Description

Installing MS15-027 (KB3002657) 'basically' disables NTLM authentication to mitigate the vulnerability described in the Microsoft Security Bulletin.  Installing this patch may cause authentication failures on network machines where Kerberos authentication is disabled and NTLM is used to authenticate Active Directory users.  Shavlik Support has seen evidence of this on the community where a customer installed the patch in his Windows 2003 Servers and was no longer able to scan them after installing the patch.

According to theMicrosoft Security Bulletin, this patch is only required on Domain Controllers.  The following was information was taken directly from the bulletin:  "This update is applicable on server machines running as domain controllers. It is suggested, however, that the update be applied to all affected platforms so that machines are protected if they are promoted to domain controller role in the future."

More information about the patch can be found here: https://support.microsoft.com/en-us/kb/3002657

Resolution

The following will allow you to scan the target machines:

• Define a local security policy on the console machine.  Go to Local Security Policy > Local Policies > Security Options > Network Security: LAN Manager authentication level, if set to "Not Defined", change to the second level "Send LM & NTLM - use NTLMv2 session security if negotiated".
• Microsoft suggests to use the Kerberos protocol to authenticate Active Directory domain users.
• Uninstall MS15-027 (KB3002657) from the target machines.
  • Please note:  Uninstall the patch a Domain Controller that requires this patch could leave the server vulnerable.

  For additional information on the patch and workarounds, please contact Microsoft directly.

Affected Products

Shavlik Protect All Versions

Shavlik Patch All Versions

Purpose

The attached batch file will provide an easy method to obtain all registry exports that may be needed when working with support on a detection related issue for Shavlik Protect.

Directions

1) Download the attached Get_Registry_Exports.zip.

2) Extract the Get_Registry_Exports.bat to the desktop of the system where you wish to obtain files for support.

3) Double click the Get_Registry_Exports.bat, or right click the Get_Registry_Exports.bat and choose 'Run as Administrator'.

If you do not run as administrator the batch file may not be able to obtain all information.

Be aware that this will attempt to place a folder on the desktop for whichever user runs the batch file.

4) Allow the .bat to run through everything. When the operation is complete you will see the text of commandline turn green and the following text displayed:

Complete

Please zip the Registry Exports folder on your desktop and send to support

Press any key to continue...

If you do not see this you need to either run as administrator or wait until the operations are complete.

5) A folder titled 'Registry Exports' will be created on the desktop, containing all the files collected by the .bat.

6) Please create a compressed file (zip) of this folder. It is suggested to use 7zip for compression. 7zip will compress to a smaller file size than the built in Windows compression, and it allows for creation of an encrypted 7z or zip file. You can download 7zip here: http://7-zip.org/download.html

7) Send the 7z or zip file of the Registry Exports folder to support.

8) The folder 'Registry Exports' can be deleted after this.

Additional Information

This is often used in conjunction with obtaining a DPD Trace and only necessary if requested by Support.

Disclaimer: This file [Get_Registry_Exports.bat] is intended only to obtain information for support purposes. It is not an officially supported tool and has not gone through QA/Testing.

The user assumes any risks of running the attached file(s).

Affected Product(s)

All

Purpose

This document outlines how to run a DPDTrace. This may be necessary when troubleshooting detection issues.

Steps

DPD stands for Dynamic Product Detection.  It’s the method our scan engine uses to determine what supported products are installed on the machine. This tool was created for troubleshooting patch scan issues where we need to know what is going on during the DPD process.

.Net Framework v4.0.30319 or newer needs to be installed for this to work

1. Download DPDTrace.zip (See attachment at bottom of this page) and extract the file into a folder on the root of C:\
2. Read Disclaimer.txt.
3. Open a Command Prompt and change directory to C:\DPDTrace

4. Enter the following command, replacing {MACHINE_NAME} {ADMIN_USER_NAME} {PASSWORD} and {PATCHTYPE} with corresponding values. ({MACHINE_NAME} has to be the Target machine that is having the detection problem

          DPDTrace.bat {MACHINE_NAME} {ADMIN_USER_NAME} {PASSWORD} {PATCHTYPE}

5.      When the command line is run, a window titled 'Rename HF.1 Log' will appear with an OK button. Do not close this window as the scan continues.

