Question to the Shavlik experts !! Is their any intention to support linux server patching in the near future ?

Regards Andy

as mentioned above  KB2545833 for lsass.exe cpu,memory issue,

KB2832248-V2-x64 for wmiprvse memory,cpu issue are the mentioned fixes are resolving or not resolving the problem on windows 2008 R2 standard server with sql server 2008 installed on the same server,if you have installed/implemented these fixes please provide the result/outcome of these fixes and also inform while installing is there any issue on the server.

Hello,

I am experiencing numerous patches failures for no obvious reason. I have tried all of the usual steps:

   1. Deleted the ProPatches folder on PCs,

   2. Deleted the patches on the server and had them downloaded again during sub-sequent deployments.

   3. Performed SQL database maintenance.

The failures are intermittent. A patch for IE9 will install successfully on one PC but not another. Often after a patch failure, I will try and run the patch manually and I receive a Windows error staing the file is corrupt. I delete the file and resend it from Shavlik and I can then re-install it manually. I have been using NetChk Protect for over ten years and have never seen this many random problems.

About the only thing I have not done is delete my DB and started over.

Any help or ideas anyone may have are greatly appreciated.

Scenario

The following applies in a scenario where you may have one of the following setups:

-One Protect console connected to the internet, and other Protect consoles within an offline (disconnected) network.

-The internet connected console may be a rollup console with the other consoles sending results back to it.

This document is meant to provide an overview of requirements necessary for this configuration and the specific options that need to be set for this to work.

Requirements/Pre-Requisites

You will need to be able to set up a distribution server (share) that can be accessible in both the internet connected and disconnected networks, and it must meet any connection/port requirements. See the following linked documentation for more information on configuring a distribution server and any requirements:

Configuring a Distribution Server

Port requirements for Shavlik Protect

Synchronizing Distribution Servers

How to Manually Synchronize Distribution Servers

*Note* For the configurations mentioned below it would be easiest to make your existing 'Patch download directory' as the share for the distribution server. This way the patch downloads from your internet facing console will automatically be downloaded to the share and patch files don't need to be synced.

Configuration

This section assumes that you have already set up a distribution server meeting all requirements outlined in above documents. Below are the special requirements or information you may need to set up special configurations. The graphic below is intended to provide a basic illustration of possible configurations covered here.

Using Distribution Server to Host Datafiles & Patch Files for disconnected consoles

This configuration is meant to be used if you have at least one offline console system that can reach the distribution server share. This allows the offline

console(s) to update patch & threat defintions, binaries, and patch files easily without being connected to the internet.

*Note* The distribution server will need to be set up under Tools > Operations > Distribution Servers for all consoles.

Once you have your distribution server set up in all consoles, change the following settings for the Protect console systems within the offline network:

1. Go into Tools > Operations.

2. Click the 'Downloads' tab.

3. Change the 'Definition download source' to "Specific Distribution Server" and set it to use your distribution server.

4. Change the 'Patch and Service Pack download source' to use a "Specific Distribution Server" and point to your distribution server.

(Optional) You can set the 'Schedule automatic downloads' settings.

Important: This configuration requires that you are downloading the latest engines, definitions, and patch files on your internet connected console, and that you are synchronizing those downloads to the distribution server from the internet connected console. Definitions are downloaded by running Help > Refresh Files, and patch files are downloaded manually - either using View > Patches or by downloading from a scan result.

If the latest definitions and patches do not exist on the distribution sever share, your offline consoles will not display the latest patches and most likely fail to install many outdated patches.

If the "Specific Distribution Server" section is grayed out and cannot be chosen, refer to this document:

Attempting To Set Definition Download Source - "Specific Distribution Server" Is Grayed Out

If using data rollup

You can still use the data rollup function, however, you will need to either:

A) Open port 3121 and have a connection available to the master console system, or;

B) Set up port forwarding to port 3121 from one network to the other. We do not assist in setting this up so you will need to contact your network admin.

This will allow you to run reports on your master console to see the current status of all machines in your environment. Note that the master console for data rollup has no control over the other Protect consoles - it is only able to run reports based on results available from any other console that is set to run data rollup to the master console.

