After Patching my first group of servers with Shavlik, I've noticed that the C:\Windows\Temp folder is filling up Cab_xxxx_x.cab files. These file are created every 30 minutes. I did some googling and a lot of people are seeing it on Windows 2008 R2 server. They are also saying that it might be related to the C:\Windows\Logs\CBS CbsPersist files.

The only machines it is happening on are ones that were patched with Shavlik and the first issues starting show up after the machines were patched.

Windows update on these machines is set to check and notify but not download. most of these machines were reporting that they needed windows updates before they were patched with Shavlik. After the patching Windows update is still reporting this. Normally to remove that message, I stop the Windows update service and delete the C:\Windows\Softwaredistribution folder but that doesn't resolve the problem with C:\windows\temp being created.

Thoughts?

Hello everyone,

I am attempting to remove the downloaded patches from several client pc's and I seem to have hit a road block. I am scanning the pc, than deploying the 'null patch' and using a deployment template with the following in the 'custom actions'

-After All Patches- is selected and I have this under specify the command to execute: rm dir /s /q %pathtofixes%

The pc gets scanned, the null patch is deployed with the deployment template but the files within the 'propatches' folder never get deleted.

Any ideas???

Thanks,

Paul

Sometimes when patching servers it looks like the patching process has hung. Is there a way (without using the agent) to see if Shavlik is still polling the machine for it's update on the patch process (does it log these attempts somewhere)? or is it's just waiting for the Windows machine to respond? (is something logged on the client side?)

I know that some patches can take a long time to install so I was looking for a different way to confirm it's still working instead of just waiting, waiting, then deleting the deployment task and starting over again.

Thanks,

Purpose

The purpose of this document is to provide a resolution to an issue where the Protect 9 installer is unable to complete the attempted installation.

Symptoms

You are unable to install Shavlik Protect and within the ProtectSetup.log in the %temp% directory you see the following:

ExecuteInstallConsoleCerts: Error 0x80090016: class STWin32::CWin32Exception at CryptoServiceProvider.cpp:58: Error 2148073494: Keyset does not exist.

Cause

The cause of this issue is the user attempting to install Protect does not have full control rights to the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder on the system.

Resolution

The user account will need to have explicit access to the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder on the system. You may provide these explicit rights by following the process outlined below.

1. Navigate to the C:\ProgramData\Microsoft\Crypto\RSA\ directory on the machine you are attempting to install Protect on.

2. Right-click on the 'MachineKeys' folder and select 'Properties'.

3. Within the 'MachineKey Properties' select the 'Security' tab. Ensure the user has 'Full control' rights to this folder.

Note: If these permissions need to be altered, you may do so by selecting the 'Edit' button.

Additional Information

Please note we have had an instance of this issue being associated with malware. If you are still receiving this error message after providing the install user with full control rights to the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder on the system we suggest scanning for possible malware.

Affected Product(s)

Shavlik Protect 9.x

Has anyone had issues where the Patch Data for agents isn't getting the latest definitions from the server? This is happening to a good number of my agents ,even though they all have the same policy applied. If I go to the machine in the console and choose Agents-update patch data it updates without problem, otherwise they will perform their weekly scan with old definitions and patches aren't being applied.

I am running Shavlik 9.0 1304 in an isolated network. I have scanned a group of workstations. The scan goes fine. I get results from all workstations scanned. When I try to deploy the software package, I get an error on all workstations in the group that says "Deployment Failed. Cannot connect to "workstation Name". In the ST.Protect.Native log I get an error "Deploy.CPP:1958 DeployMachine Exception - class STCore ::Cinvalidoperationexception at Deploy.CPP :1401 Cannot connect to "workstation name". ANyone see this before?

Purpose

The purpose of this document is to help resolve an error found when you add Virtual Machines to a Machine Group through the Directory after clicking on Workstation Virtual Machines tab in the new Machine Group.

Symptoms

In the Operations Monitor when the process gets to Step 3: "Resolve machines to scan" outputs Attempted: 0; Resolved: 0; Failed: 0 and a hyperlink to "View errors" appears.

