If you are at a company that is running Shavlik Protect on a full SQL environment and have a DBA on staff with SQL maintenance and backup policies already running against our databases, great!  If you are running SQL Express or full SQL but don’t have a maintenance and backup plan in place, please keep reading.

A database that has no maintenance procedures being run against it is likely the single biggest cause of an upgrade issue that is encountered, the root cause of many GUI performance issues that can be mitigated, and in many cases, resolved by proactive maintenance on the database.  Below are our recommendations for good regular maintenance on your DB so you keep it running slim and clean for good performance and to reduce issues.

Keep in mind this is a starting point.  If you have regulatory needs that require more data kept live you should adjust to keep more data live.  If that is the case you may want to analyze how frequently you are scanning.  1000 agents scanning 8 times a day will grow your DB at a much more rapid rate than once per day or once per week.  And in most cases, you don’t really need all of that data.

Recommendations

Recommendation for regular Database maintenance:

Data Retention: Determine the amount of data that needs be kept on hand for operational purposes.  Typically 60-90 days is acceptable for operational purposes. The following document provides steps on how to perform deletion of old results in Protect:

Shavlik Protect Database Maintenance - Purging or cleaning up a large database

Reporting: Determine what report data is required for audit regulatory requirements.  Run monthly reports fulfilling these needs and keep on file as far back as policy requires.  Typically 13 months is acceptable.

Database Backups: It is recommended to run weekly incremental and monthly full backups.  The backup should be run just before your scheduled purge.  Keep backups as far back as the reporting data. See the following document on how to create backups using Protect's database maintenance function:

How to create a backup of the database with Protect

This Microsoft Technet article covers how to create a database backup using Management Studio:

(SQL 2012) http://technet.microsoft.com/en-us/library/ms187510.aspx

Recommended Database Maintenance Schedule:

Backups: full monthly, just after patch maintenance for that month.  Incremental weekly, end of each week (after weekend patch windows preferably).

Purge Data: After Full Monthly backup is run

Reindex: After Purge Data is run

Integrity: After Reindex is run

Full SQL Maintenance Guidance:

If you are using full SQL it may be easiest to setup maintenance plans using the maintenance wizard. If you have a DBA, they have most likely set maintenance tasks up already and you should check with them first. See the following Microsoft Technet articles on how to use the SQL Wizard to setup and maintenance plan:

(SQL 2012) http://technet.microsoft.com/en-us/library/ms191002.aspxhttp://www.networkworld.com/subnets/microsoft/110107-ch8-sql-server.html?page=2

(SQL 2008R2) http://technet.microsoft.com/en-us/library/ms189036(v=SQL.105).aspx

Additional information can be found in Microsoft Technet articles, here: http://technet.microsoft.com/en-US/sqlserver/

These Shavlik Community articles may also be relevant:

Limitations when using SQL Express editions as backend for Protect

How to shrink database in SQL

Restore Shavlik database from backup using SQL Server Management Studio

Shavlik Protect 9.x

vCenter Protect 8.x

This article provides a list of web addresses that may be required to download content or patches when using Shavlik Patch for Microsoft System Center.

Ensure that these web addresses required by Shavlik Patch are accessible and allowed through firewalls, proxies, or web filters:

