I have been using Shavlik Patch for a few years now and did not seem to have issues.  Recently I updated our system to use agents on all of our PC's to make the patching process easier.  I have distribution servers setup, and thought everything was working.  What I am finding is that no matter at which location in our company, they all go back to a single server.  I have the IP Ranges setup to point to a certain server to use.  I also have my agents setup to download per IP Range.  Over multiple locations, they all go back to this one server.  The weird part is, I do not have secondary servers setup for my IP ranges, and this one server is only tied to two of the 10 IP ranges.  IP addresses that are no where close, come back to this one server.  I am lost.  Any ideas?

Hey guys,

We just became aware of the issue regarding ccleaner 5.53 being a trojan. Better late than never I guess. While we're already scanning everything with antivirus, I was curious what the best method to scan for the software is. So far I have attempted to make a patch group solely scanning for Piriform CCleaner. I know that we can run a Software Scan Report, but I have to go through and ctrl+F every time to find what version is installed on the computers. The other reports simply tell me what computers have CCleaner and that it needs to be updated (not what the current version has).

I'm sure this is something simple that I'm overlooking. Can someone help me with this?

Patches are failing with an error in the description field via Deployment Tracker with patch fails - returned 126

I am looking to pull complete report for all the patches that were applied this month along with the server names.

I deploy patches using the scheduled tasks within Ivanti patch. I have been informed today that two of the servers that were patched on a Sunday at 7PM rebooted today (Monday) at 10:30AM. I have checked the deployment and the patches we deployed and installed by 7:20PM however the servers did not reboot until 10:30 this morning. Has anyone else come across this issue?

I am trying to step up an patch Server in a network that doesnot have internet connection.   It is set up..but now I want to get patch from another server since I cannot download from the internet to this pc. 

I had taken the patch folder from other system and put on new system, however when I try to deploy patches it fails due to not validating certificates.

I am only concerned about getting the patches.. no need to get other information like machines, users etc..

What is the best way to do this.

Thanks

I was wondering if I can edit Protect Agent Installation message.  We don't allow saying files to the root of the C: drive so we would like to explain to our users just what to do in more detail.

I'm looking for a way to easily have Ivanti Patch tell the computer that before it applies a patch that it create a restore point.  It looks like I can inject a script but was just curious if there's a built in way or setting. 

I still have a large number of machines that stick on "SCHEDULED" but never deploy. Upon further research, I noticed that the "Shavlik92" key does not show in the registry path. Can I assume this is required to obtain a successful deployment?

Purpose

This document is meant to be a guide of some good documents and links specific to Shavlik Protect version 9.1. This is not a comprehensive list of documents.

Description

General Information

• Protect 9.1 Online Help
• Online Documentation
• Training Videos
• Release Notes

Installation & Configuration

• Download Site
• Protect 9.1 Installation Guide
• Protect 9.1 System Requirements
• Shavlik Protect Requirements Guide
• Firewall & Proxy Exception White-List
• Installing Prerequisite Software
• How to Activate Shavlik Protect

Upgrade Information

• Protect 9.1 Upgrade Guide
• Preparing for Upgrade of Protect and Resolving Common Upgrade Issues

9.1.4334.0 New Features and Bug Fixes

Released 4/17/2014

• Major New Features

  • Localized Console Experience
    • Shavlik Protect is now localized for the following languages: Chinese (Standard), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, and Spanish.
  • Localized SafeReboot
    • The SafeReboot dialog has been localized to support the same language set as above. The language of the client machine’s operating system will determine which language is displayed. The SafeReboot dialog will default to English if the operating system language is not supported.
  • Online Help
    • Localized versions of the Help system are now available on the Web. The help text will be localized according to the language specified on the Display Options dialog. An Internet connection is required in order to access localized help text from the console. For environments that do not have direct Internet access, an English-only version of the Help system is still shipped with the product and is available locally on the console.
  • IPv6 Support
    • Shavlik Protect now supports IPv6. IPv4 is still the preferred IP scheme that will be displayed in the UI, so for environments that happen to have IPv6 turned on but are not utilizing it yet, the IPv4 address will be the default address shown for machines.
  • Report Views
    • In conjunction with this release, Shavlik is providing a Report Views Guide that describes how to use database views within SQL Server database queries to generate custom reports for Shavlik Protect. This also allows for third-party tools such as SQL Reporting Services, Crystal Reports, Splunk, and others to be used to create reports for Shavlik Protect.
• Minor New Features and Enhancements
  • Improved Machine Resolution in FQDN and IP-only Environments
    • For customers who have environments that require FQDN or IP to resolve machines, Shavlik has made significant improvements to our machine resolver so that Shavlik Protect will retain multiple resolution methods for each machine. FQDN, Hostname, and IP can all be attempted to ensure the machine is resolved correctly.
  • Scan by Vendor Severity
    • The patch scan templates and the assessment engine have been updated to include filters that enable you to scan by vendor severity. You can now scan specifically for Critical, Important, Moderate, Low, or Unassigned security or non-security patches.
  • Deployment Workflow Enhancements
    • The deployment workflow has been consolidated to reduce the many branches that existed in the deployment experience. When you perform a deployment now you will see the same level of detail as a scheduled deployment. The deployment results are also available for viewing after the deployment is complete.
  • Machine-Level Status in Operations Monitor and in Deployment Tracker
    • A machine-level status has been added to the deployment flows. This gives you better visibility into the current state of your deployments.
  • Deployment Return Codes
    • Deployment return codes are now available within Deployment Tracker and within the deployment reports. Making the return codes available within the Shavlik Protect UI eliminates the need to comb through target machine logs for the return codes.
  • Active Directory (AD) Enhancements
    • Shavlik Protect is now able to discover any Active Directory Forests and Domains that are broadcasting themselves to the console machine’s domain. In addition, you can now add additional Forests and Domains and save credentials for these items. This allows you to browse these items without having to reconnect each time.
• Deprecated Features