When you click on the "View errors" hyperlink, you see a message of "'driveletter:\ (Offline VM Directory) in Machine Group 'machine group name' failed because: 'Access is denied'" error.

Cause

The issue may come up due to not having permission rights to the drive or directory where the Virtual Machine files reside. An additional cause to the issue may be from trying to specify just a drive to act as the directory to where all the Virtual Machine files reside.

Resolution

1. Navigate to the drive where your Virtual Machine files reside.

2. Double-click on the drive where all of your Virtual Machine files. Right click anywhere in the white space under your Virtual Machine file folders and go to New and then click on Folder. Name your new folder by an appropriate name.

3. Select all the Virtual Machine file folders that you want to be included into the new parent folder and then click and drag them into the new folder to move all the files.

   (Note: files in use by other programs cannot be moved. They must first be closed out of by applications using the Virtual Machines before their location can be moved.)

4. Once the files have been moved into the parent folder, go back into Shavlik Protect and in the New Machine Group window, select the 'Workstation Virtual Machines' tab and then enter the path to the directory of VMs with the new parent folder added

5. Check the 'Include all VM's in all sub-directories' check-box.

6. Click on the 'Add Directory' button.

7. Set Admin credentials and other options as necessary. Click the 'Save' button.

8. Run a new scan. Machines should be able to resolve now.

Affected Product(s)

Shavlik Protect 9.x

Description

Installing MS15-027 (KB3002657) 'basically' disables NTLM authentication to mitigate the vulnerability described in the Microsoft Security Bulletin.  Installing this patch may cause authentication failures on network machines where Kerberos authentication is disabled and NTLM is used to authenticate Active Directory users.  Shavlik Support has seen evidence of this on the community where a customer installed the patch in his Windows 2003 Servers and was no longer able to scan them after installing the patch.

According to theMicrosoft Security Bulletin, this patch is only required on Domain Controllers.  The following was information was taken directly from the bulletin:  "This update is applicable on server machines running as domain controllers. It is suggested, however, that the update be applied to all affected platforms so that machines are protected if they are promoted to domain controller role in the future."

More information about the patch can be found here: https://support.microsoft.com/en-us/kb/3002657

Resolution

The following will allow you to scan the target machines:

• Defining a local security policy on the console machine.  Go to Local Security Policy > Local Policies > Security Options > Network Security: LAN Manager authentication level, if set to "Not Defined", change to the second level "Send LM & NTLM - use NTLMv2 session security if negotiated".
• Uninstall MS15-027 (KB3002657) from the target machines.
  • Please note:  Uninstall the patch a Domain Controller that requires this patch could leave the server vulnerable.
• The Microsoft workaround is to use the Kerberos protocol to authenticate Active Directory domain users.

Affected Products

Shavlik Protect All Versions

Shavlik Patch All Versions

I saw a post from a couple years ago with the same issue that didn't have any resolution so I thought I'd revisit this. I have a machine group that has a couple OU's in it and some single machines that are apart of those OU's, but I have them set to exclude when scanning. All of my results when scanning this machine group show that it's still trying to scan these machines though.

Here you can see where I have them listed to be excluded from the scans.

Here are the results of a scan from that machine group that shows the machines as trying to be scanned.

Symptoms

Patch Deployment fails on some machine.  Patch Install Return Code 1058  is seen within the CL5.log on the target machine. The CL5log file can be found by navigating to C:\Windows\ProPatches on the client machine.

Example:

1955-11-05T06:15:00.7034616Z 1104 I CommandLine.cpp:2638 Patch Install returned 1058: Windows6.0-KB960859-x64.msu

Cause

This status code is caused by a failure to reach the Windows Update service.

Resolution

When deploying patches on Windows Vista or later operating systems, the Windows Update service's Startup type must be set to ManualorAutomatic. Please follow the steps below to set or verify the settings.

1) Click on the Start/Windows button and type in 'services.msc' within the search box and press Enter.

2) Locate the service entitled 'Windows Update' and double-click on it.

3) Within the dialog box for the service, you will be able to alter the startup type to Manual or Automatic.

Affected Product(s)

Shavlik Protect 9.x

Purpose

The purpose of the document outlines how to install an agent using a manual installation script.