• http://www.shavlik.com
• http://xml.shavlik.com
  • http://xml.shavlik.com/data/WsusCatalog.zip
  • http://xml.shavlik.com/data/engines/v9/91scup/manifest/engines.manifest.cab
  • http://xml.shavlik.com/data/engines/v9/91scup/manifest/engines.manifest.xml
• https://protectcloud.shavlik.com/
• http://protectservices.shavlik.com
• http://a1540.g.akamai.net
• http://www.apache.org
• http://archive.apache.org
• http://tomcat.apache.org
• http://www.adobe.com
• http://get.adobe.com
• http://download.adobe.com
• http://ardownload.adobe.com
• http://airdownload.adobe.com
• ftp://ftp.adobe.com
• http://ftp.adobe.com
• http://www.macromedia.com
• http://download.macromedia.com
• http://fpdownload.macromedia.com
• http://h20000.www2.hp.com
• http://ftp.hp.com
• ftp://ftp.hp.com
• http://www.mozilla.com
• http://www.mozilla.org
• ftp://ftp.mozilla.org
• http://ftp.mozilla.org
• https://ftp.mozilla.org
• ftp://mozilla.stu.edu.tw
• http://mozilla.stu.edu.tw
• https://addons.mozilla.org
• ftp://releases.mozilla.org
• http://download.cdn.mozilla.net
• http://java.com
• http://www.java.com
• http://javadl.sun.com
• http://www.sunbelt-software.com
• http://mail.bolioshot.com
• ftp://ftp.attglobal.net
• http://www.apple.com
• http://support.apple.com
• http://supportdownload.apple.com
• http://appldnld.apple.com
• http://appldnld.apple.com.edgesuite.net
• http://qtinstall.info.apple.com
• http://www.google.com
• http://dl.google.com
• http://desktop.google.com
• http://cache.pack.google.com
• http://download.nullsoft.com
• http://microsoft.com
• http://support.microsoft.com
• http://go.microsoft.com
• http://cgl.microsoft.com
• http://office.microsoft.com
• http://download.jp.microsoft.com
• http://code.msdn.microsoft.com
• http://hotfixv4.microsoft.com
• http://wl.dlservice.microsoft.com
• http://www.download.windowsupdate.com
• http://download.microsoft.com
• http://download.windowsupdate.com
• http://www.microsoft.com
• http://www.skype.com
• http://download.skype.com
• http://upgrade.skype.com
• http://download-akm.skype.com
• http://attnetclient.com
• http://opera.com
• http://get3.opera.com
• http://ftp.opera.com
• http://content.rim.com.edgesuite.net
• http://download.documentfoundation.org
• http://www.imgburn.com
• http://download.imgburn.com
• http://download.tuxfamily.org
• http://www.zimbra.com
• http://files2.zimbra.com
• http://iweb.dl.sourceforge.net
• http://downloadarchive.documentfoundation.org
• http://downloads.sourceforge.net
• http://superb-dca2.dl.sourceforge.net
• http://superb-dca3.dl.sourceforge.net
• http://superb-sea2.dl.sourceforge.net
• http://hivelocity.dl.sourceforge.net
• http://ftp.ussg.iu.edu
• http://ftp.osuosl.org
• http://localhostnt4w
• http://filezilla-project.org
• http://notepad-plus-plus.org
• http://voxel.dl.sourceforge.net
• http://mirrors.syringanetworks.net
• http://realvnc.com
• http://www.realvnc.com
• http://static.slysoft.com
• http://www.videolan.org
• http://mozy.com
• http://www.mozy.com
• https://secure.mozy.com
• http://pidgin.im
• http://software-dl.real.com
• http://support.citrix.com
• http://www.citrix.com
• https://support.citrix.com
• http://download.citrix.com.edgesuite.net
• http://www.coreftp.com
• http://localhost
• http://www.7-zip.org
• http://mirror.sdunix.com
• http://www.gtlib.gatech.edu
• http://sourceforge.net
• http://www.goo.bar.baz
• http://surfnet.dl.sourceforge.net
• http://www.wireshark.org
• http://wiresharkdownloads.riverbed.com
• http://www.libreoffice.org
• http://audacity.sourceforge.net
• http://audacity.googlecode.com
• http://www.winzip.com
• http://download.winzip.com
• ftp://ftp.winzip.com
• http://messenger.yahoo.com
• http://xh.yimg.com
• http://heanet.dl.sourceforge.net
• http://openoffice.cs.utah.edu
• http://www.real.com

If you require the IP addresses to create exceptions you can find the IP addresses used for XML.shavlik.com here. To obtain the IP for vendor sites you can ping the site for the current IP address or contact the vendor to obtain this information.

If you want to create an exception for an entire domain rather than entering all specific URLs, you can usually do so by entering the exception in this format:

*.domain.com

Example: *.Shavlik.com

Shavlik Patch for Microsoft System Center

(Shavlik SCUPdates)

In the SCUP.log or updatepublisher.log you find the following error:

Error Scup2011.10 Publisher.VerifyPackageRulesAndState VerifyPackageRulesAndState(): Too many locally published categories. Existing: 100, Adding: 1 at Microsoft.UpdateServices.Internal.BaseApi.Publisher.VerifyPackageRulesAndState()

Microsoft SCUP Publisher has a limit of 100 unique categories.

