Channel: Shavlik User Community : Document List - All Communities

Availability of patches and Shavlik updated XML files after vendor patch release

Purpose

 

This document contains information about the availability of patches and Shavlik updated XML files after vendor patch release.

 

 

Description

 

While Shavlik aims to release updated assessment and deployment XML files on the same business day that a new security bulletin-related patch is released, we may require up to 24 hours after bulletin release to fully test the patches and release updated XML files. This is to ensure the proper amount of time for testing Protect's ability to scan, deploy and uninstall (where applicable) the latest patches on all affected systems.

 

New XML files can be downloaded by selecting Help > Refresh Files or by simply allowing a patch scan to automatically download them as part of the scanning process.

 

If you would like to be updated when new XML files have been released, please see the following resources:

 

Sign-up for XML announcement emails:

http://www.shavlik.com/support/xmlsubscribe/

 

XML Information page:

http://protect7.shavlik.com/

 

XML Twitter:

https://twitter.com/ShavlikXML

 

 

Affected Products

Patch Day Checklist when using Agents

Purpose

 

This document is meant to provide a checklist that will ensure successful deployment of patches when using agents with the Protect product.

 

Description

 

Checklist for patch day when using agents with Protect

 

 

1) Make sure you are signed up for the XML Announcements list. This gives you up-to-date information on when new XML is released and which new patches have been added to the product. Whenever our data content team releases new patch definitions for Protect, you will be sent an email notification.

http://www.shavlik.com/support/xmlsubscribe/

 

You can also see the latest patch definition information at these sites:

http://protect7.shavlik.com/category/patch-and-bulletin-information/

http://protectessentials.shavlik.com/

https://twitter.com/ShavlikXML

 

2) Once the latest XML is live make sure your Protect console is updated.  Run Tools > Refresh Files.  This will check in with XML.Shavlik.com and update any new XML and Engine files.

 

You can automate this update by doing the following:

 

In Shavlik Protect 9: Go to Tools > Operations > Downloads. Under 'Schedule automatic downloads' choose Core engines/definitions in the drop down, then click the Add button to the left. You can then set up a schedule for the definitions to automatically download. You may also want to set up the same type of schedule for Threat Engines/Definitions.

 

In Protect 8: Go to Tools > Options > Definitions. Put a check next to 'Periodically download new definitions', and you can set the schedule.

 

3) Download patches you need to push for this patch cycle.

 

This step is required for agents using a distribution server for patch downloads, but is optional for agents set to download from vendor over internet. 

 

The best way to do this is to scan a test group of machines that include all products and platforms that would be found in your production environment.  From that scan result select and download all or selected patches. Another method is to search for the patches you want within View > Patches and download any that you know are required.

 

4) Synchronize your distribution servers. (Not required if your agent policy is set to download via Vendor over Internet.)

 

How to do this:

 

In Protect 9: Go to Tools > Operations > Distribution Servers. Under 'Distribution Servers' highlight the distribution server you wish to synchronize. You must set up a scheduled sync - in the drop-down above the recommended method is to choose 'All engines, definitions, and patch downloads'. Then click on 'Add scheduled sync'. This allows the synchronization to take place on the schedule you set up, and you will now see the synchronization jobs listed under the 'Scheduled automatic synchronization' area. If you wish to run synchronization immediately you can highlight one of the scheduled syncs, then click 'Run now'.

 

In Protect 8: Go to Tools > Distribution Servers > Synchronization tab.  Synch Engines and XML and Download Center. You can also enable automatic synchronization, which would take place at the same time as the schedule set up under Tools > Options > Definitions for the automatic download.

 

5) Update any approved patch listing in the agent policy or patch groups that are being used. If you use these methods to limit what Protect can scan for or deploy you may need to update them accordingly to contain any newly released patches.

 

 

 

Affected Products

 

Shavlik Protect 9.x

vCenter Protect 8.x

How to activate or renew Shavlik Protect console - Licensing


 

 

Purpose


This document outlines the various ways to activate the Protect Console. These methods are also used when the Protect subscription has been renewed and the license needs to be refreshed.

 

 

Access the Licensing Window

 

Help > Enter/Refresh license key

 

1.PNG

 

Shavlik Protect Activation window

2.PNG

 

 

Activate Online

 

Select "Product or Bundle license".

If this is a new license, enter your activation key and select Add.

Choose "Online activation".

Click "Activate online now"

 

If you are refreshing a license, leave the existing key and click "Activate online now"

 

 

Activate Offline

Select "Product or Bundle license".

If this is a new license, enter your activation key and select Add.

If you are refreshing a license, leave the existing key

Choose "Offline activation".

Click "Create Request"

The manual activation request file "LicenseInfo.xml" will be saved to your desktop.

 

Move the XML file to a computer with Internet access.

Go to: https://license.shavlik.com/OfflineActivation to upload the file, "LicenseInfo.xml".

The license portal will generate a license file for you to download and import

1.PNG

 

 

 

Select "Download Manual License" to download the manual license file and move it to the console computer

Within Shavlik Protect, select Help > Enter/Refresh license key.

Import the processed license to the console by selecting "Import manual license".

Click "select file" to browse for the file, ProtectLicense.xml, and click "Open".

Shavlik Protect will process the file and the program will be activated.

 

 

Trial License

 

Choose "Trial Mode" and hit "Create request".

 

Note: If you use a proxy, you will need to configure its parameters in the "configure proxy" dialog box in order to reach the Shavlik licensing servers.

 

 

 

Affected Product(s)


Shavlik Protect 8.x
Shavlik Protect 9.x

How Credentials work in Protect


 

 

Purpose

 

This document is meant to provide a full overview of how credentials are entered, used, and work within the Shavlik Protect product.

 

 

Description

 

Credential Precedence for Physical Machines and Online Virtual Machines

Initiating actions from the home page, from a machine group, or from a favorite

The home page, machine groups and favorites can be used to initiate actions, patch scans, asset scans, power management, and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:

  1.   If one or more of the following are available,  the credential with the highest precedence will be used. The precedence order is as follows:  
    1. Machine-level credentials

    2. Group-level credentials

    3. Default credentials

Example: If machine-level credentials are not available but group-level and default credentials are available, the program will use the group-level credentials.

  2.   If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

If neither of these credentials work, the scans and the power management tasks will fail.

One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.

Initiating an agent installation from a machine group

When using a machine group to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follow the same strategy as above with one major exception: integrated credentials will not be used. So the agent installation must be successful using machine-level, group-level, default, or explicitly supplied credentials.
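The precedence rules above, for actions and agent installations started from the home page, a machine group, or a favorite, can be modeled as follows. This is an added example, not Shavlik code: the Credential class, the function names, and the sample inventory are constructed for illustration, and it assumes that a stored credential is "available" to an administrator only if that administrator created it or it was defined as shared.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTEGRATED = "Integrated Windows Authentication"


@dataclass(frozen=True)
class Credential:
    name: str             # friendly name given in the Define Credential dialog
    owner: str            # administrator who created the credential
    shared: bool = False  # "Share this with background tasks, agents, ..." box


def usable(cred: Optional[Credential], admin: str) -> bool:
    """Assumption: a credential is available to an administrator only if that
    administrator created it or it was defined as a shared credential."""
    return cred is not None and (cred.shared or cred.owner == admin)


def attempt_order(admin: str,
                  machine: Optional[Credential] = None,
                  group: Optional[Credential] = None,
                  default: Optional[Credential] = None,
                  agent_install: bool = False) -> List[str]:
    """Ordered list of what is tried for one target machine."""
    attempts: List[str] = []
    # Step 1: only the highest-precedence available credential is used.
    for cred in (machine, group, default):
        if usable(cred, admin):
            attempts.append(cred.name)
            break
    # Step 2: integrated logon is the fallback, except for agent push installs.
    if not agent_install:
        attempts.append(f"{INTEGRATED} ({admin})")
    return attempts


def audit(admin: str,
          inventory: Dict[str, Tuple[Optional[Credential], Optional[Credential]]],
          default: Optional[Credential] = None) -> Dict[str, str]:
    """Flag machines for which this administrator has no stored credential."""
    findings: Dict[str, str] = {}
    for host, (machine, group) in sorted(inventory.items()):
        if not attempt_order(admin, machine, group, default, agent_install=True):
            findings[host] = (
                f"no stored credential usable by {admin}: scans depend on the "
                "integrated logon only and an agent push install cannot authenticate"
            )
    return findings


# Constructed sample data: adminA created every credential, one of them shared.
CRED_WEB = Credential("web01 local admin", owner="adminA")
CRED_DB = Credential("db01 local admin", owner="adminA")
CRED_GROUP = Credential("Servers group account", owner="adminA", shared=True)
CRED_B_DEFAULT = Credential("adminB default", owner="adminB")

INVENTORY = {
    "web01": (CRED_WEB, CRED_GROUP),  # (machine-level, group-level)
    "db01": (CRED_DB, None),
    "ws01": (None, None),
}

if __name__ == "__main__":
    for admin, default in (("adminA", None), ("adminB", None),
                           ("adminB", CRED_B_DEFAULT)):
        label = default.name if default else "none"
        print(f"== {admin}, default credential: {label}")
        for host, (machine, group) in sorted(INVENTORY.items()):
            print(f"  {host}: {attempt_order(admin, machine, group, default)}")
        for host, problem in audit(admin, INVENTORY, default).items():
            print(f"  ! {host}: {problem}")
```

Run against the sample inventory, the second administrator has nothing to authenticate an agent installation on db01 or ws01 until a default credential of their own is defined.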

Initiating actions from Machine View or Scan View

When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the program will attempt to authenticate to the target machines using a variety of credentials and will do so using the following strategy:

  1.   If one or more of the following are available, the Protect console will try to authenticate using the credential with the highest precedence, where the precedence order is as follows:  
    1. Any manually or automatically assigned managed machine credentials (see the To Individual Machines in a Machine Group section in Supply Credentials for Machines) (used if the scan credentials are invalid or missing, for example, if an agent performed the scan rather than the console)

  2.   If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.

If neither of these credentials work then the action will fail.

Initiating an agent installation from Machine View or Scan View

When using Machine View or Scan View to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follow the same strategy as immediately above with one major exception: integrated credentials will not be used. So the agent installation must be successful using managed machine credentials, default credentials, or explicitly supplied credentials.

 

Credential Precedence for Offline Hosted Virtual Machines

Initiating actions from the home page, from a machine group, or from a favorite

The home page, machine groups and favorites can be used to initiate patch scans, asset scans, and power management actions and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each offline hosted virtual machine using the browse credentials.

Initiating actions from Machine View or Scan View

When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the credentials that will be used to authenticate to an offline virtual machine depend on the power state of the machine when it was initially scanned.

If a machine was originally scanned in offline mode

The program will attempt to authenticate using the browse credentials.

If a machine was originally scanned in online mode

The program will attempt to authenticate using a variety of credentials and will do so using the following strategy:

  1.   Try using any manually or automatically assigned managed machine credentials
  2. If the following are available, try to authenticate using the credential with the highest precedence, where the precedence order is as follows:

    1. The administrator credential from the machine group. If the administrator credential exists but fails, the default credentials will not be tried.

    2. Default Credentials (used if the scan credentials are invalid or missing (for example, if an agent performed the scan rather than the console))

  3.   If the credentials used above do not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.

If none of these credentials work then the action will fail.

 

Defining Credentials

The Define Credential dialog can be accessed anywhere a credential is used within the Shavlik Protect interface (for example, from a machine group, from the Credentials Manager, etc.). It is used to specify a new user name and password pair that collectively define one credential. The credential is stored with strong encryption techniques. Only the administrator that creates the credential will be able to decrypt the credential and access it from within the program. If you elect to share the credential, however, it will be made available to other administrators as well as to Shavlik Protect service components.

 

Note: Credentials may be automatically defined for you during a product upgrade or when importing a machine group. Any credentials that are found during these processes are preserved and will be assigned friendly names according to their usage. The term Discovery filter is the friendly name assigned by the program to a machine group credential that it identifies during an upgrade or import process. Feel free to change the name to something that more closely reflects the usage of the credential in your organization.

 

define_cred.jpg

 

Name this credential so it can be used elsewhere

Provide a friendly name for this credential that describes exactly where it should be used.

User name

Type a user name that has access to the machine(s). When specifying the user name:

  • If you need to specify a domain as part of the credentials be sure to include the domain name as part of the user name. For example, if you enter User@<Domain>, <Domain>\User, or a fully qualified user name, Shavlik Protect will use the domain account rights. 
  • If you enter <Target Machine>\User, Shavlik Protect will use the target's local account rights.

  • If you do not include a domain or machine as part of the user name, the name will be qualified to the target machine (<targetmachinename>\User).

  • Microsoft Windows .alias name formats (for example: '.\username') are supported by Shavlik Protect.

Password

Type the password for the user.

Verify password

Retype the password to verify you specified it correctly.

Share this with background tasks, agents, and other features

If enabled, this credential will be available to all Shavlik Protect administrators and can be used to specify credentials for service components within the program. The service components within Shavlik Protect that require a shared credential include the following:

  • Proxy service
  • Email service

  • Agent internet proxy

  • Distribution servers

  • TrustedHost list access when running remote scripts

Why is it necessary to share a credential? Credentials are encrypted, so you must share a credential so that the service components can decrypt and access it when needed.

Example: If you select Tools > Options > Proxy and attempt to assign Service credentials, only shared credentials are available for selection. The service must have a copy of the credential in order to decrypt it.

Note: It is recommended that you create a service account to perform these service functions rather than using a domain administrator account. See Potential Security Implications When Sharing Credentials for more information.

 

Supplying Scan Credentials for Target Machines

Note: Browse credentials are slightly different from the scan credentials described in this section. Browse credentials are used by servers, domains, and organizational units to enumerate machines but do not actually authenticate to the individual machines.

 

This section provides information on how to define new scan credentials and how to assign the credentials to target machines. Credentials consist of a user name and password pair used to authenticate the program to specified target machines. One credential can be associated with any number of operations or entities. The credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.

 

The scan credentials you supply will be used to access remote machines, perform any scans, and push any necessary files. The supplied credentials will NOT be used to:

  •   Authenticate to the local (console) machine

Rather, the program uses the credentials of the currently logged on user to authenticate to resources on the local machine. Therefore, in order to perform tasks on the local machine, make sure you log on using an account that has administrator and local machine access rights.

  •   Perform a patch deployment

The machine credentials that you supply are used to provide access to the remote machine and to push the necessary patch deployment files. The actual deployment, however, will be run under the remote machine's Local System account.

You use a machine group to initially assign scan credentials to target machines. You can assign credentials to individual machines, to all machines in a machine group, or both. After a machine has been scanned and is contained in Shavlik Protect's database of managed machines, you can use the Machine Properties dialog to assign different credentials if desired.

 

Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.

Assigning Credentials to Individual Machines in a Machine Group

To assign credentials to one or more machines in a machine group, in the bottom pane select the machines and then select Credentials > Set Admin Credentials.

assigning_creds1.jpg

On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.

assigning_creds2.jpg

When credentials are applied to the selected machines, the icon in the Admin Credentials column will become active. In addition, the name of the assigned credential is displayed next to the icon.

assign_creds_tiny.jpg

Assigning Credentials to All Machines in a Machine Group

To assign credentials to all machines in a machine group, in the top pane select Credentials > Set Credentials.

assigning_creds3.jpg

On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.

assigning_creds2.jpg

When credentials are assigned the icon will contain a check mark:

assign_creds_tiny.jpg

In addition, the button name will change to the name of the assigned credential.

Assigning Credentials to Virtual Machines

There are several different tabs that can be used to add virtual machines to a machine group. The credentials that will be used to scan and/or deploy patches to these machines depend on how the machines are defined to the group and on the current power state of each machine.

  • Hosted Virtual Machines tab: Used to add virtual machines that are hosted by a server. The credentials used to scan each machine depend on the current power state of the machine.
    • A hosted virtual machine that is offline at the time of a scan will be accessed using the server's browse credentials. Any individual credentials supplied for the machine are ignored.

assigning_creds4.jpg

    • A hosted virtual machine that is online at the time of a scan will be accessed using scan credentials for that machine. See Assigning Credentials to Individual Machines in a Machine Group, above.

    assigning_creds5.jpg

    • Workstation Virtual Machines tab: Used to add offline virtual machines that reside on individual workstations. You should assign individual machine credentials for each virtual machine defined using this tab. If appropriate, credentials can also be assigned at the machine group level. The credentials are used during the mounting process and provide permission for Shavlik Protect to access the virtual machine files on the workstation. See Assigning Credentials to Individual Machines in a Machine Group, above. 
    • Machine Name tab, Domain Name tab, or IP Address/Range tab: Used to add virtual machines that reside on individual workstations and that are online at the time of a scan. See Assigning Credentials to Individual Machines in a Machine Group, above.

    Assigning New Credentials to Machines After They Have Been Scanned

    After one or more machines have been scanned and are contained in Shavlik Protect's database of managed machines, you can use the Machine Properties dialog to assign different credentials or to remove credentials.

     

    There may be several reasons for providing different credentials to machines after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.

    assigning_creds6.jpg

     

    Managing Credentials

    Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.

    The Credentials Manager is used to manage all credentials used within the program. It is also used to set the default credential for the program.

    Although you can supply new credentials from several different areas of the program, all of the credentials can be edited and deleted from this single location. This greatly simplifies the credentials management process. For example, if a password that is used to authenticate a specific group of machines changes, you simply use the Credentials Manager to update the associated credential. All items assigned to that credential are automatically updated with the new password.

     

    To manage the credentials used by the program, select Manage > Credentials.

    manage_creds1.jpg

     

    Add

    Enables you to add a new credential.

    Edit

    Enables you to modify the selected credential.

    Delete

    Deletes the selected credential. You can delete multiple credentials at the same time.

    When you delete a credential the following occurs:

    • The credential itself is deleted 
    • All usages of the credential throughout the program are deleted

    • If it is a shared credential, the shared credential and all its usages are deleted

    Caution! Any items using the deleted credential will no longer be assigned a credential. Before you delete a credential you should browse your machine groups to verify the credential is not being used.

    Merge

    Tip: This credential cleanup tool will typically be used immediately following an upgrade from an earlier version of Shavlik Protect that does not contain the Credentials Manager.

    Enables you to merge one or more credentials that contain the same user name and password with another credential entry that also contains the same user name and password. Or you can merge several different credentials into one new credential that is effective in all situations. By eliminating duplicate and unneeded credentials you reduce confusion and lessen the chance for human error.

    1. On the Credentials Manager dialog select the credential(s) you want to merge with another credential. 
    2. Click Merge.

    The Merge Credentials dialog is displayed. For example:

    manage_creds2.jpg

    3. At the bottom of the dialog do one of the following:
    • Select an existing credential: The credential(s) specified in the Confirm credentials to merge list will be merged with the credential you select here. 
    • Create a new credential: The credential(s) specified in the Confirm credentials to merge list will be merged with the new credential you create here.

    Note: A shared credential can only be merged with another shared credential. Therefore, if any of the credentials in the Confirm credentials to merge list are shared, then (1) only shared credentials will be offered for selection in the Existing box, and (2) any new credential you create will automatically be defined as a shared credential.

    4. Click Merge.
    5. Read the message on the confirmation dialog and if you agree with the merger, click Merge.

    View usages

    Enables you to see how and where the selected credentials are being used in the program. Only those credentials that are currently being used in the program will be displayed in the Credential Usages dialog. A credential may be listed multiple times if it is used in different areas of the program.

    manage_creds3.jpg

    You can right-click on any list item and perform a number of different actions.

    • Assign different credential: Enables you to assign a different credential to the selected item(s). You can assign a different credential to multiple items at once but only if they all have the same Shared Usage value (Yes or No). 
    • Expand all: Expands all lists.

    • Collapse all: Collapses all lists.

    • Export selected credential usages to CSV: Export information about the selected items to a Comma Separated Values (CSV) file. The CSV file can then be used within a spreadsheet program.

    Set as default

    Assigns the selected credential as the default credential. The program will use the default credential if other credentials are missing or invalid.

    Clear default

    Removes the default credential assignment.

    User Name

    Displays the user name portion of each credential. 

    Name

    Displays the unique name assigned to each credential.

    Shared

    Displays whether the credentials are shared credentials. The information in this column is directly related to the Share this with background tasks, Agents, and other features check box on the Define Credential dialog.

     

     

    Managing Individual Machine Properties (Explicitly supplied credentials)

    You can set explicit credentials for machines via View > Machines > Right Click a machine > Machine Properties.

     

    Manage_Machine_Properties.jpg

    Credential: Specifies the credential used when authenticating Shavlik Protect to the machine. The credential you supply here will override credentials specified in other areas of the program. If you select None you effectively remove the credential currently assigned to the machine.

     

    There may be several reasons for providing different credentials to a machine after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.

     

    How Shavlik Protect Manages Multiple Administrators

    Shavlik Protect contains a number of built-in checks to guard against simultaneous and conflicting commands from different administrators. For example:

    • The program will not allow duplicate group names or template names 
    • The program will not allow simultaneous updates to any groups, templates, distribution servers, or agent policies by different administrators. If this situation should occur the second administrator will receive a warning message similar to the following:

    another_user.jpg

    • Only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of that task before the program will allow the administrator to continue.
      • Note: The 'Take Ownership' button is only displayed if you have two or more consoles that share one database. If your organization uses multiple Shavlik Protect consoles that share the same database, only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of the task before the program will allow the administrator to continue. Any existing maintenance tasks will be allowed to complete before ownership is transferred to another administrator.

     

    Best Practices When Using Multiple Administrators

    Recommendations

    • You should upgrade your hardware platform by increasing the number of processors and the amount of installed memory on the console machine. This will increase performance in those instances when two or more administrators are logged on at the same time and performing tasks. 
      • Minimum suggested hardware requirements for two administrators: 2 processor cores and 4 GB RAM

      • For each additional administrator, add 1 processor core and 1 GB RAM

      • For a high performance system, use 16 processor cores and 32 GB RAM

    • When two administrators log on to the same console they must use different accounts. The same account can be used only when logging on to different consoles.

    • If you edit a group that is typically used by another administrator you should notify that person about the change.

    • Each administrator should create their own credentials and assign them to machines.

    • Each administrator should define default credentials that are the same as their logon credentials. This will eliminate problems that may occur if the administrator forgets to assign machine credentials.

     

     

     

    Potential Issues When Using Multiple Administrators

    Usage Issues

    You must take a few common sense precautions when using multiple administrators.  Even though Shavlik Protect contains a number of built-in safety checks, it cannot guard against all possibilities. The program may act in unpredictable ways if the following occur:

    •   If two administrators try to scan the same machine group or ESXi Hypervisor at the same time.

    The machines will be scanned twice, causing potential performance issues. In addition, there may be administrative rights errors due to the multiple connections.

    •   If two or more administrators try to deploy patches or bulletins to the same machine at the same time.

    The most likely result is that one deployment task will succeed and the other will fail. But because the deployment that succeeds will likely perform a restart of the target machines, the machines may be in an unknown state when the other deployment fails.

    Credential Issue

    When you create credentials and assign them to machines, those credentials belong to your administrator account. If a different administrator (Administrator B) logs on and uses Shavlik Protect, they will not have access to the machine credentials you provided. The second administrator must provide their own machine credentials.

    One of the ways this can be confusing is if Administrator B fails to provide their own machine credentials and tries to schedule a patch deployment from a scan that was performed by Administrator A. The deployment can be successfully scheduled if default credentials are available, but the actual patch deployment will likely fail because the patch deployment requires machine credentials -- credentials that were provided by Administrator A but that are not available to Administrator B.

    Recommendations:

    • Each administrator should create their own credentials and assign them to machines 
    • Each administrator should define default credentials that are the same as their logon credentials. This will eliminate some of the problems that may occur if the administrator forgets to assign machine credentials.

    Virtual Inventory Consideration

    Unlike machine groups (which can be viewed by all administrators), vCenter Servers and ESXi Hypervisors can only be viewed by the administrator that added them to Shavlik Protect. If two different administrators want to manage the same vCenter Server or ESXi Hypervisors, both administrators must add the item to the Virtual Inventory list.

     

     

     

    Additional Information

     

    More information concerning credentials usage in Protect and possible known issues can be found in the following community documents:

     

    Shavlik Protect Encryption Q&A

    How-To troubleshoot Error 5 - Access is denied

    Change Machine Credentials on Multiple Machines at Once

    Account Lockout - Scheduler Service using Credentials

     

     

    Affected Product(s)

     

    Shavlik Protect 9.x

    vCenter Protect 8.x

    Patches that will not be supported in Protect from 1/14/14 Patch Tuesday

    Purpose

     

    This document is meant to provide information about specific patches that cannot be supported for patching within the Protect application.

     

     

    Description

     

    The following patches from the January 14, 2014 Patch Tuesday will not be supported within Protect:

     

    MS14-004 - DynamicsAX

    Reason: The patch cannot be automated in Protect.

     

    MS14-001, KB2863901 only

    Reason: This is a custom Microsoft patch for specific customers, which we cannot support.

     

     

    Additional Information

     

    You can find additional information for these patches at the corresponding Microsoft articles:

     

    MS14-004

    http://technet.microsoft.com/en-us/security/bulletin/ms14-004
    http://support.microsoft.com/kb/2880826

     

    MS14-001

    http://technet.microsoft.com/en-us/security/bulletin/MS14-001

     

     

    Affected Products

     

    Shavlik Protect 9.x

    vCenter Protect 8.x

    Shavlik SDK, All Versions

    Shavlik Rebrands

    Security Update Patch MS14-004 (KB 2880826): Cannot be Supported by Shavlik Protect


     

    Purpose

     

    This document explains why Microsoft Security Bulletin MS14-004 cannot be supported by Shavlik Protect.

     

    Description

     

    Patch bulletin MS14-004 (http://technet.microsoft.com/en-us/security/bulletin/ms14-004) references a security update for Microsoft Dynamics® AX that resolves a security vulnerability in the software. Some administrators may wonder why MS14-004 cannot be found under patches in Shavlik Protect. Microsoft's restrictions on this security update do not allow it to be distributed through Shavlik Protect or any other standard means.

     

    According to Microsoft's official bulletin article:

    "Due to the servicing model for Microsoft Dynamics AX updates, Microsoft is releasing these updates to the Microsoft Download Center, Microsoft Dynamics CustomerSource, and Microsoft Dynamics PartnerSource only."

    From <http://technet.microsoft.com/en-us/security/bulletin/ms14-004>

     

    For this reason, Shavlik Protect is unable to provide this security update to customers for patching. For those with affected software (see next section of article), the security update referenced in this bulletin as noted above is only available through Microsoft Download Center, Microsoft Dynamics CustomerSource, and Microsoft Dynamics PartnerSource.

     

     

    Affected Software

     

    This security update is applicable to the following software versions:

     

    Software                                                     | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced
    -------------------------------------------------------------+-------------------------+---------------------------+-----------------
    Microsoft Dynamics AX 4.0                                    |                         |                           |
    Microsoft Dynamics AX 4.0 Service Pack 2[1] (2920510)        | Denial of Service       | Important                 | None
    Microsoft Dynamics AX 2009                                   |                         |                           |
    Microsoft Dynamics AX 2009 Service Pack 1[1] (2914058)       | Denial of Service       | Important                 | None
    Microsoft Dynamics AX 2012 and Microsoft Dynamics AX 2012 R2 |                         |                           |
    Microsoft Dynamics AX 2012[1] (2914055)                      | Denial of Service       | Important                 | None
    Microsoft Dynamics AX 2012 R2[1]                             |                         |                           |

     

    From <http://technet.microsoft.com/en-us/security/bulletin/ms14-004>

     

     

    Additional Information

     

    Microsoft KB Article for Security Bulletin MS14-004

     

    Affected Product(s)

     

    Shavlik Protect 9.x
    vCenter Protect 8.x

    Deploying 32-bit Java updates to 64-bit operating systems fails when using SCUPdates

    Symptoms

     

    Deploying 32-bit Java updates to 64-bit operating systems using SCUPdates fails.

     

     

    Cause

     

    This issue is caused by a Java install bug. The installer reads information for deployment on Windows operating systems in the 64-bit region of the registry, rather than the 32-bit region, which causes the failure.

     

     

    Resolution

     

    Currently, there is no workaround or resolution available for this issue. Once a workaround or a resolution is available, this article will be updated.

     

    Technical support has submitted a bug report to Sun/Oracle. For more information, see Oracle bug 6995830.

     

    Update 1/16/14 - Shavlik will soon be releasing a new plugin for SCCM called Shavlik Patch for SCCM which should help to resolve Java installation issues. The plugin allows Shavlik to utilize the same mechanisms that the Shavlik Protect program uses to work around the Java bug.

     

     

    Additional Information

     

    To be alerted when this article is updated, click Subscribe to Document in the Actions box.

     

    We have implemented a workaround solution with our Shavlik Protect product. Unfortunately, SCCM does not have the advanced commands for patch deployment which are necessary for this solution to be used along with a publicly available download of Java patches. For SCUPdates, we are looking for ways around this problem, but for the time being will need to continue waiting for Oracle to fix the installer issue.

     

    We submitted a bug over two years ago to Sun/Oracle stating the issue and the necessary fix. Oracle uses a voting system in which its consumers decide which non-security bugs will be fixed with each update.

     

     

    Affected Products

     

    Shavlik SCUPdates

     

    Supersedence / Patch Replacement Information for SCUPdates content and Expiring Patches in SCUP

    Purpose

     

    This document covers information about patch supersedence or replacement and how to expire patches via SCUP when using the Shavlik SCUPdates content.

     

     

    Description

     

    Patch Supersedence or Replacement information

     

    The first thing to note is that SCUPdates content does not include any built-in detection for patch supersedence or patch replacement. There is currently no information provided within the SCUPdates content concerning patch supersedence or replacement.

     

    How to handle patch supersedence/replacement with SCUPdates content:

     

    Although there is no supersedence information provided within the SCUPdates content, you can still use these methods to find out if patches are superseded:

     

    1) For most 3rd party updates such as Adobe and Java you can assume that the newest update replaces all others of that version. In the example screenshot you will see that the latest version of Adobe Flash Player for Internet Explorer is 11.8.800.175. Therefore any previous/older Adobe Flash for Internet Explorer updates would be superseded by this patch. Using the "Date Modified" column in SCUP will help determine the newest patch available.

     

    2) To confirm whether a patch replaces others, you can always go to the vendor's website for more information. In SCUPdates content under the patch Summary there is generally a link provided to the vendor's webpage concerning the patch release. This can be helpful in determining patch supersedence as well as other information.

     

     

    Expiring Superseded/Replaced Patches in SCUP

     

    The Shavlik content team did not focus on including built-in supersedence detection, so that the decision to expire patches is left to administrators. You can use the "Expire" feature within SCUP if you determine that you no longer want old, superseded, or unwanted patches being detected.

     

    *Important notes*: When you expire an update within SCUP it is a permanent change, and it may take some time for the change to synchronize with WSUS/SCCM.

     

    How to expire patches in SCUP:

     

    1) You will need to locate the patch(es) you wish to expire. In the example below you can see that we have Adobe Flash for IE version 11.8.800.174 highlighted. This patch is superseded (replaced) by the latest Adobe Flash for IE update - version 11.8.800.175. Since it is superseded we are going to expire Adobe Flash for IE version 11.8.800.174.

     

    In this image you can also see where more information is available in the patch summary.

    Capture1.JPG

     

    2) Highlight any patches you wish to expire. You can select multiple items with the CTRL+ features in Windows. Right click on the highlighted item(s) and choose 'Expire'.

    Untitled.jpg

     

    3) You will be asked if you're certain you want to expire the updates since the change is permanent. Click yes.

    Capture2.JPG

     

    4) You will now see that the Expired column shows 'Yes'.

    Capture3.JPG

     

     

     

    Additional Information

     

    You can find more information about using the latest version of System Center Updates Publisher (SCUP) here:

    http://technet.microsoft.com/en-us/library/hh134742.aspx

     

     

     

    Affected Products

     

    Shavlik SCUPdates


    Publishing an update in SCUP using data from SCUPdates fails with the error: Hash (or Digest) verification failed on content for update

    Symptoms

     

    • Cannot publish an update in SCUP using SCUPdates content
    • Publishing an update in SCUP using data from SCUPdates fails
    • You see the error "Hash verification failed on content for update" or "Digest Verification failed"
    • In the AutoPublish.log you see messages such as:
      • Error: the downloaded update for 'xxx' does not match the expected digest. The vendor may have replaced the download with a newer update.
      • Error downloading and/or verifying installers

     

    Cause

     

    This issue occurs because the update contains a static URL for the vendor file.

     

     

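    The SCUP editor stores the hash value of the downloaded file. Because the URL is static, the vendor can replace the file behind it with a newer version; when an older version of the update is then published using that URL, the stored hash value does not match the newer file.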

     

     

    Resolution

     

    To resolve this issue ensure you are using the latest data, and do not attempt to publish outdated updates.
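    The digest check behind this error can be reproduced before publishing. The following is an added example, not Shavlik or SCUP code: it compares a downloaded installer with the digest recorded when the update was authored, and extracts the affected update names from AutoPublish.log lines. The SHA-256 default, the file name and the sample log lines are constructed for illustration (use the algorithm your catalog records); only the log message wording comes from this article.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Message wording taken from the AutoPublish.log lines quoted in this article.
MISMATCH_RE = re.compile(
    r"the downloaded update for '(?P<name>[^']+)' does not match the expected digest"
)


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algorithm="sha256"):
    """Return (ok, actual_hex). A mismatch means the file served at the static
    URL is not the file the update definition was built from: do not publish."""
    actual = file_digest(path, algorithm)
    ok = hmac.compare_digest(actual.lower(), expected_hex.strip().lower())
    return ok, actual


def updates_with_digest_mismatch(log_lines):
    """Names of updates reported with a digest mismatch, in first-seen order."""
    seen = []
    for line in log_lines:
        m = MISMATCH_RE.search(line)
        if m and m.group("name") not in seen:
            seen.append(m.group("name"))
    return seen


def demo(workdir):
    """Constructed scenario: the vendor replaces the file behind a static URL."""
    installer = Path(workdir) / "install_example.exe"  # hypothetical file name

    installer.write_bytes(b"vendor build 1")   # file when the update was authored
    recorded = file_digest(installer)          # digest stored with the update
    before = verify_download(installer, recorded)[0]

    installer.write_bytes(b"vendor build 2")   # same URL now serves a newer build
    after = verify_download(installer, recorded)[0]
    return before, after


# Constructed sample log; 'Example Update 1.0' is a placeholder update name.
SAMPLE_LOG = [
    "Info: downloading installers",
    "Error: the downloaded update for 'Example Update 1.0' does not match the "
    "expected digest. The vendor may have replaced the download with a newer update.",
    "Error downloading and/or verifying installers",
]

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        print("digest ok before/after vendor replacement:", demo(tmp))
    print("updates to refresh from the latest data:",
          updates_with_digest_mismatch(SAMPLE_LOG))
```

    Any update named by the log check should be dropped in favor of the current definition rather than republished with the old digest.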

      

     

    Affected Products

     

    Shavlik SCUPdates

    Shavlik Patch for SCCM

    Power Management and Wake-on-LAN (WoL) Requirements


     

     

    Purpose

     

    Environmental and setup prerequisites for Power Management and Wake-on-LAN functionality

     

    Description

    Power Management Requirements

    Before performing a power management task, please confirm that you meet the following requirements.

     

    General Requirements

    • Power management tasks performed from machine groups will be successful on physical machines and online virtual machines, but not on offline virtual machines

     

    • A power management license key is required for all power tasks

     

    • An asset management license key is also required for Wake-on-LAN tasks

     

    • In order for power state changes to be made to a target machine, a user must be logged on to the machine or the local security policy Interactive logon: Do not require CTRL+ALT+DEL must be disabled.

     

    • The proper credentials must be available:
      • When initiating a power management action from Machine View or Scan View, the program will attempt to authenticate to the target machines using the credentials used in the most recent patch scan. If those credentials are invalid or missing (for example, if an agent performed the scan rather than the console) the program will attempt to authenticate to the machines using the default credentials. If the default credentials do not work the program will attempt to authenticate using the account credentials of the person currently logged on to the program. If those credentials do not work, the power management task will fail.

     

      • When initiating a power management action from a machine group or a favorite, the program will attempt to authenticate to the machines using the credentials defined in the machine group. If those credentials are invalid or missing, the program will attempt to authenticate to machines using the default credentials. If the default credentials do not work, the program will attempt to authenticate using the account credentials of the person currently logged on to the program. If those credentials do not work, the power management task will fail.

     

    Sleep and Hibernate Requirements

    In order to put a machine in or take a machine out of a sleep or hibernate state, its operating system must be configured to allow the operation.

     

    Wake-on-LAN (WoL) Requirements

     

    Hardware Requirements:

     

    • WoL tasks must be performed on physical machines, not on virtual machines
    • WoL must be enabled in the BIOS of the target machines. See your hardware vendor's product documentation for details.
    • Target machines must have either a wired or a wireless Network Interface Card (NIC) that supports WoL. See your hardware vendor's product documentation for details.
    • Target machines can be in sleep, hibernate, or powered off states.
    • Network cards on the target machines must have power available (either electric or battery).
    • Any intervening routers may need to be configured to forward subnet-directed broadcasts. See your hardware vendor's product documentation for details on configuring your routers.
    • Whether you need to configure your routers depends on where your target machines are located. If all the target machines are located on the same subnet as the console, your routers do not need to be reconfigured. If some of your target machines are behind one or more routers and thus on different subnets, the intervening routers must be configured to forward subnet-directed broadcasts on UDP port 9.

     

    Software Requirements

    • A hardware asset scan of each target machine must be performed prior to initiating a WoL request. The scan is needed in order to obtain the MAC address of each target machine. When configuring the hardware asset scan, make sure the Network option is selected.
    • Each target machine's operating system must be configured to allow WoL.
    • Outbound UDP port 9 must be open on the console machine.

     

    Power Status Scan Requirements

    A power status scan can be performed on physical machines, online virtual machines, and offline virtual machines.

     

     

    Additional Information

    A 3rd party freeware application can be used to verify that the target workstation is set up properly to receive Magic Packets. This is explained in the following document: Wake-on-Lan Magic Packet Test http://community.shavlik.com/docs/DOC-23187
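    The traffic that the WoL requirements above are about can be reproduced to test a target or a router configuration. This is an added example, not Shavlik code: it builds the standard magic packet from a MAC address, derives the subnet-directed broadcast address that intervening routers must forward, and sends to UDP port 9. The MAC and IP values are constructed.

```python
import ipaddress
import re
import socket

WOL_PORT = 9  # UDP port named in the requirements above


def parse_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac):
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def directed_broadcast(ip, netmask):
    """Subnet-directed broadcast address of the subnet the target lives on.

    A target on another subnet is reached through this address, which is why
    intervening routers must forward directed broadcasts on UDP port 9.
    """
    network = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    return str(network.broadcast_address)


def is_magic_packet_for(payload, mac):
    """Receiver-side check: the sync stream plus 16 copies of this MAC may
    appear anywhere inside the UDP payload."""
    return build_magic_packet(mac) in payload


def send_magic_packet(mac, broadcast_ip, port=WOL_PORT):
    """Send one magic packet; returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(build_magic_packet(mac), (broadcast_ip, port))


if __name__ == "__main__":
    # Constructed values: the MAC would come from the hardware asset scan.
    target_mac = "00-11-22-AA-BB-CC"
    target = directed_broadcast("10.1.3.20", "255.255.254.0")
    print(f"{len(build_magic_packet(target_mac))} byte packet for {target}:{WOL_PORT}")
    # send_magic_packet(target_mac, target)  # uncomment on a network you manage
```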

     

    Affected Product(s)

    Protect 9.X

    Protect 8.X

    Troubleshooting issues when adding machines via Machine Group > Organizational Unit > Browse Active Directory

    Symptoms

     

    When attempting to add machines to a machine group in Protect via the Organizational Unit tab, clicking 'Browse Active Directory' results in any of the following:

     

    -You see the message "The list of servers for this workgroup are currently unavailable".

    -The OU list is missing machines that you expect to show up.

     

    Cause

     

    For any number of reasons the Protect application is unable to either connect to or browse Active Directory.

     

     

    Resolution

     

    Here are troubleshooting steps that should help:

     

    1) Check that the "Browse Credentials" are set correctly and have access to Active Directory.

     

     

    2) Make sure NetBIOS is enabled.

    - Go into Computer Management > Device Manager.

    - Click View > Show hidden devices.

    - Under Non-Plug and Play Drivers locate NETBT.

    - Right click on NETBT and go to Properties.

    - Ensure the General tab lists this device as working properly.

    - Ensure the Driver tab lists this device with a current status of Started.

     

     

    3) On your Protect console system, open command prompt, and run NBTSTAT -R

    This command purges the contents of the NetBIOS name cache and then reloads the #PRE-tagged entries from the Lmhosts file. The #Pre section is where domain controllers may be listed.  For more information on nbtstat commands see this Microsoft Technet article: http://technet.microsoft.com/en-us/library/bb490938.aspx

     

     

    4) If you are having problems enumerating Organizational Units across domains, ensure that the Protect console has access to a DNS server that provides lookups to all involved domains.

     

    You can edit the hosts file (in C:\WINDOWS\system32\drivers\etc)

    Add an entry for:

    [Net Bios Name of Domain Controller] [IP Address]

    or

    [DomainName] [IP Address of primary DC]

     

     

    5) Enable the Computer Browser service. The computer browser service is disabled by default on Server 2008 R2, but it should start without error.

     

    See this document: http://community.shavlik.com/docs/DOC-22966

     

    -Is there an error in the event log? This can help narrow down what is going wrong.

     

    -The computer browser service will automatically stop if your registry settings are not configured to maintain the browse list. To verify your settings do the following:

     

    -Go to Start> Run

    -Type regedit

    -Press enter

    -Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters

    -The MaintainServerList value should be set to Yes or Auto. If this Value is No then the computer browser service will not start.

     

     

    6) Check to make sure the NetBIOS ports (139 & 445) are open.

     

     

    7) A couple other things that may help troubleshoot:

     

    -Check if the "Browse Network" button in the Machine Group configuration dialog on the Machine Name tab functions as expected.

     

    -Make sure you can browse your network (Network Places) using Windows Explorer.

     

     

    Additional Information

     

    The following Microsoft articles may also prove helpful:

     

    Troubleshooting Active Directory (2003):

    http://technet.microsoft.com/en-us/library/cc776795(v=ws.10).aspx
    http://technet.microsoft.com/en-us/library/cc737561(v=WS.10).aspx

     

    Troubleshooting Active Directory Domains & Trusts (2008 R2):

    http://technet.microsoft.com/en-us/library/cc770264.aspx#BKMK_1

     

     

    Affected Products

     

    Shavlik Protect 9.x

    vCenter Protect 8.x

    Does Protect's Anti Virus and Active Protection scan for "..." Virus?


     

     

    Purpose


    This document explains how to tell if Protect is scanning for a specific virus.

     

     

    Solution

     

    The Shavlik Protect Threat Protection engine is based on the Vipre SDK engine, and uses threat definitions created by GFI's ThreatTrack Security (formerly Sunbelt Software). You can browse or search for specific viruses on the following website:

     

    http://sunbeltsecurity.com/BrowseCategories.aspx

     

    Affected Product(s)


    Shavlik Protect 8.x
    Shavlik Protect 9.x

    Manually Configuring a Remote SQL Server to Accept Machine Account Credentials


     

     

     

    Purpose

     

    How to manually configure a remote SQL Server to accept machine account credentials

     

     

    Description

    Manually Configuring a Remote SQL Server to Accept Machine Account Credentials

    Note: The manual process described here is required only if the automated account creation process failed during product installation.

    If you are using Integrated Windows Authentication to access a remote SQL Server, in order for Shavlik Protect to interact properly with the server you must configure the server to accept machine account credentials. The best time to do this is immediately after you have installed Shavlik Protect but before you actually start the program. You can, however, perform these steps after starting the program. Any scans you initiate prior to this that require interaction with a remote SQL Server database will probably fail.

    This section describes how to configure a remote SQL Server to accept Windows authentication (machine account) credentials from the Shavlik Protect console. For security purposes, Shavlik recommends using Windows authentication where possible. Microsoft SQL Server Management Studio is used as the editor in the following examples but you can use a different tool if you prefer.

    1. The Shavlik Protect console and SQL Server must be joined to the same domain or reside in different domains that have a trusted relationship.

    This is so the console and the server can compare credentials and establish a secure connection.

    2. On SQL Server, create a new login account for Shavlik Protect to use.

    You must have securityadmin privileges in order to create an account. To do this: Within the Security node, right-click Logins and select New Login. Type the login name using a SAM-compatible format (domain\machine name). The machine account is your console's machine name and must contain a trailing $.

    Note: Do not use the Search option. You must manually type the name because it is a special name.

    Make sure you choose Windows Authentication and that the Default database box specifies the Shavlik Protect database. For example:

    3. For your Shavlik Protect database, create a new user login using the console machine account.

    Right-click the Users folder, select New User, browse to find the Login name, and then paste the name in the User name box. Assign the user the db_datareader, db_datawriter, STCatalogUpdate, and STExec roles. For example:

    4. Start Shavlik Protect.
    5. Perform any troubleshooting as necessary.
    • You can use the SQL Server activity monitor to determine if connection attempts are successful when performing a patch scan.
    • If you ran Shavlik Protect before creating the SQL Server user account, some services may fail to connect to SQL Server. You should select Control Panel > Administrative Tools > Services and try restarting the services.
    • If the connection attempts are failing you can view the messages in the SQL Server logs to determine why the failures are occurring.
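    The login and user steps above can also be expressed as T-SQL. This is an added example, not Shavlik tooling: a Python helper checks that the machine account is in SAM-compatible form with its trailing $, then renders the statements so they can be reviewed before being run by someone with securityadmin privileges. The account CORP\PROTECT01$ and the database name ProtectDB are placeholders; the four roles are the ones listed in the procedure.

```python
import re

# Database roles listed in the procedure above.
PROTECT_ROLES = ("db_datareader", "db_datawriter", "STCatalogUpdate", "STExec")

# SAM-compatible machine account: DOMAIN\MACHINE$ with exactly one backslash.
_SAM_MACHINE = re.compile(r"[^\\\s\[\]']{1,15}\\[^\\\s\[\]']{1,15}\$")


def quote_ident(name):
    """Bracket-quote a SQL Server identifier, doubling any closing bracket."""
    return "[" + name.replace("]", "]]") + "]"


def quote_literal(value):
    """Quote a Unicode string literal, doubling any single quote."""
    return "N'" + value.replace("'", "''") + "'"


def machine_login_script(machine_account, database, roles=PROTECT_ROLES):
    """Render T-SQL that creates the Windows login and database user for the
    console's machine account and assigns only the listed roles."""
    if not machine_account.endswith("$"):
        # The most common mistake: typing the computer name without the $.
        raise ValueError("machine account must end with a trailing $")
    if not _SAM_MACHINE.fullmatch(machine_account):
        raise ValueError("expected SAM-compatible format DOMAIN\\MACHINE$")

    login = quote_ident(machine_account)
    db = quote_ident(database)
    lines = [
        "USE [master];",
        f"CREATE LOGIN {login} FROM WINDOWS WITH DEFAULT_DATABASE = {db};",
        f"USE {db};",
        f"CREATE USER {login} FOR LOGIN {login};",
    ]
    for role in roles:
        # sp_addrolemember is used because it is available on older SQL Server
        # releases as well as current ones.
        lines.append(
            f"EXEC sp_addrolemember {quote_literal(role)}, "
            f"{quote_literal(machine_account)};"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder account and database name; substitute your own values.
    print(machine_login_script("CORP\\PROTECT01$", "ProtectDB"))
```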

     

    Additional Information

    Allowing Other Users Access to the Program

    Note: This section also applies if you are using the role-based administration feature.

    If you wish to allow other users access to the program, you may need to configure SQL Server so that those users have the necessary database permissions. Specifically, when using Windows integrated authentication, users without administrative rights on the database machine must be granted read and write permission to all tables and views. They must also be granted execute permission to all stored procedures in the Shavlik Protect application database. They may not otherwise be able to start Shavlik Protect.

    One way to grant these permissions is to assign your users the db_owner role. For security reasons, however, this may not be the best solution. A safer alternative is to grant execute permission at the database level. You do this by assigning the users in question to the STExec role.

    For an explanation of the permissions specified above, reference Protect SQL Account Configuration for least privilege requirements http://community.shavlik.com/docs/DOC-1463

     

    Affected Product(s)

    Protect 9.X

    Protect 8.X

    How to Cancel / Delete Scheduled Tasks


     

                     

    Purpose


    This document outlines how to cancel a scheduled task.

     

                     

    Steps


    In Protect choose Manage> Scheduled Tasks.

     

    1-scheduled tasks.png

     

     

    For Deployments

    Select the target machine in the tree on the left. Deployments are scheduled on the target machine.

    For Scans

    Select the Console machine in the tree on the left. All agent-less scans are stored in the Console's scheduler. This means that even if you are scanning a different target machine, you still select the Console machine from the tree.

     

    2-select console.png

     

    When the intended machine has been selected, the Scheduled Jobs should automatically populate in the list on the right.

     

    3-scheduled job.png

     

    Right click the desired job, and choose Delete.

     

    4-delete.png

     

    When prompted to confirm, choose Delete.

     

    5-delete prompt.png

     

    After the job is deleted the Scheduler for the selected machine should refresh, and the scheduled task should no longer be displayed.

     

    6-no jobs.png

     

     

                     

    Affected Product(s)


    Shavlik Protect 9.x
    vCenter Protect 8.x

     

     

    How to Schedule Patch Scans


     

                     

    Purpose


    This document outlines how to schedule a patch scan to take place at a future date/time.

     

                     

    Once vs. Recurring     


    A scan can be scheduled to run a single time at a specified date/time. Alternatively the scan may be scheduled to run at the same time on different days, or on a designated day each month; these scheduled scans occur until removed from the scheduler.

    Related Document: How to Cancel / Delete Scheduled Tasks

    Once

    Scheduling a scan using the 'Once' option will cause a scan to be run a single time at the designated date/time.

     

    Example: The image shows a scheduled scan that will begin on February 1, 2014 at 6:00 PM. Because this is a 'Once' type scan, it will not occur again.

     

    1-once.png

     

     

    Recurring - Daily

    Scheduling a scan to be 'Recurring Daily' will cause the scan to be run at the designated time on the specified days. To stop the jobs from continuing to run, the scheduled task must be deleted.

    Example: The image shows a scheduled scan that will occur Weekdays (Monday, Tuesday, Wednesday, Thursday, Friday) at 6:00 PM. Because this is recurring, this will happen every week at the same time on the same days.

     

     

    2-recurring daily.png

    Recurring - Monthly

    Scheduling a scan to be 'Recurring Monthly' will cause the scan to be run at the designated time on the specified day each month. To stop the jobs from continuing to run, the scheduled task must be deleted.

    Day of Month to Run

    Example: The image shows a scheduled scan that will occur the 21st day of every month at 6:00 PM. Because this is recurring, this will happen every month on the 21st at the same time.

     

    3-monthly days.png

    The First, Second, Third, Fourth, Last Occurrence of Day

     

    Example: The image shows a scheduled scan that will occur the second Tuesday each month at 6:00 PM. Because this is recurring, this will happen every month on the 2nd Tuesday at the same time.

     

    4-monthly second tuesday.png

     

     

     

                     

    Scan Settings


    When scheduling a scan there are 4 options to define.

    1. Name this operation (optional):
      • This will be displayed in the scheduled task manager, scan results, and logging.
    2. Select/confirm targets:
      • Define the machine groups that will be part of the scheduled scan by adding checkmarks to them.
    3. Select schedule:
      • Select the scheduling options. More information on this is at the beginning of this document.
    4. Select/confirm operation:
      • Identify the scan template to be utilized.
    5. After setting up the scan to use the desired template, the machines to be scanned, and the frequency of the scan, click the Schedule button.

    7-scan options.png

     

    If the job is scheduled successfully you will see a toast popup indicating such.

     

    6-toast.png

                     

    Method 1 - From Home Screen


    Within Protect, click the Home button in the upper left corner of the GUI. The Home screen will display options to set up a scheduled scan.

     

    Note: One or more groups may be selected to have the scheduled job run against them.

     

    5-home screen.png

     

     

     

     

                     

    Method 2 - From Machine Group


    Within Protect, in the navigation panel on the left of the interface, select to view Machine Groups.

     

    1-view machine group.png

     

    Click on the intended Machine Group.

     

    2-select machine.png

     

    Within the Machine Group editing window, choose Run Operation.

     

    3-run op.png

     

    The Run Operation screen will display options to set up a scheduled scan.

     

    4-run operation window.png

     

     

                     

    Method 3 - From Machine View


    In Protect choose View> Machines.

     

    1-view machines.png

     

    In Machine View, select the Machine(s) to schedule the scan against.
    Right Click
    Choose Patch Scan
    Select the desired Scan Template

     

    2-machine view.png

     


    The Run Operation screen will display options to set up a scheduled scan.

     

    3-run operation.png

     

     

                     

    Affected Product(s)


    Shavlik Protect 9.x


    Protect doesn't recognize a patch that was manually downloaded


     

     

    Symptoms


    A patch that was manually downloaded and placed in the patch repository does not show as downloaded in Protect.

     

     

    Cause


    This is often caused by the patch not having the Shavlik Name.
    Some vendors will update their patches but utilize the same file name. When the file has the same name, it causes issues with Protect's ability to distinguish between different files. To resolve this, Protect utilizes a 'Shavlik Name'. A Shavlik Name is the unique file name given to a file when the vendor chooses not to give one. The name is the only change made to the file, and it typically consists of the original name with the file version, and the language of the patch where applicable, appended.

     

    Example:
    Adobe Flash patches are hosted under a generic name: install_flash_player_11_plugin.exe
    To differentiate between files, a Shavlik Name is given to the file that specifies version, and bit version: install_flash_player_11_plugin_64bit119900170.exe

     

     

     

    Solution


    Modify the patch's file name by giving it the corresponding Shavlik Name.
    To identify the Shavlik Name of the patch:

    • Open Patch View (View> Patch View)
    • Right click the column headers and select 'Column Chooser'

     

    column chooser.png

     

    • In the Customization window, drag the 'Download File Name' option into the Patch View window.

     

    download file name.png

     

    • Search for the Q# of the patch
    • When the patch is found in Patch view, expand its view and the Shavlik Name will be displayed under the Download File Name column.

     

    Note:
    You can also enable the Vendor File Name option in the Customization window to see what the file's default name is when hosted by the vendor.

     

     

    shavlik name.png

     

    Affected Product(s)


    Shavlik Protect 9.x
    vCenter Protect 8.x

     

     

    What is Meant by the "Informational" Items in Shavlik Protect?


     

    Purpose

     

    This document explains what is meant by "informational" items under patch status in Shavlik Protect.

     

    Description

     

    Some users may be unsure what "Informational" items are in Protect. These items can sometimes be found under the "Current Patch Status" column in the patches tab when viewing scan results or individual machine listings in the machines view. This article explains what "informational" means and why it can be found in the scan results.

     

    What are "Informational" items?

     

    After running a scan in Shavlik Protect, the default view often shows informational items under the original patch status, in addition to Patch Installed and Patch Missing.

     

    informational3.PNG

     

    Informational status identifies products on the target machine that have been fully patched or for which there exist no applicable patches. This informational status is meant to be an indicator that all available patches have been applied for the designated products.

     

    Informational2.PNG

     

    In this example above, all of the products on the right (Internet Explorer 11, Direct X 9.0c, etc.) have been fully patched on the target machine, and do not currently require patching.

     

    Informational items cannot have actions performed on them because they do not reference a particular patch, but rather a fully patched product.

     

     

    Affected Product(s)

     

    Shavlik Protect 9.x
    vCenter Protect 8.x

    Recurring Scheduled Tasks are being deleted


     

     

    Symptoms

     

    Recurring Scheduled Tasks are being deleted.

     

    The Scheduled Tasks log tab shows a status 1326 when the deleted task was last attempted.

    The ST.Activation.managed.SYSTEM@NT AUTHORITY log shows the following error: "Failed to check access to '192.0.7.18', error: 1326".

    System error code 1326 means "Logon failure: The user name or password is incorrect." This error code may also display as "ERROR_LOGON_FAILURE" or as the value 0x52E.

     

     

    The Scheduled Tasks log tab shows a status 1331 when the deleted task was last attempted.

    The ST.Activation.managed.SYSTEM@NT AUTHORITY log shows the following error: "Failed to check access to '192.0.7.18', error: 1331".

    System error code 1331 means "Logon failure: account currently disabled." This error code may also display as "ERROR_ACCOUNT_DISABLED" or as the value 0x533.

     

     

    Shavlik Protect will delete a recurring task after credentials fail.  A new task will need to be created with proper credentials.

     

     

     

    Solution

     

    Verify that Credentials are correct for the target machine in the scan task using the following steps:

    • Verify which user was logged into the console machine when the scan task was created and log in to the console machine as that user.
    • Verify the credential listed as default credential under Manage Credentials.
    • Log in to the console as the user listed as default credential under Manage Credentials in the last login.
    • Make sure that you can access the default administrative share (c$) on the target machine.

     

    For other scanning prerequisites, please visit the following link to the online help:

    http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/Scanning_prerequisites.htm
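
The credential failures described above can be pulled out of the console log before the next scheduled run. The following is an added example, not Shavlik code: the function name is hypothetical, the message text and codes 1326/1331 come from this article, and the timestamps and the other addresses in the sample lines are constructed.

```powershell
# Added example, not Shavlik code. Flags credential failures in console log lines.
# The message format and codes 1326/1331 come from the article; timestamps,
# the extra addresses and the error 53 line in the sample are constructed.
$CredentialErrors = @{
    1326 = 'ERROR_LOGON_FAILURE: the user name or password is incorrect'
    1331 = 'ERROR_ACCOUNT_DISABLED: account currently disabled'
}

function Get-CredentialFailure {
    param([string[]]$Line)

    $pattern = "Failed to check access to '(?<target>[^']+)', error: (?<code>\d+)"
    $hits = foreach ($entry in $Line) {
        if ($entry -match $pattern) {
            $code = [int]$Matches['code']
            # Only the two logon failures that cause a recurring task to be deleted.
            if ($CredentialErrors.ContainsKey($code)) {
                [pscustomobject]@{
                    Target  = $Matches['target']
                    Code    = $code
                    Hex     = '0x{0:X}' -f $code
                    Meaning = $CredentialErrors[$code]
                }
            }
        }
    }

    # One row per target and code, with the number of failed attempts.
    $hits | Group-Object Target, Code | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Target   = $first.Target
            Code     = $first.Code
            Hex      = $first.Hex
            Meaning  = $first.Meaning
            Failures = $_.Count
        }
    }
}

# Constructed sample lines; the last one is a non-credential error and is ignored.
$sampleLog = @'
2015-01-12T02:00:04 Failed to check access to '192.0.7.18', error: 1326
2015-01-12T02:00:09 Failed to check access to '192.0.2.25', error: 1331
2015-01-13T02:00:05 Failed to check access to '192.0.7.18', error: 1326
2015-01-13T02:00:07 Failed to check access to '192.0.2.30', error: 53
'@ -split "`r?`n"

Get-CredentialFailure -Line $sampleLog | Format-Table -AutoSize
```

To run it against a real log, pass the file's lines with `Get-Content`; every target it reports needs its credentials corrected and its recurring task created again.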

     

     

     

    Affected Product(s)


    Protect Version: All

    Manual installation of agent fails on registration.

    Symptoms

     

    Manually installing an agent fails during the registration process.

      Error found in registration.log

    • 'Error during registration. Error: Error 1300: Not all privileges or groups referenced are assigned to the caller'

      Error found  in the STAgentUI.log

    • 'Error 1314: A required privilege is not held by the client'

     

    Cause

     

    This error is seen if the user account used to install the agent does not have the correct permissions.

     

    Resolution

     

    Add required rights in User Rights Assignments.

     

         Known rights needed to install and register agents.

      • "Act as Operating System"
      • "Take Ownership"

     

    1. Open Local Security Settings.
    2. In the console tree, click User Rights Assignment.
       - Security Settings/Local Policies/User Rights Assignments
    3. In the details pane, double-click the user right you want to change.
    4. In UserRight Properties, click Add User or Group.
    5. Add the user or group and click OK.

    *Note: To open Local Security Policy, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

    You can also check what rights the current user has by running the following command from a Windows Command Prompt.

    >whoami /priv
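
The `whoami /priv` check above can be scripted so that only the two rights this article names are reported. This is an added example, not Shavlik code: the function name is hypothetical, the mapping of "Act as Operating System" and "Take Ownership" to the Windows constants SeTcbPrivilege and SeTakeOwnershipPrivilege is supplied here, and the sample output is constructed.

```powershell
# Added example, not Shavlik code. Reports whether the two rights named in the
# article are present in the current user's token.
# Assumption: the article's "Act as Operating System" and "Take Ownership" are the
# Windows rights SeTcbPrivilege and SeTakeOwnershipPrivilege.
$RequiredRights = [ordered]@{
    SeTcbPrivilege           = 'Act as part of the operating system'
    SeTakeOwnershipPrivilege = 'Take ownership of files or other objects'
}

function Get-AgentInstallRight {
    # By default reads the live token; pass CSV lines to test against saved output.
    param([string[]]$WhoamiCsv = (whoami.exe /priv /fo csv /nh))

    $held = $WhoamiCsv | ConvertFrom-Csv -Header Name, Description, State
    foreach ($right in $RequiredRights.Keys) {
        $entry = $held | Where-Object Name -eq $right
        [pscustomobject]@{
            Privilege  = $right
            PolicyName = $RequiredRights[$right]
            # A privilege listed as "Disabled" is still held; it is just not
            # switched on at the moment. A privilege that is absent is not held.
            InToken    = [bool]$entry
            State      = if ($entry) { $entry.State } else { 'Not assigned' }
        }
    }
}

# Constructed sample of "whoami /priv /fo csv /nh" output for an account that has
# Take Ownership but not Act as part of the operating system.
$sample = @'
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeTakeOwnershipPrivilege","Take ownership of files or other objects","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'@ -split "`r?`n"

Get-AgentInstallRight -WhoamiCsv $sample | Format-Table -AutoSize
Get-AgentInstallRight | Format-Table -AutoSize   # current user
```

Run it from the same account and elevation level used to install the agent, because a non-elevated prompt shows a filtered token.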

     

    Additional Information

     

    Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

    Local policy settings
    Site policy settings
    Domain policy settings
    OU policy settings

    *Note: When a local setting is greyed out, it indicates that a GPO currently controls that setting.

     

    Affected Product(s)


    Shavlik Protect 9.x


    Troubleshooting Shavlik Protect patch scan error messages

    Purpose

     

    Many of the common Shavlik Protect scan errors can be corrected by changes to configuration or environment. This article lists the most common scan error messages and provides some guidance on correcting the issue.

     

     

    Cause

     

    Scan errors can occur:

     

    • If one or more of the Shavlik Protect Scanning Prerequisites have not been met 
    • If one or more configuration issues are present in Shavlik Protect 
    • Due to one or more environmental issues

     

     

    Resolution

     

    The table below lists the error codes with the known reason or solution. Most scan errors can be resolved by ensuring you are meeting requirements.
    Note: You can see the scan errors listed by viewing your scan result under the 'Results' section and viewing the 'Machines Not Scanned' tab of the scan result.
    Capture.JPG

     

    Error Code

    Description

    Error Code 101:

    Unable to determine System Language

    The scan process reads the Windows ntdll.dll file to determine the language of the system. If this file is inaccessible, the prerequisite validation fails and the scan is aborted. See the following document for more information: http://community.shavlik.com/docs/DOC-23310
    Error Code 105:
    MS_UNABLE_TO_GET_SYSTEM_DATA
    This issue occurs when an access denied message is at the root of the problem, or because of other environmental or network-related issues. See the following KB:
    http://community.shavlik.com/docs/DOC-2233
    Error Code 200:
    System not found. Scan not performed.
    This indicates that the specified computer was not located and could not be scanned.
    Error Code 201:
    System not found. <system error message>
    A network problem is preventing the specified machine from being scanned. Check to see that your computer (the scanning machine) is properly connected to the network and that you can remotely logon to the specified machine.
    Error Code 202:
    System not found. Scan not performed.
    A network or system error occurred while the scan was in process. Check to see that your scanning machine is properly connected to the network and that the machine being scanned is still connected to the network. Also ensure that the remote machine is running the Server service.
    Error Code 230:
    Scan not performed. <system error message>
    A general network error has occurred. See the system documentation for more information.
    Error Code 235:
    System not found, or NetBIOS ports may be firewalled. Scan not performed.
    Most likely, there is no machine with the specified IP address. If a machine does exist at this address, a personal firewall or port filtering device may be dropping packets destined for TCP ports 139 and 445.
    See the following KB: http://community.shavlik.com/docs/DOC-2220
    Error Code 261:
    System found but it is not listening on NetBIOS ports. Scan not performed.
    A machine exists at this IP address but it is either not listening on, or is blocking access to, TCP ports 139 and 445.
    Error Code 301:
    SystemRoot share access required to scan.
    Unable to connect to the remote machine’s system share. This may occur if the administrator has unshared the systemroot (typically C$ or similar) or has disabled the AutoShareServer(Wks) via the registry. Change the value from 0 to 1 for these registry values:

    HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer

    HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks

     

    For more information on restoring Admin Shares, see the Microsoft Knowledge Base article 318755.
    Error Code 429:
    DLL is not properly registered.

    Error Code 430:
    Incorrect version of MDAC.

    Error Code 451:
    Admin rights are required to scan. Scan not performed.
    The current or specified user account performing the scan does not have administrative rights to the machine being scanned. Check to see that the specified account is a member of the local administrators group on the machine being scanned (or is a member of a group with local administrative rights).
    Error Code 452:
    NetChk is unable to scan this machine. Please check to see that you have administrative rights to this machine and are able to login to this machine from your workstation. Scan not performed.
    Check to see that the Server service is enabled on the remote machine and that you can remotely logon to this machine. Ensure that the Workstation service is running on the machine performing the scan.
    See the following KB: http://community.shavlik.com/docs/DOC-2218
    Error Code 501:
    Remote registry access denied. Scan not performed.
    Check to see that the Remote Registry service is enabled on the machine being scanned.
    See the following KB: http://community.shavlik.com/docs/DOC-2219
    Error Code 502:
    Scan not performed. Error reading Registry <system error message>
    A general registry error has occurred. See the system documentation for more information.
    Error Code 503:
    Scan not performed. Error reading Registry.
    A general registry error has occurred. No additional information is available.
    Error Code 553:
    Unable to read registry. Please ensure that the remote registry service is running. Scan not performed.
    Check to see that the Remote Registry service is enabled on the machine being scanned.
    Error Code 621:
    OS of target is an unsupported version of Windows
    The specified machine may be a non-Microsoft platform running SMB services or otherwise emulating a Microsoft product. Review the document: http://community.shavlik.com/docs/DOC-23052
    Error Code 622:
    Machine OS is not Recognized. Please run with tracing on and send to technical support. Scan not performed.
    Unable to determine the operating system of the specified machine. This may occur when scanning beta or unreleased versions of Microsoft operating systems.
    Error Code 623:
    Machine Service pack is not Recognized. Please run with tracing on and send to technical support. Scan not performed.
    Unable to determine the Service Pack of the specified machine. This may occur when scanning beta or unreleased versions of Microsoft Service Packs.
    Error Code 701:
    File http://download.microsoft.com/download/ ... secure.cab was NOT downloaded.
    The signed, compressed CAB file containing the security patch information could not be obtained from the specified location. This may occur if the scanning machine is not connected to a network, or is otherwise unable to access the specified file or location. If the CAB file is not obtained, an attempt is made to access the uncompressed XML file via https.
    Error Code 702:
    File https://www.microsoft.com/technet/secur ... secure.xml was NOT downloaded. Attempting to find local copy of mssecure.cab.
    The uncompressed XML file containing the security patch information could not be obtained from the specified location via https. This may occur if the scanning machine is not connected to a network, or is otherwise unable to access the specified file or location. If the XML file is not obtained from the network, an attempt is made to locate an existing version of this file on the local machine.
    Error Code 799:
    Itanium class servers are not supported by Protect.

    Error Code 802:
    Could not read boot.ini file in harddrive at '%s'
    Unable to read the image's boot.ini file after successfully mounting the hard disk (non-Vista systems).
    See: http://community.shavlik.com/docs/DOC-23104
    Error Code 803:
    Could not find windows install directory in boot.ini file in harddrive at '%s'
    The virtual image hard drive was successfully mounted and the boot.ini file was read but the scan engine was unable to locate the %systemroot% folder at the specified location (non-Vista systems).
    Error Code 804:
    Could not find system32 directory for virtual system at '%s'
    The virtual image hard drive was successfully mounted and the boot.ini file was read but the scan engine was unable to locate the %systemroot%\system32 folder at the specified location (non-Vista systems).
    Error Code 805:
    Timeout when mounting hard drive at '%s' to drive '%c'
    An attempt to mount the virtual image was not successful. The mounting process timed out after 60 seconds. Try scanning this image individually to see if the mount succeeds.
    Error Code 806:
    Error mounting hard drive at '%s' to drive '%c'
    An attempt to mount the virtual image was not successful. This can happen if the image being mounted is encrypted, is on a compressed drive, is a template or a linked clone, or any of the vmdk files are read-only. If this is a VMware Workstation or VMware Server image, this error occurs if the image is currently powered on or suspended.
    Error Code 807:
    Error mounting hard drive at '%s' to drive '%c' with exit code %d
    An attempt to mount the virtual image was not successful. The mounting process returned an unknown error code. Contact support for assistance.
    Error Code 808:
    Could not get return code from mounting tool when mounting hard drive at '%s' to drive '%c' due to %s
    The virtual image mounting process completed but the mount process was unable to determine if the mounting was successful.
    Error Code 809:
    Unknown virtual image type '%s' extracted from '%s'.
    The scan engine was unable to determine the virtual image type. This may occur if scanning a currently unsupported virtual image platform.
    Error Code 810:
    Could not find system32 directory for virtual image: '%s'
    The virtual image hard drive was successfully mounted but the scan engine was unable to locate the image's %systemroot%\system32 folder.
    Error Code 811:
    Could not get information about drive mounted at '%s' for system:'%s'
    The scan engine was unable to determine the systemroot drive letter for the mounted image.
    Error Code 812:
    Could not open mounted registry key 'HKLM\\Software\\MountedDevices' for system: '%s'
    The virtual image hard drive and registry were successfully mounted but the scan engine was unable to read the mounted registry.
    Error Code 813:
    Could not enumerate the values under the key HKLM\\Software\\MountedDevices for system: '%s'
    The virtual image hard drive and registry were successfully mounted but the scan engine was unable to enumerate values from the mounted registry.
    Error Code 814:
    No path to vmware-mount.exe provided!
    The scan engine was unable to locate the VMware mounting tool. Please make sure that the VMware Virtual Disk Development Kit has been properly installed.
    Error Code 815:
    Could not find mounting tool at '%s'
    The scan engine was unable to locate the VMware mounting tool. Please make sure that the VMware Virtual Disk Development Kit has been properly installed.
    Error Code 816:
    Could not read system file at '%s'
    The vmx configuration file does not exist for the specified VMware Workstation or VMware Server image.
    Error Code 817:
    Error parsing system file at '%s'
    The scan engine was unable to read the vmx file for the specified VMware Workstation or VMware Server image. Check the vmx file and ensure that it can be read in a text viewer.
    Error Code 818:
    '%s'. Unable to mount the virtual image. The virtual image is currently powered on.
    The scan engine was unable to mount the virtual image because the virtual image was powered on. The scan engine is only capable of scanning images that are offline (powered off).
    Error Code 819:
    '%s'. Unknown PowerStatus '%d'
    The scan engine was unable to determine the current state of the image (powered on, suspended, powered off).
    Error Code 820:
    %s'. Scanning suspended or paused images is not currently supported.
    The scan engine was unable to mount the virtual image because the virtual image was suspended (paused). The scan engine is only capable of scanning images that are offline (powered off).
    Error Code 821:
    Could not open Objects key in BCD for image at '%s'
    The scan engine was unable to access the boot configuration data (BCD) for this image. This error message could indicate that there is a problem with the specified image. Try powering on this image to ensure that it is still valid. This error message applies to Vista images only.
    Error Code 822:
    Could not enumerate keys in 'BCD\\Objects' for image at '%s'
    The scan engine was unable to enumerate information from the boot configuration data (BCD) for this image. This error message could indicate that there is a problem with the specified image. Try powering on this image to ensure that it is still valid. This error message applies to Vista images only.
    Error Code 823:
    Could find default boot section in the BCD for image at '%s'
    The scan engine was unable to enumerate boot information from the boot configuration data (BCD) for this image. This error message applies to Vista images only.
    Error Code 824:
    Could not open key at 'BCD\\Objects\\%s\\Elements\\22000002' for image at '%s'
    The scan engine was unable to open the boot information data from the boot configuration data (BCD) for this image. This error message applies to Vista images only.
    Error Code 825:
    Could find the Windows root in default boot section of the BCD for image at '%s'
    The scan engine was unable to locate the value which stores the location of the windows directory in the boot configuration data (BCD) for this image. This error message applies to Vista images only.
    Error Code 826:
    Registry mount sentry is NULL!
    The scan engine was unable to mount the virtual image's registry. The console may be running low on memory.
    Error Code 827:
    Hard-drive mount sentry list is NULL or empty!
    The scan engine was unable to read the vmx file and/or this file had no hard drives configured for the image.
    Error Code 828:
    Could not mount registry for image '%s'. This could be caused by running a non supported configuration. Windows 2000 can't mount x64 registries.
    The scan engine was unable to mount the registry for the virtual image. This may occur if using a Windows 2000 console and trying to mount x64 images (unsupported).
    Error Code 829:

     

    Error: 829 - Accessing disk ID
    Error: 829 - Accessing disk ID, Code:16054 – Invalid connection

    This error can occur for a number of different reasons. It occurs prior to mounting the image and, unlike the errors above, is not related to mounting the image.

     

    General errors:

     

    VIX_E_FAIL = 1,
    VIX_E_OUT_OF_MEMORY = 2,
    VIX_E_INVALID_ARG = 3,
    VIX_E_FILE_NOT_FOUND = 4,
    VIX_E_OBJECT_IS_BUSY = 5,
    VIX_E_NOT_SUPPORTED = 6,
    VIX_E_FILE_ERROR = 7,
    VIX_E_DISK_FULL = 8,
    VIX_E_INCORRECT_FILE_TYPE = 9,
    VIX_E_CANCELLED = 10,
    VIX_E_FILE_READ_ONLY = 11,
    VIX_E_FILE_ALREADY_EXISTS = 12,
    VIX_E_FILE_ACCESS_ERROR = 13,
    VIX_E_REQUIRES_LARGE_FILES = 14,
    VIX_E_FILE_ALREADY_LOCKED = 15,
    VIX_E_NOT_SUPPORTED_ON_REMOTE_OBJECT = 20,
    VIX_E_FILE_TOO_BIG = 21,
    VIX_E_FILE_NAME_INVALID

    Error Code 1001:
    IPv6 addresses are not supported.
    IPv6 addresses are currently not supported. Ensure that IPv4 is enabled.
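
Several of the errors in this table come down to the same few prerequisites on the target: TCP ports 139 and 445, the administrative share, the Remote Registry service and the Server service. The following added example (not Shavlik code; function names are hypothetical) checks those from the console machine and lists the related error codes from the table. It assumes Windows PowerShell 5.1, where `Get-Service` accepts `-ComputerName`, and that it runs under the account the scan uses.

```powershell
# Added example, not Shavlik code. Checks a target against the prerequisites
# behind the common scan errors listed in the table above.
# Assumptions: Windows PowerShell 5.1 (Get-Service -ComputerName) and the same
# account that the scan runs as. SERVER01 below is a placeholder host name.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false    # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

function Get-RemoteServiceStatus {
    param([string]$ComputerName, [string]$Name)
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name $Name -ErrorAction Stop
        return $svc.Status.ToString()
    } catch {
        return 'Unreachable'
    }
}

function Test-ScanPrerequisite {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Errors 235 and 261: NetBIOS/SMB ports filtered or not listening.
    foreach ($port in 139, 445) {
        [pscustomobject]@{
            Check        = "TCP port $port reachable"
            Passed       = (Test-TcpPort -ComputerName $ComputerName -Port $port)
            RelatedCodes = '235, 261'
        }
    }

    # Errors 301 and 451: system share removed, or the account lacks admin rights.
    $share = '\\{0}\C$' -f $ComputerName
    $shareOk = $false
    try { $shareOk = Test-Path -LiteralPath $share -ErrorAction Stop } catch { $shareOk = $false }
    [pscustomobject]@{
        Check        = "Administrative share $share accessible"
        Passed       = $shareOk
        RelatedCodes = '301, 451'
    }

    # Errors 501/553 (Remote Registry) and 202/452 (Server service).
    $services = [ordered]@{ RemoteRegistry = '501, 553'; LanmanServer = '202, 452' }
    foreach ($name in $services.Keys) {
        $status = Get-RemoteServiceStatus -ComputerName $ComputerName -Name $name
        [pscustomobject]@{
            Check        = "Service $name running (status: $status)"
            Passed       = ($status -eq 'Running')
            RelatedCodes = $services[$name]
        }
    }
}

Test-ScanPrerequisite -ComputerName 'SERVER01' | Format-Table -AutoSize
```

A failed row narrows the cause but does not replace the scan result: if the ports are closed, the share and service checks will fail as well, so fix the rows from the top down.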

     

     

    Affected Product(s)

     

     

    Shavlik NetChk Protect 7.x

    Shavlik Protect 9.x