More information about setting up the data rollup function can be found here:

Help: Data Rollup Operations

Affected Product(s)

Shavlik Protect 9.x

Purpose

The purpose of this document is to provide information on setting Machine Criticality for machines within the Shavlik Protect environment. Setting Machine Criticality enables you to specify a custom criticality level for the listed machines. This value is something you assign and use for your own purposes. For example, if you have a set of machines that are of particular importance to your company, you can assign a criticality level to the machines and then use the filtering and sorting capabilities in Machine View to quickly locate the machines and determine their status.

Resolution

1. Navigate to Machine View (View>Machines) within the Shavlik Protect Console.

2. Within the list of machines select the machine(s) you wish to alter the Machine Criticality of. Right click and select 'Machine Properties'.

3. Within the Machine Properties locate the 'Criticality' drop-down box and select the appropriate value for the selected machine(s).

Note: You can select from the following Criticality levels:

Additional Information

In order to have this information reported within Machine View, please ensure the Machine Criticality column is selected within the Column Chooser. This can be completed by right-clicking on any of the top columns within Machine View>selecting Column Chooser>select Machine Criticality.

Affected Product(s)

Shavlik Protect 9.x

Purpose

This document will take you through a recommended method to manage your offline infrastructure with Shavlik.  We assume here that you want to patch a disconnected network without having to manually located the required files needed for the disconnected Protect console.

Description

Please note: If your network policy allows a connection to a network which is connected to Internet (even controlled by a firewall), you should refer the below document:  This document makes use of a distribution server, accessible from the both offline and online network to transfer the files.

Of course this solution is less secure than the solution described here since you can pass files via the distribution server. However it is more convenient as you will not have to manually transfer the files via a removable drive such as an old fashion USB key or an hard drive.

Configuring consoles within an offline environment to obtain definitions & patches from a distribution server share

Offline Activation

Please refer to this document to activate Shavlik in offline mode:

How to process a Manual (offline) Activation for Shavlik Protect

Requirements to Scan and Patch in an Offline Network

To do so you will need:

• Two installation of the Shavlik console:
  • One in the offline network
  • And another in an online network
• One removable drive such as a USB key or an hard drive to copy:
  • Patches
  • Definition files
  • And the scan results across the online and offline Shavlik console.

Setting up the online and Offline Consoles

On the online console:

1. Plug your removable drive.
2. In Windows Explorer, go in your removable drive and create a new folder. Ex: DistServ
3. Open the Properties of the of the folder and share it.
4. Go in Tools> Operations
5. Go in Distribution Servers
6. In the Distribution Servers panel click New
7. Put a name Ex: Bridge drive
8. Put the UNC path. Ex: \\localhost\DistServ
9. Save
10. Select the created Distribution Server
11. Next to the button Add scheduled sync: in the list choose All engines, definitions, and patch downloads
12. Click on Add scheduled sync:
13. Choose Once:
14. Select what ever date you want it doesn't matter as we will sync it manually
15. Save

On the offline console:

1. Plug your removable drive.
2. Go in Tools> Operations
3. Set up the path for the Patch download directory to the removable drive.
4. Keep Auto-update definitions (before scans) unchecked
5. Select Custom share or URL and give the path to the removable drive folder for both Definition download source and Patch and Service Pack download source. Ex: E:\DistServ
6. Save
7. Go in Tools> Options
8. Go in Scans
9. Check Keep imported files
10. Save

Using the Online and Offline Consoles

Download the latest definition:

1. Plug your removable drive on the online console
2. Go in Help> Refresh files...
3. Go in Tools> Operations> Distribution Servers
4. For each of the 3 lines in the Schedule automatic synchronization panel, select it and click on Run now
5. Close the window
6. Unplug the removable drive and plug it in the offline console

Scanning:

1. After performing the steps Download the latest definition
2. Plug your removable drive on the offline console
3. Scan the machines normally

Import the scans from the offline to the online console:

1. Plug your removable drive on the offline console
2. Move the files located in C:\ProgramData\LANDesk\Shavlik Protect\Console\Arrivals\Patch\Xml\ImportedFiles
   in an other folder in your removable drive. Ex: E:\ShavlikScans\
3. Plug your removable drive on the online console
4. Move the files in the folder C:\ProgramData\LANDesk\Shavlik Protect\Console\Arrivals\Patch\Xml
5. Reopen Shavlik

Download patches:

1. After performing the steps Import the scans from the offline to the online console
2. You can download the patches you plan to deploy
3. Go in Tools> Operations> Distribution Servers
4. For each of the 3 lines in the Schedule automatic synchronization panel, select it and click on Run now

Patching:

1. Plug your removable drive on the offline console
2. Patch the machines normally

Affected Product(s)

Shavlik Protect 9.x

Purpose

The purpose of this document is to help provide a solution to the error : "Logon Failure the user has not been granted the requested logon type at this computer"

Symptoms

When trying to schedule a job in Protect you receive the error  Failed to schedule operation:'Logon Failure the user has not been granted the requested logon type at this computer'

Cause

This happens if the user you are currently logged on as does not have the rights to "Log on as a batch job"

Solution

1. Open run, type in secpol.msc, this will bring up your Local Security Policy

2. Expand Local Policies

3. Click on User Rights Assignment

4. Locate

     A. "Log on as a batch job" and verify you have this right

     B. "Deny log on as a batch job" also verify you are not denied this right it will override the "Log on as a batch job" settings

Affected Products

Shavlik Protect 9.x

Purpose

This document explains how to transfer data and patch files manually from a Shavlik Protect Console on a Internet facing network, to a Protect Console on a Secure network with no internet connection using Write Once/Read Only Media .  This procedure is used when data from re-writable media is not allowed to be copied to machines in a secure zone.

Procedure

Setup a separate Distribution Share for Internet Connected and Offline Protect Consoles as a data file and patch repository

• Setup a separate shared folder for each security zone for the Internet Connected and offline facing consoles that is accessible from the console to be used as the path for Distribution Server configuration.
• Make sure that patch definitions downloads are scheduled so that current patch definitions are synced to the Distribution Server share
• Configure a Distribution Server on each console using the document, Configuring Authenticated SMB Distribution Servers.
• Configure the Distribution Server on the Connected Protect Console to Sync All engines, definitions, and patch downloads.
• Under Tools > Operations > Downloads on the Secure Network Protect Console, select the Specific Distribution Server for the "Definition download source" and the "Patch and Service Pack" download source.

Copy files to a DVD to be delivered to the Protect Console on the Secure Network 

• Sync data files and patches to the Distribution Server share manually using information the document How to Manually Synchronize Distribution Servers
• Burn contents of the Distribution Server Share from the Internet Connected Console to a write one DVD-R
• Walk the DVD-R to the Secure non-internet facing network and copy the contents to the Distribution Share on the Secure Network Protect Console

Using the copied files

After the data files and patches have been downloaded to the Secure Network Protect Console Distribution share, data files will be transferred to the correct folder when files are refreshed automatically during a scan or manually using Help > Refresh files.  Patch downloads will go to the Downloads folder when the console requests a patch download during deployment.

Additional Information

This Procedure is simplified by using the existing Download folder as specified under Tools > Operations > Downloads as the Distribution Share for the internet console.  This eliminates the need to sync the Patch downloads.  You would only need to sync the Core engines/definitions and Threat engines/definitions if you are using agents. 

Affected Product(s)

Protect 9.X

I am simply looking to patch only a version of Office Viewer to a certain number of machines. Is there a way to easily do this manually without creating policies, etc?

Purpose

The following document is designed to be a landing page for common issues associated with restrictions, procedures, and regulations typical of a Military or Government classified environment

Common security policies and issues that exist for a Government/Military Environment (Classified)

The following connectivity and file restrictions can exist in a military environment:

• No connectivity with subnets outside the security zone including the internet
• Files can only be transported one-way to machines inside the restricted environment
• Files from restricted subnet cannot be transported outside the subnet without review from security personnel

Shavlik Protect Functionality impacted by above restrictions

• Patch Definition files cannot be downloaded directly from XML.Shavlik.com or
• Patches cannot be downloaded on demand directly from Patch Vendor sites such as Microsoft, Adobe, or Firefox
• Unable to use the Online activation method to activate a Shavlik Protect activation key

