
How To: Deploy Windows Security OOB updates released January 3, 2018


Purpose

 

The purpose of this document is to discuss the behaviors when deploying the Windows Security out-of-band updates that were released on January 3, 2018.

The following document contains information on the changes to detection for the applicable patches: Important information on detection logic for the Intel 'Meltdown' security vulnerability

 

Description

 

Microsoft is requiring a registry key to be present on every machine that has no anti-virus or outdated anti-virus. The following Windows Security OOB updates released January 3, 2018 are affected by this:

 

  • MS18-01-IE Q4056568
  • MS18-01-SO7 Q4056897
  • MS18-01-SO8 Q4056899
  • MS18-01-SO81 Q4056898
  • MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893

 

Below is the expected behavior when scanning for and deploying these patches without and with the registry key in place.

See Additional Information for help creating the registry key using a custom action.

This is what to expect for scan and deployments when the registry key does not exist on the target machine:

 

When scanning machines without the registry key in place, you will be offered detection of the updates, but will not be able to download or deploy the update. This will be noted in the Ivanti Comments section for the patch:

 

 

Detection only support means the following:

 

The patch is not downloadable. If you try to download the patch, you will see a message stating 'None of the selected patches need to be downloaded'.

 

This patch cannot be deployed. This is what the Deployment Tracker will look like during the attempt. The download patches will not turn green, as the patch cannot be downloaded and deployed until the registry key is detected.

 

 

This is what to expect for scan and deployments when the registry key exists on the target machine:

 

When scanning a machine that has the required registry key in place, the patches will be offered with full deployment support. This means the patch is now able to be downloaded from Microsoft and to be deployed to the endpoints.

 

 

The patch will now be downloaded and then packaged as normal.

 

 

The patch will now be scheduled and then start the deployment execution process.

 

 

 

Additional Information

 

How To: Use Custom Action To Add Required Registry Key For Deploying Microsoft Patches as of January 3rd, 2018

 

Affected Product(s)

 

Shavlik Protect 9.2

Ivanti Patch for Windows Servers 9.3


manual activation file


I'm currently refreshing/updating my license for Shavlik Protect 9.2.  I'm using the offline method for this process. As I try to import my activation file, I get the following message:  "The selected manual activation file is not valid".  Not sure what is causing the error.  Any thoughts? 

New patches not downloadable


I'm using Ivanti Patch for Windows Servers Standard, running on Win Server 2012R2.  I refreshed the XML to last night's (4 Jan 2018) release and scanned some systems.  I see that there are new patches needed on our Win7/Win10 1607/WinSvr2012R2 machines, but the download feature is not available.  Is this related to the Microsoft OOB release and the required registry entry, or just a glitch in the XML that will be updated?  Or maybe something else?

 

dwhit5555

Snapshot Maintenance in Ivanti Patch for Windows Servers 9.3


Purpose

 

This document discusses the different methods of snapshot maintenance in Ivanti Patch for Windows Servers 9.3. Snapshot Maintenance applies only if you have virtual machines in your network that are hosted on one or more VM servers.

 

Overview

 

Scheduled Snapshot Maintenance through the Console Task Scheduler

 

This allows you to configure a one-time or recurring task that will remove old virtual machine snapshots from the server. It also requires a proper scheduler credential to be set in Manage > Scheduled Console Tasks, as described in Manual scans work, scheduled scans fail: Scheduler Credential.

 

1. Go to Tools > Options > Snapshot Maintenance.

 


 

2. When you click Add or Edit, the Scheduled Snapshot Maintenance dialog is displayed. This dialog is used to configure the snapshot maintenance task.

 

 

Snapshot Maintenance through your deployment template

 

1. Go to your deployment template and navigate to the Hosted VMs/Templates tab.

 

2. Select the number of days that you would like to keep snapshots, or the maximum number of snapshots that Ivanti Patch for Windows Servers will keep, and save your deployment template.

 

 

3. Use this deployment template in your next deployment to your hosted virtual machines.

 

Ivanti Patch for Windows Servers will now delete snapshots according to the rules set in step 2 during the next deployment. Unlike the first method of Snapshot Maintenance, this method does not run on a schedule and will not execute the rules set above until the next deployment. During the next deployment Ivanti Patch for Windows Servers will check the rules and delete snapshots accordingly if they meet the qualifications to be deleted.

 

For instance, if you have specified that snapshots should be deleted after two days, then during each deployment Ivanti Patch for Windows Servers will check whether any snapshots are two or more days old.

 

You can automate this process using How To: Setup Automatic Removal of Vmware Snapshots in Protect 9.2.

 

Affected Product(s)

 

Ivanti Patch for Windows Servers 9.3

Is it possible to copy "Patch groups" to other Shavlik Consoles?


Hello all,

 

I searched around for this answer however I was only able to find a post from 2013 where this previously wasn't possible. I manage 6 Shavlik consoles right now and with the Meltdown patches coming out, I want to be able to copy these patch groups to at least lessen the mundane work I have to do in order to scan machines for these patches specifically.

 

Is this a possibility at this time?

 

Thanks!

server not found message at startup


When I first launch Shavlik Protect 9.3 I get a pop-up window in the lower right corner of my monitor saying a particular server was not found. The server it mentions did exist at one time but the server name was changed. For some reason the Shavlik app still thinks the server's old name exists somewhere. Is there any way to stop this?

 

Thanks

 

E

Shavlik Cloud email


Is anyone getting emails that are sent from Shavlik Cloud?  When I create a new agent key and select send email I never get it.  The spam filter does not show anything either. 

ACAS Support


I currently use the Federal version of Shavlik/Ivanti Patch in my company's network infrastructure. I was told that Ivanti was supposed to be introducing some sort of compatibility with ACAS this fall. I would like to see if there is any information regarding this feature that I can review.


January kb4056897 & kb4056898 Require Registry keys to activate Patch.


January KB4056897 & KB4056898 both require registry keys to activate the patch (Server OS only).

Is there any guidance on including this in the push? Or is Ivanti creating a custom patch to set these keys?

 

Thanks  

Tim

File Validation Error - Adobe Flash Security updates


I have an Adobe Flash security update patch, specifically:

 

Adobe Flash 11
Bulletin ID: APSB17-42

KB: QAF2800126

 

I have a machine that is identified as missing it based on a default security patch scan. When attempting to deploy, the patch files are verified as having been downloaded (via patching window), are copied to machine (verified), and the installation directory is properly populated with the batch file to get things going. The batch file never renames itself to .HIS though, and instead the entire directory is cleaned up. The resulting error message in the console is "File Validation Failed". Examining the logs client side, STDeployerCore.log reports "WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.".

 

I've restarted all prerequisite services on this server, have done some root cert cleanup, and have attempted to redeploy and am receiving the same error message still.

 

Just looking for thoughts on what else might be causing this.

 

Thanks,

Shavlik condensed software catalog


Is there any way to create the Shavlik software catalog with a cumulative set to totals for each unique software found? Or do I need to export the data out to adjust?

Important information on detection logic for the Intel 'Meltdown' security vulnerability


Overview

 

Microsoft has identified a severe compatibility issue with a small number of anti-virus software products.

We highly suggest all customers review these issues here:  https://support.microsoft.com/en-us/help/4072699

Due to possible BSOD issues that may occur when installing this update on systems with out-of-date AV software, we will be adding a detection prerequisite:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"

Value="cadca5fe-87d3-4b96-b7fb-a231484277cc"

Type="REG_DWORD"

 

  • The patches will be offered for deployment if the key exists.
  • If the key does not exist, you will be offered the detection-only version of this patch.
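
The prerequisite above can be audited on a set of machines before scanning. This PowerShell is an added example, not Ivanti's or Microsoft's code: the function name `Get-QualityCompatStatus`, its `ComputerName` parameter and the `ExpectedOffer` labels are assumptions, and the mapping simply follows the two bullets above. It is read-only, needs PowerShell 3.0 or later, and needs the Remote Registry service reachable on remote targets.

```powershell
# Added example (not from the original article): read-only audit of the
# QualityCompat detection prerequisite. It never creates or changes the value.
$SubKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatStatus {
    [CmdletBinding()]
    param(
        # Hypothetical parameter name; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    # Force the 64-bit view so a 32-bit PowerShell host is not redirected to
    # WOW6432Node; on a 32-bit OS this resolves to the only view there is.
    $view = [Microsoft.Win32.RegistryView]::Registry64

    foreach ($computer in $ComputerName) {
        $status = [ordered]@{
            ComputerName  = $computer
            ValuePresent  = $false
            ValueKind     = $null
            Data          = $null
            ExpectedOffer = 'Detection only'   # value absent (second bullet above)
            Error         = $null
        }
        $base = $null
        $key  = $null
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
            } else {
                $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer, $view)
            }
            $key = $base.OpenSubKey($SubKey)   # $null when the subkey is missing
            if ($key -and ($key.GetValueNames() -contains $ValueName)) {
                $status.ValuePresent  = $true
                $status.ValueKind     = $key.GetValueKind($ValueName).ToString()
                $status.Data          = $key.GetValue($ValueName)
                $status.ExpectedOffer = 'Full deployment'   # value present (first bullet)
                if ($status.ValueKind -ne 'DWord') {
                    # The article lists the type as REG_DWORD; whether the scan
                    # engine also checks the type is not stated, so only warn.
                    Write-Warning "$computer : value exists but is $($status.ValueKind), not REG_DWORD"
                }
            }
        } catch {
            # Unreachable host, access denied, Remote Registry stopped, etc.
            $status.ExpectedOffer = 'Unknown'
            $status.Error         = $_.Exception.Message
        } finally {
            if ($key)  { $key.Dispose() }
            if ($base) { $base.Dispose() }
        }
        [pscustomobject]$status
    }
}

# Example call against the local machine; pass a list of host names to audit more.
Get-QualityCompatStatus | Format-Table -AutoSize
```

Machines reported as `Detection only` are the ones where download and deployment of the listed patches will be unavailable until the value is present.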

 

Affected patches:

 

  • MS18-01-IE Q4056568 - Cumulative Updates for Internet Explorer
  • MS18-01-SO7 Q4056897 - Security Only Update for Windows 7 and Server 2008 R2
  • MS18-01-SO8 Q4056899 - Security Only Update for Server 2012
  • MS18-01-SO81 Q4056898 - Security Only Update for Windows 8.1 and 2012 R2
  • MS18-01-W10 Q4056888, Q4056890, Q4056891, Q4056892, Q4056893 - Cumulative Update for Windows 10 and Server 2016

 

Affected CVEs:

 

  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754

 

Link to Security bulletin advisory:  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

 

Additional Information

 

How to scan for specific patches: How To: Include or Exclude Specific Patches in Scan Results

How to deploy these patches:  How To: Deploy Windows Security OOB updates released January 3, 2018

How to add the registry key through Custom Actions: How To: Use a Custom Action to add required registry key for deploying Windows Security OOB updates release January 3, 2018

 

Affected Products

 

Ivanti Patch for Windows Servers 9.3.x

Shavlik Protect 9.2.x

Application shutdown


Hi, could anyone recommend a way to patch multiple servers that hold one application in the correct order?

 

Ideally what I'd like to do:

1 - stop application services across multiple servers

2 - patch application & database servers

3 - reboot database server first & ensure it's back online (pre 4)

4 - reboot application servers.

 

Any ideas would be greatly welcome.  I believe I can achieve step 1 with the use of a Powershell script (though I can currently only get it to work if each server is running its own individual script) but I can't see a way to reboot/patch the servers in a particular order.

 

Thanks,

Lynette.

File verification failed


Hello,

 

After creating a custom patch, I try to deploy the patch.

Every time I get an error: File verification failed.

I don't find any problems in the log files.

 

Do you have any suggestions?

 

Kind regards

Daniel


Firewall and Proxy Exceptions URL List - Shavlik Protect/Ivanti Patch for Windows Servers (01/09/2018)


Overview

 

This article provides a list of web addresses that the Protect application must be allowed to reach. If they are blocked, you may see the following symptoms:

 

  • Patch files fail to download
  • Patch definitions fail to update
  • Activation or License Refresh fails
  • Home page RSS feed fails to load
  • Product check for update fails

 

URL List

 

Protect and Patch for Windows Servers require these URLs to be accessible through firewalls, proxies and web filters:

 


 

If you require the IP addresses to create exceptions you can find the IP addresses used for content.ivanti.com here. To obtain the IP for vendor sites you can ping the site for the current IP address or contact the vendor to obtain this information.

Affected Product(s)

 

Shavlik Protect, All versions

Ivanti Patch For Windows Servers, All versions

"Patch is not available for the language selected" when trying to install KB4056987 and KB4056898


I have had a head scratcher all day and hope you can help!

 

 

 

I am currently deploying scheduled patches and am having no issues, however when trying to install the out of band Spectre vulnerability fixes above, I get a language error message and the following when viewing the error:

 

Zero patches are available and properly signed.

No patches were deployed. Please review the program logs to determine the cause.

Patch deployment canceled due to failure building deployment instructions.

Error on machine 'XXXXXXX': Failed

 

I've completed a refresh of files, checked the patches are downloaded, all looks good.  All other patches have installed ok.

 

We are running McAfee Endpoint protection 10.5 which is a verified supported AV (anything above 10.2 is good). I added the registry key to one machine and retried and it patched fine.

 

Can you advise as to what could be giving this issue? Do I need to install the registry fix even though we are on supported AV?

Adding patches to a patch template by using patch groups (feature request)


So guys, is there any way to start with a patch scan template and ADD patches to it via patch groups? I can override the entire template using a patch group as a baseline, I can also layer an exclusion group on top of the patch template via patch groups, but I can't take a patch template and add a patch group to it, to include patches that would otherwise be skipped.

 

Case in point, this time around for meltdown and spectre, we typically only push critical patches to our environment. The meltdown/spectre patches for server are largely considered important (not critical) this time around. So that means if I use my base patch scan template, I'm missing the important. If I check off important in the template, I'm now including importants from everything (even more of a problem). So I'm left with a stitched together solution which is as follows:

 

I create a patch group called 'Jan'18 Exceptions' and into it, I place all important patches which aren't the 2 that I need for meltdown/spectre. Then I do a scan from my base template and add the exceptions to it in order to come up with one scan that has everything I need.

 

Is this also how others do it? Or am I missing something? The alternative of course being to run 2 scans, one for baseline patches, the other for just the meltdown/spectre ones, but that's double everything, double reporting, double deployments, etc etc.

 

Thoughts?

Agent installer for 2003 servers (32 bit)


Where can I get the agent installer for 2003 servers (32 bit)?

Agent stuck on Installing Patches (17025)


Our agents are attempting to deploy several MS Office patches despite the fact that they are considered already installed. The patches are as follows:

 

KB3191923

KB4011142

KB4011036

KB4011219

KB4011572

KB4011568

KB3213542

KB4011563

KB4011568

 

Launching the patches manually informs me the updates are installed.  Please advise.

 

Thank you,