Microsoft has released a KB addressing the issue with a resolution: http://support.microsoft.com/kb/945536.

Shavlik Patch for Microsoft System Center

(Shavlik SCUPdates)

Java updates fail to install when deploying 32-bit Java updates to 64-bit operating systems after publishing Shavlik Patch data via SCUP.

This issue is caused by a Java install bug. The installer reads information for deployment on Windows operating systems in the 64-bit region of the registry, rather than the 32-bit region, which causes the failure.

Originally technical support submitted a bug report to Sun/Oracle. For more information, see Oracle bug 6995830. If you are still publishing the content via SCUP there is no workaround to fix this issue.

Update 2/11/14: The Shavlik Patch for Microsoft System Center plugin can help to resolve this issue. The plugin can allow Shavlik Patch to use dependent actions for Apple and Java patches.

For more information, please go to http://www.shavlik.com/products/patch/#/overview/.

This document provides more information about how the plugin assists: DOC-23415.

Shavlik Patch for Microsoft System Center

(Shavlik SCUPdates)

Publishing Apple Application Support fails when using SCUPdates content.

Within the SCUP.log you see a message such as the following:

Download file: file://scup-brandyh.scup-bh.local/AAS/AppleApplicationSupport234.msi failed with message "The network path was not found.

This article provides steps to obtain and publish Apple Application Support (AAS) when using SCUPdates content.

Apple does not provide a direct link to download the Apple Application Support MSI, and Shavlik does not host any vendor files. The path seen in the log files is only indicating the location of the file as it was published by Shavlik's content team.

Obtaining the Apple Application Support MSI package

    

    

    

Shavlik SCUPdates

(Previously) VMware vCenter Protect Update Catalog

• Cannot scan a remote machine with Protect
• Scanning a remote machine in Protect fails with the following error: 
  Error 5: Access is denied

1- Do I have local admin rights for the target machine ?

2- Is the remote registry service running ?

To test the remote registry connection: From the console machine to the target machine -

Open Regedit> File> Connect Network Registry , Open one of the hives and ensure you can read the actual Key - what is the result ?

3- Does the local user account have full permissions to the remote registry as local administrator ?

Open Regedit and go to:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurePipeServerswinreg

4- Reboot both target and console machine - what is the result after a scan ?

5- Can you complete a nslookup IP Address, NETBios Name, FQDN both forward and reverse for target and console. Ensure results are consistent.

6- Is this the only machine you are getting this error ?

7- Do you have credentials assigned to this machine in the machine group ?

8- What credentials are set in the Machine Properties?  Go to the Machine View, right-click on the device and click "Machine Properties".  Verify that the correct credentials are listed there.

9- Try disabling your anti-virus and firewall and seeing if it makes a difference to your error ?  If it does, re-check the port list to ensure all necessary ports are enabled.  http://community.shavlik.com/docs/DOC-22939

10- Is User Account Control Enabled on the Machine?

For machines using Windows operating systems that employ the use of User Account Control (this includes Windows Vista or later and Windows Server 2008 or later), you must either:

• Join the machines to a domain and then perform the scan using domain administrator credentials, or
• If you are not using the built-in Administrator account on the remote machines (and using that account is NOT recommended), you must disable User Account Control (UAC) remote restrictions on the machines. To do this:
  1. Click Start, click Run, type regedit, and then press Enter.
  2. Locate and then click the following registry subkey:

               HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 

               If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:

• On the Edit menu, point to New, and then click DWORD Value.b. Type LocalAccountTokenFilterPolicy and then press Enter.
• Right-click LocalAccountTokenFilterPolicy and then click OK.
• In the Value data box, type 1, and then click OK.
• Exit Registry Editor.

                For more details on disabling UAC remote restrictions, see http://support.microsoft.com/kb/95101

Be sure to have followed the pre-requisites guidelines :

http://www.shavlik.com/uploadedFiles/Support/Online_Documentation/Shavlik_Protect_90/administration-guide.pdf

Contact the support by opening a case via the portal and provide clean logs:

http://support.shavlik.com

To gather the logs, please see the following document: http://community.shavlik.com/docs/DOC-22921

This document is meant to provide information about where to obtain logging related to Shavlik Patch for Microsoft System Center.