Updating Patch Definitions and Install files to a Console located in a Secure Environment

When files can only be transported one-way to machines inside the restricted environment, many customers copy these files to Write Once/Read Only Media to manually transport them to the Protect Console in the Secure Zone.  This is explained in the document

Updating Patch Definition And Install files To A Non-internet Facing Console Using Read Only Media

How to Process A Manual (Offline) Activation when >Secure to Non Secure network file transfer is not allowed

Many military customers are unable to transport digital files from a Secure to Non-Secure network.  If this is case use the manually enter Activation Request data option in Manual Activation to gather numbers that can be hand written and carried to the non-secure zone to create a activation key request file.  This is explained in the document

How To Process A Manual (Offline) Activation For Shavlik Protect

Deploying patches downloaded from the Department of Defense Patch Repository

In order to ensure patches are downloaded from a Secure site, the Department of Defense provides vendor patch downloads from https://patches.csd.disa.mil/ These Patches that have been downloaded from the Department of Defense Patch Repository and can be used if the files are renamed to match the Shavlik "Download File Name" for the patch. .  For example WinSec-MS15-046_v3.0-003-P58853-excel2010-kb3054845-fullfile-x64-glb.exe would be renamed to excel2010-kb3054845-fullfile-x64-glb.exe . Instructions to obtain and use the "Download File Name" are found in the documentProtect doesn't recognize a patch that was manually downloaded

Information Assurance Vulnerability Alert (IAVA)

When the license key Government Edition of Shavlik Protect is activated, the Information Assurance Vulnerability Alert (IAVA) Reporter is enabled

The following links provide information dealing with IAVA information and Shavlik Protect

IAVA XML File Overview: Location and download information for IAVA files

Creating an IAVA Report: How to create an IAVA Report

Performing an IAVA Patch Scan: How to create and use a IAVA patch Group

AVA Patch Lookup:How to look up IAVA patches from the official IAVA list. This may be useful when identifying patches that may not be present within Protect

Affected Product(s)

Shavlik Protect 9.X

Hi,

I am trying to activate Shavlik Protect but the connection looks like it is being blocked by our firewalls, I can find lots of information about inbound and outbound ports but nothing that clearly states what is needed for the activation. Is it over HTTP or HTTPS or another method.

Many thanks,

Steve

Purpose

The purpose of this article is to go over how to reschedule jobs that have already been scheduled in Shavlik Protect.

Description

1. Go to Manage > Scheduled Tasks.

2. Locate the console's machine from the left pane-window. Make sure there is an small hourglass next to the name of the console machine. This means it has scheduled jobs on it. If not, select "Refresh All" in the upper-left hand corner. 

NOTE: If you are unable to find the console's machine, follow the guide in this article (Protect Console Missing from Machine List in Scheduled Task Manager) and then continue on to the next step.

3. Select the jobs you want to reschedule on the right.

4. Right-click on the job and select "Reschedule".

5. Configure the settings to when you want to the job to be scheduled to execute. Click "Reschedule". Confirm reschedule in pop-up window.

6. Confirm correct schedule by selecting job and reviewing parameters in the window below.

Additional Information

You can also manually run the scheduled tasks now or delete them in the same manner and selecting the appropriate option when right-clicking on the scheduled task(s).

Affected Product(s)

Shavlik Protect 9.x

Hello all

• Client has signed an CSA agreement with Microsoft (Extended Windows Server 2003 support)
• We have received information from Client regarding their agreement with Microsoft on how the updates will be provided past EOL date. (An alternate download procedure).  The procedure for updates downloads are similar to that of Windows XP CSA.
  1. 1. MS provide a tool which give the customer access to download Windows Server 2003 security patches into the WSUS installation
  2. 2. From the WSUS the relevant patches can be distributed to the deployment tool of choice (e.g SCCM, others…)
     (see an example on how to do this here  )

My questions to you are (regarding patching of Windows Server 2003 past EOL):

  Can we integrate this procedure to work with our current Shavlik patch management of Client enviroment ?