The Agent installer file is the STPlatformupdater.exe and can be found in the following location on your console machine

C:\ProgramData\LANDesk\Shavlik Protect\Console\DataFiles\ STPlatformupdater.exe

Or downloaded from here

9.0 version

http://xml.shavlik.com/data/Protect/v9/90/Protect/1182/STPlatformUpdater.exe

9.1 version

http://xml.shavlik.com/data/protect/v9/91/protect/4334/stplatformupdater.exe

Note: The following scripts are provided only as examples. Do not attempt to use these scripts in your organization without modifying the input values and performing adequate testing.

Authentication Types

• Shared passphrase
• Windows authentication
• Current Credentials

Note: To enable passphrase verification for manual agent installations, in Protect go to Tools > Options > Agents and enable the feature and create your passphrase.

Example script for passphrase authentication

STPlatformUpdater.exe
/wi:"/qn /l*v install.log SERVERURI=https://consolename:3121 POLICY=policyname AUTHENTICATIONTYPE=PASSPHRASE PASSPHRASE=secret"

Example script for Windows authentication

STPlatformUpdater.exe /wi:"/qn /l*v install.log SERVERURI=https://consolename:3121 POLICY=policyname AUTHENTICATIONTYPE=WINDOWS SERVERUSERNAME=domainname\Your.Name PASSWORD=secret"

Example script for cloud-based agent installation

STPlatformUpdater.exe /wi:"/qn /l*v install.log ACTIVATIONKEY=12345abc-2abc-3abc-4abc-123456789abc"

Where:

• STPlatformUpdater.exe  is a bootstrap installer for the agent platform installatio
• /wi
       means pass this to Windows Installer
• /qn
       means no user interface activity from the installer
• /l*v
       means write a log for the installation attempt. It has one parameter that
       specifies the log file name
• SERVERURI
       is the address, port, and scheme (e.g. https://) used to connect to the
       console for registration and check-in
• POLICY
       is the name of the agent policy that will be assigned to the agent
• AUTHENTICATIONTYPE
       is either PASSPHRASE or WINDOWS (this is dictated by the Tools >
       Options >Agents dialog)
• PASSPHRASE
       is the passphrase used to authenticate the agent to the console (used only
       if AUTHENTICATIONTYPE=PASSPHRASE)
• SERVERUSERNAME
       is the name of a user who has rights to install an agent (used only if
       AUTHENTICATIONTYPE=WINDOWS)
• PASSWORD
       is the password used to authenticate the user to the console (used only if
       AUTHENTICATIONTYPE=WINDOWS)
• USECURRENTCREDENTIALS=1 can be used in place of SERVERUSERNAME and PASSWORD if
       you want to authenticate using the credentials of the person who logged on
       to run the script
• ACTIVATIONKEY
       is the activation key that was created using the Protect Cloud Service

Affected Product(s)

Shavlik Protect All Versions

Hey Everyone!

We have been running an Agentless deployment for a couple years now however we now have 40% of our machines on VPN, which is becoming a nightmare to scan and patch. Most users disconnect from VPN during the day, or shut down, etc - and since scanning takes so long we end up not catching these machines in time to patch them.

Does it make sense in this scenario to start using Agents? From what I understand, scanning time is almost instantaneous with Agents. Can anyone using Agents provide some better insight?

Thanks!

AC

I know that this has been discussed previously, but I wanted to bring the topic up again: is there any timeline/plans to create an api to allow for the automatic patching of new systems? This is a growing annoyance for us, in our efforts to automate all of our server provisioning. While our current build process is utilizing a patched template, the long-term goal is to switch away from templates entirely, and scratch build fully patched systems. Part of doing that is a desire to have Shavlik perform a scan/patch of the system, without our intervention.

I have a recurring issue where the clients (with agents) are not updating the Patch and Threat definitions and a manual update attempt on the client via the agent is often not successful.  My methods of resolving the problem are to either right click on a machine in the Shavlik Administration console and select (1) Update Patch Data and then (2) Update Threat Data.  If this does not work then I reinstall the agent.  One problem is that I cannot figure out how to accurately determine which version of the Patch and Threat definitions are on each client without walking to each client.  Does anyone know how to create a report or other procedure to do this within the console?