Starting with Microsoft System Center 2012 there is a new log reading tool available called CMTrace.

You can locate this on your Configuration Manager server under:

C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe

We recommend creating a shortcut to this or setting this as the default log reader.

Locations of log files and useful information:

• System Center Configuration Manager (SCCM) Server:
  • C:\Program Files\Microsoft Configuration Manager\logs
    • Contains all logs related to operations of Configuration Manager
    • Most useful log(s) when troubleshooting issues with Shavlik Patch:
      • wsyncmgr.log - WSUS synchronization operations
  • C:\Users\*SCCM-Admin*\Shavlik\Shavlik Patch
    • Contains both logs and datafiles/binaries used by Shavlik Patch plugin.
      • Logs found here:
        • AutoPublish.log - Contains logging of publishing process.
        • Shavlik Patch.log - Contains logging of Shavlik Patch plugin operations.
• Client
  • For trouble with deployment of dependent action patches (Java or Apple) it can be beneficial to obtain the following:
    • C:\Windows
      • WindowsUpdate.log
    • C:\ProgramData\Shavlik\Installation
      • Contains files related to deployment of dependent action patches (Java, Apple). Collect and zip everything in this folder.
      • Note: This folder is automatically cleaned out after 30 days



The below table will help in understanding what log(s) may be most helpful during certain workflows:

(Click to Enlarge)

Shavlik Patch for Microsoft System Center

(Formerly SCUPdates)

• Detected patch continues to show as missing after successfully deploying.
• Patch that shows missing ends with 'U' every other deployment.

Certain patches exist as an installer and an uninstaller; these patches can cause a loop when scanning and deploying. When the installation patch is deployed it makes the uninstallation patch considered to be missing. These patches are designed by their vendor in this manner to facilitate adding/removing the patch according to environmental needs. If scanning/deploying these types of patches it may appear that the patch continually is missing as it continues to add/remove per deployment. The uninstallation patch will end with 'U'. These patches tend to belong to the 'Security Tools' patch type.

Example: Missing the Installation Patch

Example: After Installed, Now Missing Uninstall Patch

Exclude the specific patch utilizing a patch group, or choose not to deploy the patches installer/uninstaller after scanning.

Refer to the following document:

How to Find/Exclude Specific Patches in Scan Results (DOC-22967).

These are known patches that offer an uninstaller.

• Q2719615(U) - MS12-A04
• Q2719662(U) - MS12-A06
• Q2794220(U) - MS12-A10
• Q2847140(U) - MS13-A02
• Q2887505(U) - MS13-A08
• Q2896666(U) - MS13-A09
• QIE9001(U) - MSIE-002

Shavlik Protect 9.x

vCenter Protect 8.x

This document is meant to provide information on how to expire third party updates via the Shavlik Patch plugin, and how to run the WSUS Server Cleanup to remove expired updates and free up space on the WSUS server.

When using the Shavlik Patch plugin for Microsoft System Center you have the ability to expire updates from the 'Published Third-Party Updates' section.

How to expire third party updates:

1) Click the the category for 'Published Third-Party Updates

2) Check any updates you want to expire.

3) Click the button to 'Expire xx updates'.

4) You will be prompted with a confirmation. Click Yes to expire the selected updates.

     Note: Once the updates are expired - there is no option to re-publish or re-deploy these updates.

Expired patches don't automaticlly get removed from WSUS. The WSUS clean up tool needs to be run to perform clean up. This will allow you to remove many things that are no longer used including expired updates which in turn may help free up disk space.

How to run the WSUS clean up utility:

1) On the WSUS server, open the Windows Server Update Services console. (Best to run as administrator)

2) Expand your WSUS server, then click on Options.

3) Click on 'Server Cleanup Wizard'.

4) Check off anything that you want to clean off the WSUS server. Notice 'Expired updates' can be chosen by itself if you wish.

5) Click Next.

6) The wizard will run through the cleanup, and you'll be provided a summary when the cleanup is finished.

7) Click Finish.

*Note: The WSUS cleanup tool is not provided or supported by Shavlik. If you have issues running the WSUS clean up wizard, ensure you are as running as administrator. Contact Microsoft support for further assistance if you face other problems running this tool.