  • Features That Have Been Removed in Shavlik Protect 9.1

  • The following platforms are no longer supported for use as a console:
    • Windows XP
    • Windows Server 2003
    • Windows Vista
    • Windows Server 2008 (prior to R2)
    • Windows 8 (Windows 8.1 is supported)
    • 32-bit architecture operating systems
    •   In response to Microsoft’s strategic direction and recent end-of-life announcements, Shavlik has removed support for the above platforms as a Shavlik Protect console. Shavlik Protect 9.0 is the last version to support these platforms as a Protect console. All of these platforms are still supported as agentless and agent-based targets.

    • To help ease the migration to newer platforms, Shavlik has developed a migration tool that will help administrators to transition a console from one machine to another. Microsoft has announced an end-of-life for Windows XP in April 2014 and for Windows Server 2003 in April 2016. We are recommending that customers on these platforms migrate to newer operating systems as soon as possible. Shavlik will not be supporting Windows 8 as a console due to an incompatibility issue with Powershell 4.0, which is a new prerequisite in Protect 9.1. Windows 8.1 support is being added with Protect 9.1.

  • The following VMware ESX Hypervisors are no longer supported:
    • ESX 4.0
    • ESX 4.1 (ESXi 4.1 Hypervisors are still supported)
  •   Shavlik is removing support for hypervisor patching and offline VM, template, and snapshot features for these versions, as VMware is ending support for these platforms in 2014. Shavlik Protect 9.0 is the last version to support these versions.
  • Export to TIF, TXT, and RTF formats

  • Shavlik has removed support for these formats as they are little used and provide little value to the majority of customers. Future versions of Shavlik Protect will still support export to PDF, XLS, TSV, CSV, and XML formats.

  • Features That are Targeted for Removal After Shavlik Protect 9.1

  • Windows Server 2000 support for agentless scan and remediation will be removed after 9.1
  •   Shavlik is announcing that Protect 9.1 will be the last version to support Windows Server 2000 as an agentless target. Protect 9.1 will support this version of Windows until it reaches its end-of-life, which has not yet been announced.
  • SQL Server 2005 support will be removed after Protect 9.1

  • Shavlik is announcing that Protect 9.1 will be the last version to support SQL Server 2005 (all editions). Customers should work towards moving to newer editions of SQL Server as soon as possible.

  • User Criticality Filter will be removed after Protect 9.1
  •   With the introduction of the Vendor Severity filter, the User Criticality Filter’s primary function is now obsolete and will be removed in a later release. The feature has a high maintenance cost and low value for most customers.

