = Reporting.Cve.Id

Please note: If you are searching for a specific CVE number add the following to the end of the above query to only show the specific CVE, leave the apostrophes and edit the CVE number.

And Name = 'CVE2014-0590'

Example of query to display specific CVE:

Select Distinct Reporting.Cve.Name as CVE

,Reporting.Patch.Id as PatchID

,Reporting.Patch.Bulletin

,Reporting.Patch.QNumber

,Reporting.Patch.BulletinTitle

,Reporting.Patch.ReleasedOn

FROM Reporting.Cve,Protect.Reporting.Patch,Reporting.PatchAppliesTo

WHERE Reporting.PatchAppliesTo.PatchId = Reporting.Patch.Id

AND Reporting.PatchAppliesTo.CveId = Reporting.Cve.Id

AND Name = 'CVE2014-0590'

Affected Products

Shavlik Protect 9.1 and newer

What is the best way to automate the staged deployment of patches to ~200 servers each month?

Our deployment consists of development and test servers one week after Patch Tuesday, then production servers the following week.  Ideally, we'd like both deployments to be scheduled/automated so that they can occur during a late night/early morning maintenance window without someone having to babysit.

We also want to make sure that the patches deployed to production servers are exactly the same as the ones that were deployed to development and test servers one week prior.  In other words, we want to ensure that if any new patches are released during that week between development/test patching and production patching, they don't get deployed to production servers since they haven't had a chance to be tested.

Finally, along these same lines, we also want to have an easy way to prevent or exclude a patch from being deployed to production servers if an issue is found on development/test servers.

Is anyone successfully doing anything along these lines?  Would love to hear some thoughts and ideas on your setup and how you're doing it.

Purpose

This document provides information about changes in how Protect will install Java 7 updates after recent changes to installation logic.

Description

Shavlik has adopted Oracle’s Java 8 installation patch pattern, where they statically install the patch and delete all previous versions after the patch has been installed. Currently, we have determined this is the most reliable way to install Java. This handles Java locked and not locked scenarios affecting customer’s environment.

Protect deployments of Java will now be using an install directory similar to how Java does with Java 8 (modified from Java 7 original install directory). Java 7 will be put installed with the same directory structure as Java 8, such as:

C:\Program Files\Java\jre1.8.0_31

C:\Program Files (x86)\Java\jre1.8.0_31

This is because deployment via Protect uses a dependent action that uses some additional steps to ensure Java is successfully installed.

Additional Information

Typically, applications use the environment in order to determine what version (latest version) Java to use. If you need a particular path, you can try creating a soft/symbolic link that points to the version of Java you want.

How to create symbolic links: Mklink.

Caveat: You will have to update the soft link with every Java 7 release.

Affected Product(s)

Shavlik Protect, All Versions

When reviewing the current status of machines in machine view, I regularly notice that I have machines which have a latest patch scan date/time that is newer than the last agent check-in date/time.  For example, right now I have a tablet with a last agent check-in of 2/17/2015 2:15:34 PM, but a latest patch scan date of 2/23/2015 6:27:03 PM.   The tablet (and other machines this has happened on) was not part of any other scheduled or ad-hoc scans initiated from the console, so it's not like it was scanned outside of the agent.   What would cause the last agent check in field to not get updated?

Thanks!

Hello,

Has anyone experienced Shavlik Protect flagging (Notepad ++\notepad++.exe) as a Trojan? It started happening this morning for us and we have had Notepad++ running on several computers previously with no issue.

Thanks,

Sanj