  Does Shavlik has some kind af aproach tot his issue ?

Ideas ? Thanks

Purpose

This document will go over how to exclude machines in a machine group through the Link to File feature.

Description

1. Create a text file with the list of machines you want to exclude.

However the machines are added into the Machine Group (IP address, machine name, FQDN) is how you will need to list the machines to exclude in the text file.

2. In your Shavlik Protect Console, click on "New" and then Machine Group.

3. Pick the tab that you will be adding the machines into the machine group. (This example is using IP Address/Range. Since the text file has multiple IPs, the range exclusion will be used.)

  Link to file exclusion is only available for Machine Name or IP Address/Range tabs.

4. Check the box next to "Exclude" and then click on the "Link to file" button. (This example is using IP Address/Range. Since the text file has multiple IPs, the "Link to file (ranges) exclusion will be used.)

5. Navigate to the text file you created in Step 1 and add the file.

6. Confirm that your text file location shows in the box below and has "Exclude" in the column under "When Scanning".

Additional Information

• You cannot add the "Link to file" and then right-click on the area below to "Exclude".
• For more ways to exclude machines in a machine group, consult the following article: Exclude Machines During Scans

Affected Product(s)

Shavlik Protect All

Purpose

When scanning a non-discriminate group of machines, such as by IP range, or OU, Protect will try all machines that exist as part of the group. In some situations it may be desirable to exclude certain machines.
Example: Scanning an IP range that contains many machines that should be patched, and one machine that cannot be patched on the same schedule as the others.

This document outlines how to exclude one or more machines from during a scan.

Resolution

Open the machine group that you will be using to scan against.
The machine group will show your machines that are going to be scanned.

Example: In this machine group, Protect will scan an IP range of 5.5.5.1-5.5.5.255

Add the machine(s) that should be skipped. This can be done by IP, NetBIOS, FQDN. These will by default be added and Included in the scan.

Example: Added a machine called 'SkipThisMachine' and a machine with IP 5.5.5.100

After the machines to be excluded have been added into the machine group, right click each and choose 'Exclude'.
Note: Holding CTRL while selecting allows you to highlight multiple entries at once, at which point you can right click any and it applies the changes to all that are highlighted.
Note: Alternative to right clicking, you can click the 'When Scanning' box at in the machine group and choose 'Exclude'.

The machines should now show Exclude under the When Scanning column. This will prevent the machine from being scanned and showing up in the scan results.
Note: In version 9.0 the operations monitor during a scan will list machines that have been excluded (only for informational purposes - no scan results occur for that machine). In verisn 9.1 it will not list excluded machines in the operation monitor during a scan.

Additional Information

•   However you add the Machines into the Machine Group is how you will need to list them to be excluded from the group (i.e. Machine Name, IP address, FQDN).
• You can place the machines to exclude in a text file and add it in by linking to the file and setting the file to exclude. To do this, consult the following article: How To Exclude Machines Through The 'Link To File' Feature

Affected Product(s)

Shavlik Protect 9.x

Purpose

In some environments, there may be multiple administrators tasked with overseeing patch management. When using multiple administrators with Protect- understanding how this works and the best practices for such a configuration can help this process run more smoothly. This document explains how Protect handles multiple administrators and shares some best practices for using Protect with multiple admins.

Description

How Shavlik Protect Manages Multiple Administrators

Shavlik Protect contains a number of built-in checks to guard against simultaneous and conflicting commands from different administrators. For example:

• The program will not allow duplicate group names or template names
• The program will not allow simultaneous updates to any groups, templates, distribution servers, or agent policies by different administrators. If this situation should occur the second administrator will receive a warning message similar to the following:

     "Another user has updated the Machine Group named 'Sample Machine Group' since you opened it. Reload 'Sample Machine Group' to see their changes."

• Only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of that task before the program will allow the administrator to continue.
  • Note: The 'Take Ownership' button is only displayed if you have two or more consoles that share one database. If your organization uses multiple Shavlik Protect consoles that share the same database, only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of the task before the program will allow the administrator to continue. Any existing maintenance tasks will be allowed to complete before ownership is transferred to another administrator.