Even though the definitions on the console (Help->About->Shavlik Protect Advanced->Data Versions) might be up-to-date, I have found Shavlik Agents with Patch data that is weeks or months old. This leads to inaccurate patching information.  I would like to detect these issues sooner or resolve the issue in an automated manner.

I have had no  issues with  agentless  scanning and deployment. I am however having issues with agent deployment of patches.  In the agent  patch log I see deployment process failed and none of the computers  with the agent are patching they seem to be scanning fine.  I have  made sure all ports are opened in and out as detailed in the administration guide. I also have tried  without anti-virus, tried  to point it to vendor site for patch downloads as well as  specifying a distribution server (which I confirmed  the needed patches were in the  distribution share) as well as console download. Have removed and reinstalled the agent verbatim as in the complete uninstall document.   Tried different agent policies and tried using the default agent standard  deployment Template as well as custom ones nothing thus far  seems to work. I have also patiently waited several days for the patches to download and install   but nothing. The propatch patch folder is also empty. I have looked at logs etc. but thus far  have not been able to find the issue. If I do an agentless scan and deployment  all works fine. At the moment it is just a few test machines but in time will  need to deploy the agent at 50 + remote locations that have slow links (hence why I need agent).

Any suggestions  at what specific  logs to look at or what to check?

Thank you

Purpose

The purpose of this document is to provide a batch file to use with Shavlik's Custom Action to uninstall all versions of Java up to Java 7 update 75.

Description

You will need to set up a custom action scan template, this will scan for the Null Patch and allow you to deploy your custom action without actually deploying any patches.

You will then need to create a deployment template with custom actions that will push out the uninstall Java batch file to the target machine, and to run the batch file.

You will need to scan for the custom action patch, and deploy it. It is very important to use the deployment template that contains the uninstall script and call action.

Additional Information

You may need to verify your specific version of Java is included in the batch file. You can also add new versions of Java by using the document below to get the uninstall string for that specific version of Java.

- How To Uninstall A Program Using Custom Actions

More information on working with batch files within Protect.

- Custom Action - How To Work With Batch Files

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document provides a walk-through on how to install and use a Shavlik Protect Cloud Agent.

Requirements

Below are the requirements that must be met to be able to successfully install a Protect Cloud Agent:

• The client machine must have Internet access.
• The Shavlik Protect console must be registered with Protect Cloud
• Outgoing TCP ports 80 (http) and 443 (https) must be available when communicating with Protect Cloud.
• The URL protectservices.shavlik.com must be accessible when communicating with Protect Cloud.
• There must be at least one agent policy that is configured to allow synchronization with Protect Cloud.
• You cannot install a cloud-based agent on a Shavlik Protect console machine.
• The user that installs an agent must have local administrator access on the machine.

Installation Procedure

1. Ensure that you have registered the console with Protect Cloud.
   
2. You will need to make sure the agent policy you intend to use is enabled to sync with the Protect Cloud.
   This is done via the agent policy > General > check the box, 'Sync with the Protect Cloud'.
   
3. After updating the agent policy, make sure to go back to Tools > Operations > Protect Cloud Sync, and run 'Force full update now.'
   This will make it so the policy shows as available on the Protect Cloud site for the next steps.
4. Go to https://protectcloud.shavlik.com/.
5. Log in. If you haven't registered yet, you will need to do so by clicking on Register Now.
6. Go to the 'Agent Keys' section.
7. Click 'New'.
   
8. You'll be prompted with the 'Create New Agent Key' options.
   
   • You need to choose:
     • Console name - the console system this agent key is associated with.
     • Policy - the agent policy that any agents installed with this agent key will use.
     • Max number of installations - The maximum number of times this agent key can be used to install an agent.
     • Expires in (hours) - The amount of time this agent key will be valid for installing an agent.
     • Send the agent key and activation instructions to one or more email addresses - list of anyone you want to send the agent key to for installation.
       You can also just send to yourself, and then forward the email on to anyone you want to receive it.
9. You'll now see the agent key in the list below.
   