6.    When the scan has completed the command prompt window will say 'Test Complete  Please zip up HFCLi folder and send it back to us'. Please verify that an XML document has been created in the HFCLI folder. If it has, please zip up the directory "C:\DPDTrace\HFCLI" and send it back for analysis.

Additional Information

Please include the following registry exports from the target machine.  This will not only save time, it will also greatly increase our chances of determining the root cause of the detection issue and correcting it.

• HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432\Microsoft\Windows\CurrentVersion\Uninstall
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
• HKLM\SOFTWARE\Classes\Installer\Patches

Please see the following document to obtain a batch file that can be used to easily obtain all of the above mentioned registry exports:

Batch File For Obtaining Registry Exports For Detection Related Issues

Affected Product(s)

All

Purpose

This document is meant to describe the best practices for the order in which to apply updates with Protect when using agentless patch scanning and deployment.

Description

When preparing to deploy updates to your systems with Shavlik Protect, it is best to follow the order listed below:

1. If you wish to deploy software using the software distribution feature of Protect, do so first.
   See the following document for more information on software distribution: http://community.shavlik.com/docs/DOC-23116
2. Run a patch scan for Security Patches and/or (optional) Non-Security Patches and Security Tools.
   More info about creating a patch scan template can be found here:
   http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/Creating_or_editing_a_patch_scan_template.htm
3. View scan results. How many service packs show missing? These should be applied prior to patches/hotfixes.
4. Deploy operating system level service packs first.
5. Run your patch scan again after applying OS level SPs.
6. Deploy any remaining service packs. Take into account that each service pack must be deployed separately, and each service pack will require a reboot.
   This can seem tedious, however, it's important that you do service packs first. Service packs may update the base code for the application as well as apply currently missing updates during the process. New updates may be required once the service pack is applied as well.
7. After all service packs have been applied, run a patch scan on the systems once more, and then deploy missing patches.

Additional Information

More information about agentless deployment of service packs and patches can be found in Protect's online Help under "Agentless Patch Management Tasks".

Protect Online Help:

http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/HFN.htm

Additional Information from Microsoft about best practices for applying updates can be found here:

http://technet.microsoft.com/en-us/library/cc750077.aspx

http://technet.microsoft.com/en-us/library/cc512589.aspx

Affected Product(s)

Shavlik Protect 9.x

vCenter Protect 8.x

Hello, it seems that my Shavlik Protect is having some issues with permissions.  First of all, whenever I try to scan a machine by itself, it will not work, however if I scan it as part of an entire group, it works, this includes machines just created.  Secondly, it has having trouble on new machines just created.  They do not show up in Machine view, and the permissions just used on say a DC with domain admin access will not work on the new machine.  All I get is unable to connect to remote machine.  We are using agentless scans.  The major difference is  that these machines that are unable to scan correctly are on a different domain.  Please provide any insight into what could be the issue with these permissions not working correctly.

Purpose         

This document outlines how to cancel a scheduled task.

Steps

In Protect choose Manage> Scheduled Tasks.

For Deployments

Select the target machine in the tree on the left. Deployments are scheduled on the target machine.

For Scans

Select the Console machine in the tree on the left. All agent-less scans are stored in the Console's scheduler. This means that even if you are scanning a different target machine, you still select the Console machine from the tree.

When the intended machine has been selected, the Scheduled Jobs should automatically populate in the list on the right.

Right click the desired job, and choose Delete.

When prompted to confirm, choose Delete.

After the job is deleted the Scheduler for the selected machine should refresh, and the scheduled task should no longer be displayed.

Affected Product(s)     

Shavlik Protect 9.x

Symptoms

You created a copy of either the built-in 'My Machine' or 'My Domain' group.

When attempting to run a scan against the machine group you receive the error message:

There was a problem creating the scan instructions. Please make sure the Favorite, Machine Group(s), and Scan Template haven't been deleted by another user.

The ST.Protect.managed log file may also contain an error such as the following:

System.InvalidOperationException: Unexpected predefined discovery filter 'xxx'

Image of message displayed in Protect:

Cause

The issue is caused by a defect when creating a copy of the above mentioned machine groups. This will be resolved in a future version of Protect.

Resolution

Workaround:

Do not create a direct copy of the 'My Machine' or 'My Domain' machine groups.

Instead, go to New > Machine Group, and create a machine group similar to the settings you can see within the aforementioned groups.