Best Practices When Using Multiple Administrators

Recommendations

• You should upgrade your hardware platform by increasing the number of processors and the amount of installed memory on the console machine. This will increase performance in those instances when two or more administrators are logged on at the same time and performing tasks.
  • Minimum suggested hardware requirements for two administrators: 2 processor cores and 4 GB RAM
  • For a high performance system, use 16 processor cores and 32 GB RAM
  • For each additional administrator, add 1 processor core and 1 GB RAM
• When two administrators log on to the same console they must use different accounts. The same account can be used only when logging on to different consoles.
• If you edit a group that is typically used by another administrator you should notify that person about the change.
• Each administrator should create their own credentials and assign them to machines.
• Each administrator should define default credentials that are the same as their logon credentials. This will eliminate problems that may occur if the administrator forgets to assign machine credentials.

Potential Issues When Using Multiple Administrators

Usage Issues

You must take a few common sense precautions when using multiple administrators.  Even though Shavlik Protect contains a number of built-in safety checks, it cannot guard against all possibilities. The program may act in unpredictable ways if the following occur:

•   If two administrators try to scan the same machine group or ESXi Hypervisor at the same time.

The machines will be scanned twice, causing potential performance issues. In addition, there may be administrative rights errors due to the multiple connections.

•   If two or more administrators try to deploy patches or bulletins to the same machine at the same time.

The most likely result is that one deployment task will succeed and the other will fail. But because the deployment that succeeds will likely perform a restart of the target machines, the machines may be in an unknown state when the other deployment fails.

Credential Issue

When you create credentials and assign them to machines, those credentials belong to your administrator account. If a different administrator (Administrator B) logs on and uses Shavlik Protect, they will not have access to the machine credentials you provided. The second administrator must provide their own machine credentials.One of the ways this can be confusing is if Administrator B fails to provide their own machine credentials and tries to schedule a patch deployment from a scan that was performed by Administrator A. The deployment can be successfully scheduled if default credentials are available, but the actual patch deployment will likely fail because the patch deployment requires machine credentials -- credentials that were provided by Administrator A but that are not available to Administrator B.Recommendations:

• Each administrator should create their own credentials and assign them to machines
• Each administrator should define default credentials that are the same as their logon credentials. This will eliminate some of the problems that may occur if the administrator forgets to assign machine credentials.

Virtual Inventory Consideration

Unlike machine groups (which can be viewed by all administrators), vCenter Servers and ESXi Hypervisors can only be viewed by the administrator that added them to Shavlik Protect. If two different administrators want to manage the same vCenter Server or ESXi Hypervisors, both administrators must add the item to the Virtual Inventory list.

Additional Information

How Credentials work in Protect

Affected Products

Shavlik Protect 9.x

Symptoms

Deployments are failing on machines that are configured, under a deployment template, to download patches directly from a Distribution Server rather than a console push.  The error in the st.distribution servers.log shows the following:

08:39:02 Distribution Servers

File cannot be copied from this location.

Cause

The scheduler credentials are corrupt or invalid.

Resolution

Uninstall and Reinstall the Scheduler on the affected machine using instructions found at How To: Uninstall & Reinstall The Shavlik (ST) Remote Scheduler Service On A Single Machine to refresh the credentials file.

Affected Product(s)

Protect 9.X

Hello,

  I am using Shavlik protect and am trying to scan a machine group and turn the missing critical and important patches into a patch scan template to scan against other machine groups and eventually deploy patches.  I am able to highlight the patches I want from the completed scan and turn them into a patch group, but how do I then use that patch group to scan against other machine groups, and then deploy those patches.

Thank you,

Jeff

this question has possibly been answered already in a prior thread. Why do I see a difference in the number of missing patches when I run a security scan in Shavlik vs. running Windows Update directly on the server ? Any insight would be appreciated.

The past week or so when I run a scan, the operations monitor reports that the patch progress is "0 of" whatever and the status is building deployment files.  When you look below at each machine the state is "file downloaded" for each machine.  It never moves past this point.  I have done the obvious; rebooted the server, refreshed the files, confirmed everything is up to date, and synced the distribution servers.  I do not know what is up with this.  Any thoughts or advice?