   • Details about the information provided here:
     • Agent Key - The agent key that will be used during installation of the agent to associate the agent.
     • Console Name - The name of the Protect console that the agent key is associated with.
     • Console Version - Version of the Protect console that the agent key is associated with.
     • Policy - The agent policy that the agent key is associated with.
     • Status - Lists the number of installations remaining with this agent key, based upon the 'Max number of installations'.
     • Created by - Shows the protect cloud user who created the agent key.
     • Actions
       • Resend Key (Mail Icon) - Allows you to send the agent key to additional recipients.
       • Download Agent (Download Icon) - Allows you to download the agent installer.
10. If an email was sent, this is an example of what it will look like. It does provide the full set of directions so a user can easily install the agent.
    
11. The actual installation of the agent is pretty straightforward. Download and run the stplatformupdater.exe.
12. When prompted with 'Select the method you want to use to register this agent, choose 'I connect tot he console through the cloud'.
    
13. When prompted for the Activation Key, enter the agent key which can be copy/pasted from the email.
    
14. You should be prompted with 'Registration Succeeded. Click Done.
    
15. If you open the agent just after installing you will see that it shows the agent is provisionally registered.
    This means the agent will be functional shortly. Be aware it may take some time for the registration process to complete.
    (It has to trickle down the registration through the Protect cloud site to your Protect console and back.)
    
16. It is also possible to install cloud agents using an installation script.
    An example:
    STPlatformUpdater.exe /wi:"/qn /l*v install.log ACTIVATIONKEY=e034a812-c071-49b8-9256-a2ef199527a6"
    
    

Using Cloud Agents

Cloud agents can be used the same as any other agents. Everything is based on what's set within the agent policy.

The main thing to keep in mind is that changes to agent policies and seeing reported information from the cloud agents show up in the console can take a longer period of time than agents installed with a direct connection to the console.

Additional Information

Additional information and resources about Cloud Agent functionality:

• Protect Cloud Synchronization Overview
• Protect Cloud Sync Operations
• Agent Quick Start Guide (9.1)
• Video: Introduction to Protect Cloud

Affected Product(s)

Shavlik Protect 9.x

Purpose

The purpose of this document outlines the process of using Protect to install Internet Explorer.  You can also view Software Distribution Best Practices and Informational Guide or more information about using the Software Distribution feature.

Steps

To install IE with Protect you will need to use the Software Distribution to do this.

First you will need to create a scan template to detect the version of IE you will want to install.

The first step for this is to create a patch group that contains the installer patch for IE. To do this go to view patches then in the search you will input MSIE-010 (This is for IE10, IE11 would be MSIE-011). Then you will see the QNumber QIE1061N right click on this and create new patch group.

Now you will name and save your patch group.

Next Step is to create the scan template.

Go to New\Patch Scan Template

Under the filtering tab you will need to select the “Scan Selected” under Patch Filter Settings and select your patch group.

Now on the General tab of the scan template you will want to check the box “include effectively installed patches  and leave “Both missing and installed
patches” selected

Now on the Software Distribution tab you will need to check the box “Software Distribution” so the scan template will show results for Software Distribution patches

Now you can scan the machine you want to install IE on and it should either show you the IE version is either missing so you can deploy it or it is effectively installed

Additional Information

Prerequisite updates for Internet Explorer 11

Prerequisite updates for Internet Explorer 11

Affected Product(s)

Shavlik Protect 9.x

Symptoms

• You are not able to download or deploy a patch.
• The message "Warning: No patches were deployed. Please review the program logs to determine the cause. Patch deployment canceled due to failure building deployment instructions." appears:

Cause

The data files that contain the download URLs for patches may be out of date.

Resolution

Refresh the files by going in Help > Refresh Files.

Use Help > About... and verify Data Version for Patch Deployment are not in red text.

Affected Product(s)

Shavlik Protect 9.x

Symptoms

When using Shavlik Protect, you receive the error pop up stating: "Shavlik Protect Standard cannot fully comunicate with the console service.  Some tasks requiring the console service will be unavailable until the service can be reached."