Additional Information

For more information about setting up Machine Groups, see this Shavlik Online Help article:

Working with a Machine Group

Affected Product(s)

Shavlik Protect 9.1.x

Symptoms

When installing Shavlik Protect, you notice that it appears to be installing in an unexpected language.

Cause

The language setting within Windows is set to the language that Protect is attempting to install with.

Resolution

There are two options:

1) Set the localization setting for Protect. You can see how to do this in the following document:

     How to manually set language localization for the Shavlik Protect Interface

2) Re-install Protect after changing the language/region setting within Windows.

• Uninstall Protect.
• Depending the OS you are on, you will need to change the Language/Region setting in these places:
  • Windows 8/2012:
    • Control Panel > Region
    • Control Panel > Language
      
  • Windows 7/2008R2 and Earlier:
    • Control Panel > Region and Language
      
• After changing the language/region setting within Windows, run the Protect installer again.

Additional Information

Protect console localization was added in Shavlik Protect version 9.1.4334.0.

Affected Product(s)

Shavlik Protect 9.1.x and later

Purpose

This document provides steps to perform an offline or 'manual' activation of the Shavlik Protect.

Description

If you are unable to activate Shavlik Protect over an internet connection for any reason, you have to option to choose the 'Manual Activation' function. Use the steps below to perform a  manual (or offline) activation of Shavlik Protect.  If file transport from the secure offline network to an online network is not allowed, follow instructions to use the DisconnectedLicenseInfo.txt file:

Steps to create a license activation file

1. Select an activation mode (either Product or bundle license or Trial mode).
2. Paste or type your key into the Enter your activation key(s) box.
3. Select Manual activation.
4. Click Create request.
5. Files named LicenseInfo.xml and DisconnectedLicenseInfo.txt are generated and saved to the desktop of your console computer. These files contain the information needed to make an offline activation request.
6. Move the LicenseInfo.xml file to a computer with Internet access. If file transport from the secure offline network is not allowed, follow instructions under "If Secure to Non Secure network file transfer is not allowed" to use the information in DisconnectedLicenseInfo.txt .
7. On the Internet-connected computer, open a browser and go to https://license.shavlik.com/OfflineActivation.
8. Upload the LicenseInfo.xml file
9. The web portal will process the license information and generate a license file.
10. Download the processed license file and move it to the offline console computer.
11. Import the processed license file to the console by selecting Help->Enter/refresh license key and then click 'Import offline license'

If Secure to Non Secure network file transfer is not allowed

Go to https://license.shavlik.com/OfflineActivation to enter this data

• The web portal will process the license information and generate a license file
• Download the processed license file and move it back over to the offline console computer.
• Import the processed license file to the console by selecting Help->Enter/refresh license key and  click 'Import offline license'

If for some reason you are unable to activate using the offline activation portal mentioned above, please open a case with support and send your manual activation file in using the support portal: https://www.support.shavlik.com.

Please see this article if you need assistance registering: http://community.shavlik.com/docs/DOC-2265

Further details about activating the program can be found in the following Help document within Shavlik Protect:

Help > Contents > Installation and Setup > Getting Started > Activating the Program

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document provides information about a new software distribution update for Java installation.

Description

As of XML version 2.0.1.1814, Modified 3/31/2015, Protect now contains a software distribution update that will allow you to push out the installation of Java 8 Update 40 which will also remove any version of Java 7 from the system at the time of installation.

The initial update is listed in Protect as Bulletin JAVA7U8-40, QJAVA8U40SU.

Newer versions of the "Upgrade" software distribution for Java will be added when there are new versions of Java.

To deploy these updates you will need to enable 'Software Distribution' within a scan template.

See the following document for more information about using software distribution in Protect:

Software Distribution Best Practices and Informational Guide

Affected Product(s)

Shavlik Protect 9.x

Greetings,

We are in the process of testing Agents and the Cloud sync and had a couple questions regarding patch downloads.

1. When using Agentless scanning and patching, patches are pushed from the Console. However when reviewing the Agent policy, I noticed there isn't an option to push patches from the console - only Vendor Over Internet and Distribution Server. Is this by design?

2. And if I select Vendor over Internet, does this literally query Microsoft, Adobe, Java etc and download the patches straight from the source, bypassing the Console and Distro points?