Shavlik Patch for Microsoft System Center

Inbound

• TCP 80 (Only for Distribution Servers that utilize HTTP) Needed for Distribution Servers to Sync patches with Console only if using HTTP
• TCP 135 (Inbound on agentless target machine) WMI Scanning – Only needed if using Asset Scanning
• TCP 137-139 (Windows file sharing/directory services) required for agentless scan to work
• TCP 445 (Windows file sharing/directory services) required for agentless scan to work
• TCP 3121 (Inbound on the console) required for tracker status updates for patch deployment and agent communication back to console
• TCP 4155 (Inbound on agent machine) Allows agent to allow commands from console
• TCP 5120 (Inbound on agentless target machine) Allows scheduler to receive commands from console machine
• TCP 5985 (Inbound on agentless target machine) Allows you to use IT Scripts feature
• TCP 443 (Only for Distribution Servers that utilize HTTPS) Needed for Distribution Servers to Sync patches with Console only if using HTTPS

Outbound

• TCP 80 (Only for Distribution Servers that utilize HTTP) Allows agent and console communion with Distribution Server using HTTP
• TCP 137-139 (Windows file sharing/directory services) required for agentless scan to work)
• TCP 445 (Windows file sharing/directory services) required for agentless scan to work)
• TCP 3121 (Agent machine to console) Required for tracker status updates for patch deployment and agent communication back to console
• TCP 5120 (From console to agentless target) Allows console to send commands to target machine scheduler
• UDP 9 (Only used if using Wake on Lan)
• UDP 137 Shavlik Protect is using UDP port 137 (NetBIOS name service) to enumerate the browse list

• Patch Scans stalls or freezes between step '4. Scan for Patches' and step '5. Wait for Results.'
• Scans go from '1 of 1 machine complete. 0 machines not scanned' to '0 of 0 machine complete. 0 machines not scanned'.
• Protect's ST.ServiceHost.Managed.Log contains an error such as:
  • Failed to determine service pack name for product 'xxx'
  • The required attribute 'Ordinal' was not found

Example of error found in the ST.ServiceHost.Managed.Log:

2013-09-20T16:52:08.7528184Z 0011 W PatchResultXmlSerializer.cs:225|Failed to determine service pack name for product 'Microsoft Report Viewer Redistributable 2008'.

This issue is caused because Protect's product detection is finding a version of an application that needs a repair/reinstall or is not supported, such as a beta or RC version of a product. The scan failing out due to this is a known defect that should be fixed in a future version of Protect.

First, ensure that you have the latest patch definitions by going to Help > About. Outdated patch definitions can cause this issue to occur. Running Help > Refresh Files should update your patch definitions.

If you continue to have the issue, it will be best to open a case directly with support. You can open a case at, http://support.shavlik.com/

If you can provide the following information at the time you open a case it will help to expedite support's ability to provide a resolution:

• Protect Console side Logs as noted in this document:
  • http://community.shavlik.com/docs/DOC-22921
• A copy of the 'Arrivals' folder, which can be found in the following location:
  • Version 9 -
    • Vista & Later: C:\ProgramData\LANDesk\Shavlik Protect\Console\Arrivals
    • Earlier OS's: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Console\Arrivals
  • Version 8 -
    • Vista & Later: C:\ProgramData\Shavlik Technologies\Console\Arrivals
    • Earlier OS's: C:\Documents and Settings\All Users\Application Data\Shavlik Technologies\Console\Arrivals

If you are aware of which system may be causing the scan to fail out, it can also be helpful to obtain the following information:

• A DPD Trace of target system found to have this problem. Refer to the following document:
  • http://community.shavlik.com/docs/DOC-22997
• An Export of the following registry keys from the target system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432\Microsoft\Windows\CurrentVersion\Uninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products

Shavlik Protect 9.x

This document is meant to help understand why a threat may not have been detected by the Shavlik Protect agent and what actions to take in such a scenario as well as best practices for using/configuring threat protection with Shavlik Protect agents.

Why didn’t Shavlik Protect agent catch 'xxx' threat?

While this sounds like a straight-forward question, the reality is there are so many variables that come into play when you try to protect a machine against malware that it is almost impossible to give any one reason.

The most likely cause is improper configuration or outdated threat definitions being used. We will go into how to ensure you've configured everything correctly and how to check the threat definitions version later. First, some background.