Cause

When Protect's components try to reach the console service it fails to communicate with the service.

There can be many reasons why this may happen. The steps listed below should help find the root cause of the error and fix it.

Resolution

To fix this error you may need to follow the steps for one of the reasons listed below, or you may need to go through each one. The possible resolutions are listed in order from most common to least common.

If you are using a Proxy for web connections you need to bypass the proxy for local addresses

Here's how to set this:

• On the Protect console system go into Internet Explorer > Tools > Internet Options > Connections > LAN Settings.
• Put a check in the box for 'Bypass proxy server for local addresses'.

Note: If you are using a passthrough proxy you may need to enter the proxy information in, set the bypass, save the settings, and then come back in and remove the settings. This has been known to put the bypass into place even for passthrough proxies.

If you are unsure if you are using a proxy, you can try running the below listed commands from a command prompt screen (based on operating system level):

• Windows 7/2008/Vista 32-bit:
  netsh winhttp show proxy
• Windows 7/2008/Vista 64-bit:
  %windir%\SysWOW64\netsh winhttp show proxy
• Windows XP/2003 32-bit:
  proxycfg
• Windows XP/2003 64-bit:
  %windir%\SysWOW64\proxycfg

The Shavlik Protect Console service may be failing to connect to the database, in turn failing to properly start

This will also cause Protect to be unable to communicate with the service. This will usually only happen when using a remote SQL server for your Protect database.

To fix this:

• Close Protect.
• Go to Start > All Programs > Shavlik Protect > Database Setup tool.
• Choose to use your existing database.
• On the Database Configuration screen you will need to provide alternate credentials for the console service connection to the database. You would need to provide an account that has administrative access to the Protect database on the SQL server.

.NET in conjunction with Protect's components are not honoring the settings to bypass a proxy for local addresses.

You can manually enter the bypass for the proxy into the config files for Protect. This works because Protect will look to our config files prior to checking the IE settings or WinHTTP settings for the proxy.

How to do this:

• Locate the files:
  - C:\Program Files\LANDesk\Shavlik Protect\ST.Protect.exe.config
  - C:\Program Files\LANDesk\Shavlik Protect\ST.ServiceHost.exe.config
  Note 1: If you are on a 64 bit system they will be in the Program Files (x86) folder. You may also need to go into your Folder Options > View settings and enable 'Show hidden files, folders, and drives' as well as uncheck the 'Hide extensions for known file types' option.
  Note 2: You should backup these files, before changing, by coping them to a separate folder.
• Modify the "ST.ServiceHost.exe.Config" file, adding the following section within the "configuration" tags, at the bottom of the document:
  <system.net>
  <defaultProxy>
  <proxy proxyaddress="http://**PROXY**:**PORT**" bypassonlocal="true" />
  <bypasslist>
  <add address="127.0.0.1" />
  <add address="**PROTECT_CONSOLE_SYSTEM_NAME**" />
  </bypasslist>
  </defaultProxy>
  </system.net>
• Modify the "ST.Protect.exe.config" file, adding the following section within the existing "system.net" tags:
  <defaultProxy>
  <proxy proxyaddress="http://**PROXY**:**PORT**" bypassonlocal="true" />
  <bypasslist>
  <add address="127.0.0.1" />
  <add address="**PROTECT_CONSOLE_SYSTEM_NAME**" />
  </bypasslist>
  </defaultProxy>
• Make sure to File > Save after updating each of these files. Once this is done make sure to open services.msc, and perform a Restart on the Shavlik Protect Console service. Then you can re-open Protect, and test to see if it works.

Other items worth checking

• Ensure that inbound TCP ports 3121 is allowed on the Protect console system.
• Make sure the Protect console system is able to resolve itself.
• Make sure the hosts file does not contain invalid information. This is located in C:\Windows\System32\drivers\etc

Impact/Risks

• If you edit the information in the config files as mentioned in step three, be aware that you have now hardcoded the information that Protect uses for your proxy.
• If you make changes on your network you may need to go back and edit these files again at a later date.

Affected Product(s)

Shavlik Protect 9.x