3. When "use vendor as backup source" is selected, will this recognize an Agent with the Cloud feature in the policy enabled and use the vendor in the case it is not connected to our MPLS?

Thanks,

AC

Symptoms

• Shavlik Protect or vCenter Protect report database timeout errors 
• In the ST.Protect.managed.log file, you see may see an error such as the following:

System.Transactions.TransactionAbortedException: The transaction has aborted. ---> System.TimeoutException: Transaction Timeout

     OR

2012-07-17T21:10:46.8328850Z 0001 W ScanSummaryPresenter.IsRecoverable|A SQL Server query operation timed out. Consider increasing the command timeout in the configuration file

Purpose

This article provides steps to increase the database timeout value in Shavlik Protect and vCenter Protect.

Resolution

To increase the database timeout period:

Note: Close the Protect application before proceeding.

1.Navigate to C:\Program Files\LANDesk\Shavlik Protect

2.Locate the ST.Data.Config file and open it using a text editor.

3.Change this entry:
st.data commandTimeout="30"
To:
st.data commandTimeout="3600"

This increases the timeout period allotted for transactions with the database. This number is in seconds and you can set the number to a higher value as required. 3600+ is the recommendation value for most timeout issues.

4. Save the changes for the ST.Data.Config file.

5.Re-open your Protect console, and test to see if the issue is resolved.

  This setting is not maintained during a re-install or upgrade.  Also, running the Database Setup Tool will revert this setting to 30 seconds.

Affected Products

Shavlik Protect 9.x

Purpose

This document provides best practices and guidance on scanning and deploying patches with Shavlik Protect. This will cover how to properly use many features of Protect so that you can successfully perform patching, automate patch tasks, and have a better understanding of the patching abilities of Protect.

Best Practices

The best practices have been broken into different sections. Follow the links below for each scenario/category.

Verifying Requirements and Initial Setup

Verifying and Updating Patch Definitions

Configuring Patch Scan Templates and Filtering Options

Configuring Patch Deployment Templates

Successfully Running Agentless Patch Scans & Deployments

Considerations

Patch Tuesday Survival Guide and Best Practices

Additional Information

There may be additional best practice information in the Best Practices Guide from our online documents.

A Zip file containing these guides as well as all referenced documentation (other than Microsoft links and videos) is attached below if you prefer to have a downloaded copy of all necessary documentation to get started and successfully use Protect for patch scanning and deployment.

[See attached "Patch Scan & Deployment Best Practices.zip"]

Note: Files in attachment last updated 4/7/2015.

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document will walk you through on configuring your machine so that it can be scanned while it is part of a workgroup and not in a domain.

Symptons

Although you have the correct credentials, Protect fails to scan a machine that is not part of a domain. Errors include 451 The specified user account requires administrative rights to the target machine. or 452  Unable to connect to the remote machine.

Resolution

For machines using Windows operating systems that employ the use of User Account Control (this includes Windows Vista or later and Windows Server 2008 or later), you must either:

Join the machines to a domain and then perform the scan using domain administrator credentials, or

Disable User Account Control (UAC) remote restrictions on the machines.

To do this:

1. Click Start, click Run, type regedit, and then press Enter.

2. Locate and then click the following registry subkey:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:

     a. On the Edit menu, point to New, and then click DWORD Value.

     b. Type LocalAccountTokenFilterPolicy and then press Enter.

4. Right-click LocalAccountTokenFilterPolicy and then click OK.

5. In the Value data box, type 1, and then click OK.

6. Exit Registry Editor.

For more details on disabling UAC remote restrictions, see http://support.microsoft.com/kb/951016

Symptoms

When deploying to a machine it fails with the error: Error - Failed to create remote directory - %SystemRoot%\ProPatches

You can also see this error in the ST.Protect.managed log

2015-04-08T12:55:19.6125618Z 0022 E PatchDeploymentTaskView.cs:305|Deployment id 10217: Error on machine 'Server1': Failed - Error - Failed to create remote directory - %SystemRoot%\ProPatches

You are able to scan the machine but you are not able to access the UNC path via Windows Explorer; ie \\Machine\C$

Cause

A Windows server is missing the Administrative Share (e.g. C$, D$)

Additional Information:

By default, Windows creates hidden or Administrative Shares for root partitions or volumes on the server.
These shares are known by the drive letter followed by the dollar sign ($). Sometimes the Administrative
Shares will disappear for some or all of the drives

Resolution

Open the registry and examine the AutoShareServer and\or AutoShareWks registry values to ensure that they are not set to 0:

   a.  Windows Server 2008 R2 and earlier- At the domain controller (DC) desktop click the Start menu, select Run, type regedit and click OK.