• Bug Fixes

  • Resolved an issue where duplicate agent results could conflict, causing import to fail.
  • Resolved an issue where duplicate agent results cause a loop on import, blocking up the import queue.
  • Resolved an issue where custom patch could allow a .bat file to be used which would cause agents to fail deployment. The .bat extension has been pulled from the custom patch file options.
  • Resolved an issue where LDAP over SSL connections would attempt to use the Shavlik Certificate. The Shavlik Certificate on upgrade will be moved into a custom store.
  • Resolved an issue where the 'Is Policy Current' value for Threat Protection Agents could incorrectly show as No when they really are up to date.
  • Updated the Help System to include descriptions for agent icons that were not documented.
  • Updated the Help System with an outbound port 443 requirement for the Protect Cloud Sync feature.
  • Resolved an issue where a result could not be imported if the service pack of the product could not be determined.
  • Resolved an issue where attempts to delete a partial scan result could result in a console crash.
  • Resolved an issue where an agent result missing the EndTime attribute would fail to import.
  • Resolved an issue where the Patch Status Detail Report could end up with PatchBulletinTitle on multiple lines due to a carriage return.
  • Updated the community link for data conversion errors on upgrade to point to the proper community article.
  • Resolved an issue where the Executive Summary Report could reflect the Effectively Installed Patches count incorrectly.
  • Resolved an issue where scan results could fail to import do to a 'Arithmetic overflow error' on the primary key in the ScanItems table.
  • Updated the Administration Guide to place the 'What's New?' section in the correct location in the document.
  • Resolved an issue where using the Microsoft Scheduler could cause scans to add five minutes to the specified scheduled time.
  • Resolved an upgrade issue where an unassociated event subscription could cause the database upgrade to fail from 8.0.2 to 9.0.1182.
  • Resolved an import issue where Agent Deployment Results could cause the importer to loop backing up the import queue.
  • Resolved an issue where the console could crash when you start many scans simultaneously on a resource constrained machine.
  • Changed from using MD5 hash to SHA1 in asset value normalization to be compliant on a FIPS enabled machine.
  • Resolved an issue where HFCLI.exe was not using the Protect License Key, causing certain licensed features of HFCLI to not work.
  • Resolved an issue where using the Browse Active Directory feature would not allow you to select a forest.
  • Resolved an issue where the console service could crash on foreign key exceptions.
  • Resolved an issue where the console service could crash when encountering an unknown service pack item type.
  • Resolved an issue where 2003 R2 SP2 systems could reboot unexpectedly when upgrading the agent from 8.0.2 to 9.0.1106.
  • Resolved an issue where an unnecessary horizontal scroll bar would appear in the Machine View.
  • Resolved an issue where the console service could crash when it is unable to decrypt credentials.

Affected Product(s)

Shavlik Protect 9.1.x

Purpose

This is a list of highly recommended documents for improving general knowledge of the Shavlik Protect product. This article is not a comprehensive list of documents.

For the Shavik Protect specific landing page, please see document DOC-23514.

Initial Installation & Configuration

• Download Site
• Training Videos
• Protect 9.1 Installation Guide
• Protect 9.1 Upgrade Guide
• Protect 9.1 Online Help
• Protect 9.2 Online Help
• Protect 9.2 Agent Quick Start Guide
• Protect 9.2 Quick Start Guide
• Protect 9.2 Installation and Setup Guide
• Protect 9.2 Upgrade Guide
• Protect 9.2 Administration Guide
• Protect 9.2 Report Views Guide
• Protect 9.2 Virtual Machine Quick Start Guide
• Protect 9.2 Best Practices Guide
• Protect 9.2 Guidelines For Creating Custom ITScripts
• Protect 9.2 Supported Products
• Shavlik Protect Requirements Guide
• Firewall & Proxy Exception White-List
• Installing Prerequisite Software

Licensing Information

• How to Activate Shavlik Protect
• Managing License Seat Usage
• Offline Activation Process
• Sales/Licensing Contact Information

Best Practices & How To's

• Best Practices Guide (9.1)
• Best Practices: Java Deployment
• Best Practices: Software Distribution
• Best Practices: Agentless Scanning & Deployment of Service Packs
• Best Practices: Using Security Tools
• Best Practices and FAQ on using Threat protection with Shavlik Protect agents
• How To Configure Windows Firewall for Protect
• How to Create a Custom Patch
• How to manage Shavlik in an Offline network
  • Offline Environment: How To Manually Update patch data files
  • Offline Environment: How to Manually Update threat definitions

Troubleshooting & Common Issues

Installation & Upgrade

• Preparing for Upgrade of Protect and Resolving Common Upgrade Issues
• Data Conversion error during Upgrade
• Cleaning up broken installs of Protect
• Resolving database upgrade timeout failures

Obtaining Trace Logs

• Console, Client Side (agentless), and Agent log files
• Console Install and Setup Logs
• DPD Trace (for scan detection issues)
• Listing & Purpose of All Log Files

Scanning & Detection

• Troubleshooting Patch Scan Error Codes
• Scans running slow or taking long time to complete
• Scan Results fail to import (Incomplete results)
• Why Shavlik Protect scan results may differ from Windows Update
• Java patches not shown missing or installed
• How to include or exclude specific patches in scan
• Adobe & Mozilla Incremental Updating process
• Patch install/uninstall loops (patches that always show missing)