   Windows Server 2012 and later- Press the Windows key + Q, and type regedit in the search box.  Double-click on the regedit.exe icon when displayed.

   b.  Locate and then click the following registry sub-key:

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

   c.  If the AutoShareServer and AutoShareWks DWORD values in the LanmanServer\Parameters sub-key are configured with a value data of 0,

        change that value to 1.

  Back up the registry before you modify it, this is done at your own risk. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base

http://support.microsoft.com/en-us/kb/322756

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document outlines how to run a DPDTrace. This may be necessary when troubleshooting detection issues.

Steps

DPD stands for Dynamic Product Detection.  It’s the method our scan engine uses to determine what supported products are installed on the machine. This tool was created for troubleshooting patch scan issues where we need to know what is going on during the DPD process.

.Net Framework v4.0.30319 or newer needs to be installed for this to work

1. Download DPDTrace.zip (See attachment at bottom of this page) and extract the file into a folder on the root of C:\
2. Read Disclaimer.txt.
3. Open a Command Prompt and change directory to C:\DPDTrace

4. Enter the following command, replacing {MACHINE_NAME} {ADMIN_USER_NAME} {PASSWORD} and {PATCHTYPE} with corresponding values. ({MACHINE_NAME} has to be the Target machine that is having the detection problem

          DPDTrace.bat {MACHINE_NAME} {ADMIN_USER_NAME} {PASSWORD} {PATCHTYPE}

5.      When the command line is run, a window titled 'Rename HF.1 Log' will appear with an OK button. Do not close this window as the scan continues.

6.    When the scan has completed the command prompt window will say 'Test Complete  Please zip up HFCLi folder and send it back to us'. Please verify that an XML document has been created in the HFCLI folder. If it has, please zip up the directory "C:\DPDTrace\HFCLI" and send it back for analysis.

Additional Information

Please include the following registry exports from the target machine.  This will not only save time, it will also greatly increase our chances of determining the root cause of the detection issue and correcting it.

• HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432\Microsoft\Windows\CurrentVersion\Uninstall
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
• HKLM\SOFTWARE\Classes\Installer\Patches

Please see the following document to obtain a batch file that can be used to easily obtain all of the above mentioned registry exports:

Batch File For Obtaining Registry Exports For Detection Related Issues

Affected Product(s)

All

Purpose

This document provides guidance to running a DPDTrace on servers with no internet connectivity or other issues preventing the download of hf7b.xml data file.

Description

You attempt to run a DPDTrace following the instructions from this document:  DPDTrace Logging Tool Used For Patch Detection Issues

The DPDTrace fails to scan the target machine with this error in the ErrorA.txt file:  Could not download file (.\hf7b.xml) from URI 'http://xml.shavlik.com/data/hf7b.xml

Cause

The DPDTrace tool is unable to download the hf7b.xml file from the internet.  This could be caused by no internet connection, firewall, proxy or some other setting/device on your network/server.

Resolution

• Correct the internet connection issue.
• Manually down the hf7b.xml file from http://xml.shavlik.com/data/hf7b.xml(right-click save link as) then place the file in the DPDtrace\HF7B folder.

Affected Product(s)

DPDTrace Tool

Purpose

Can Shavlik Protect be used to Patch Windows Surface tablets?

Resolution

Shavlik Protect is able to patch all Windows based tablets running versions of the Windows 8 Family, excluding Windows RT using either Agent-Less and Agent based patching. 

Additional Information

See System Requirements at http://help.shavlik.com/Protect/onlinehelp/91/ENU/EN/System_requirements.htm

Affected Product(s)

Shavlik Protect 9.X

Just looked to use this option and don't see it anymore. Has this option been discontinued?

I've created a custom pack for a MS Hotfix and regardless of what type of patch, I choose.  It is detected as a Security Patch.  This is not the behavior I want it to be detected as...  I've used the article found on this site to no avail.