Patch Deployment & Shavlik Scheduler

• Deployed patches appear as missing
• Deployment Tracker Status Message Values
• How to Troubleshoot A Failed Patch Install
• Service Pack Deployment Guidelines
• Reinstalling the Shavlik Remote Scheduler Service

Database Related

• SQL Database Maintenance Recommendations for Protect
• Cleaning up (purging) a Protect Database
• Increasing database timeout period
• Moving/migrating Protect database

Agents

• Agent Diagnosis Commands
• Agent Install failing at 67% (registration failure)
• How to fully uninstall and reinstall an agent

Other

• Issues adding machines to a group via Active Directory/OU
• Verifying Proxy Settings for Download Issues
• Role Based Administration Lockout Fix
• Understanding the Machine Groups and the Machines View

Other Useful Information

• XML (Patch Definitions) Update Information
• List of Currently Supported Products
• Feature or Change Requests

I have a handful of machines when I am deploying patches, and I receive the above errors.

I found an article talking about this issue, see below link:

Deployment Tracker Status - Unable to Verify or Complete (not verified)

I am running:

Ivanti Patch for Windows® Servers Standard 9.3.0 Build 4440

However I cannot find where the HF.log is, and by following the document below, it does not exist in that location for me:

Scans Show Few/No Missing Patches and No Installed Patches.

I have looked on the Console server and the client and i can't find it. Has this log be renamed?

Thanks in advance.

Kieren

Is anyone getting emails that are sent from Shavlik Cloud?  When I create a new agent key and select send email I never get it.  The spam filter does not show anything either. 

Overview

These documents provides information about the End of Life policy for legacy Shavlik products, VMware branded versions of the same product lines and legacy Shavlik and HEAT OEM products that are now a part of the Ivanti family. The Ivanti Product Support Policy applies to the products released under the Shavlik or HEAT brand name. The Shavlik Product Support Policy applies to the products released under the Shavlik and VMware brand names. All dates presented in this document are in the ISO developed international format. This format uses a numerical date system as follows: YYYY-MM-DD where YYYY is the year, MM the month and DD the day. The information contained herein is believed to be accurate as of the date of publication, but updates and revisions may be posted periodically and without notice.

Legacy Shavlik products, VMware branded versions of the same product lines:

End of Life Information for Products Powered by Shavlik

Legacy Shavlik and HEAT OEM products that are now a part of the Ivanti family:

End-of-Life Information for OEM Products Powered by Shavlik and HEAT

Purpose

This article explains how our detection the Delta or Cumulative version of the patch is offered.

Description

Our detection logic will verify the  'UBR' value from the registry to determine if the Delta or the Cumulative update will be offered.

HKLM" Key="SOFTWARE\Microsoft\Windows NT\CurrentVersion" Value="UBR" (Update Build Revision)

• The Delta is offered if build version equals N-1. (N= Latest Build. Current build being offered minus one version level)
• The full Cumulative update is offered if build version is N-2 or less.

You will only be offered one or the other and never both.

Related Documentation

Windows 10 release information

Affected Product(s)

Shavlik Protect 9.x

Ivanti Patch for Windows Server 9.x

Hello,

I'm just getting started pushing Windows security patches to (mostly) vm's in an ESXi cluster.

I have Shavlik Protect pointed to our vCenter so it can see all machines, and I have manually created machine groups and put the machines into them accordingly.

Our interest at this time is only Windows security patches (critical, etc). We pushed out patches to handful of servers last night successfully, but it keeps "adding" VMware Tools and it also threw in Java Runtime to the patch list for each server.

I need some help determining why it's doing this, as I have only a limited set of Microsoft products defined as what will be patched.

If there's an easy way to remedy this without defining special patch groups that would be great.

Running Shavlik Protect Standard 9.2.0 Build 5119

Thank you in advance to anyone who can assist as we move closer to pushing patches to production machines.

-Brian G

I have a 2 hour countdown and the option to extend for 2 hours. The extend on the system is greyed out after deployment. Does it wait until a certain point to give the ability to extend?

Thanks

I am using Ivanti Patch for Windows Standard v9.3 Build 4510.  Is there a method using the product to stop specific services prior to rebooting after patches have been deployed?

Thanks

Hello --

I am encountering the 501 error code when trying to do a scan on a Windows 10 system. The system in question has been updated

to the Windows 10 version 1709 release. I have confirmed the Windows Defender firewall is allowing port inbound connections through

the 5120 port, and the Remote Registry Service is running and on Automatic.

Additionally, I have gone into the Registry itself, and modified the Disabled setting for the RegistryIdle to 1. None of the steps that I have

taken have solved the problem. What other measures do I need to take?

Thanks.

I am trying to delete a machine group, but it does not appear readily apparent on how I can do this.

Can someone provide information?

Thanks.