The Shavlik Protect agent's Threat Protection engine is based on the Vipre SDK engine and uses threat definitions created by GFI's ThreatTrack Security (formerly Sunbelt Software). At this point there are over 13 million detections in the Vipre signature files. There are hundreds of generic detections that can catch some new malcode before the Vipre analysts even see it. Also the Vipre threat engine has the ability to detect and stop a great deal of virus-like behavior. However, it is worth noting that there may be as many as 50,000 new pieces of malcode arriving somewhere on the Internet EVERY day. The Vipre team see cases in which new malcode does make it through the threat protection defenses, but it is not a common occurrence.

Is there a place I can check if a certain threat should be detected?

Since the Shavlik Protect agent uses Vipre (ThreatTrack) threat definitions you can search the database, here:

http://sunbeltsecurity.com/BrowseCategories.aspx

How to verify your threat definitions are up-to-date

There are a few places you may need to check to verify the threat definitions in-use by Shavlik Protect agents in your environment are up-to-date.

1. Ensure that the threat definitions downloaded on the Protect console system are current. (This is especially important if you are using distribution servers.)

-Go to Help > About within Protect. If your definitions are current you should see a green check under 'Data versions' next to Threat definitions.

-If the threat definitions displays a red x you should run Help > Refresh Files to perform the update of definitions.

-When running Help > Refresh Files you will see that the 'Threat Definitions download will complete in the background.'

-Make sure to give it a few minutes to update. Then you should see a green check next to Threat definitions in Help > About.

2. You can use Machine View to see some threat definition information from your agents.

-Go to View > Machines.

-You can use the columns 'Threat Definition', 'Threat Definition Age', and 'Latest Threat Scan Date' to help in determining if your agents are current.

-Keep in mind that these columns only update when the agent reports back results of a threat scan. That's why 'Latest Threat Scan Date' is important.

-It is also worth noting that if the agent uses vendor-over-internet download settings the definition number may be slightly off from the console definition version from Help > About. It's nothing to worry about - just a difference in Major vs Minor versions.

-Some of these columns are not shown by default - you can add them by right-clicking on a column title and clicking 'Column Chooser'.

3. If necessary, you can check the definition version on the agent itself.

-Open the agent by double clicking the taskbar tray icon, or by going to Start > All Programs > Shavlik Protect > Shavlik Protect Agent.

-Go to the Overview tab if you are not brought there by default. Here you can see the threat definition version used during the last threat scan.

-If you have not recently run a threat scan this can be misleading. You can run a threat scan via the Threat tab, if configured.

-To update the threat definitions from the agent GUI or run a threat scan, use the tasks in the upper left when on the Threat tab.

-Note: Depending on the settings in the agent policy you may not be able to access the agent or access certain tabs. To change these settings go to the Protect console, and edit the agent policy. The settings are under General Settings > 'Allow the user to'.

*Note: For offline or disconnected environments refer to this document for instructions on manually updating threat definition files:

DOC-23162: Manually downloading threat definitions for Protect

Why does the console (Help > About) threat definition version differ from the latest threat definition version on an agent?

There can be a slight variation in the version numbers due to a minor and major version number system that the Vipre threat engine uses. The major, or 'Package Version' in the examples above is 27274 where the Minor or 'MinVersion' is 27270. Both versions are the current definition versions. These can be manually found by looking at the latest entry in the ThreatManifest.xml on the console sytem. Before checking this make sure the console threat definitions are up-to-date (step one above).

The ThreatManifest.xml can be found in the Datafiles folder, most commonly:

C:/ProgramData/LANDesk/Shavlik Protect/Console/ThreatData/ThreatManifest.xml

Generally the latest will be the last entry, but it's best to base it on highest version number found or newest date. The entry in the xml will look something like this:

<SpursPackage MinVersion="27270" PackageVersion="27274" URL="http://av.shavlik.com/av/CSE39-EN-27274-I.sbr.sgn" MD5="62FF771EAAE285B172A3A5EA2C8E7DB2" FileSize="103114" ReleaseDate="2014-03-10T16:12:48.250" IsIncrementalPackage="1"><SpursPackageType PackageType="ThreatDef" Language="EN" PackageTypeData=""/></SpursPackage>

Notice the MinVersion and PackageVersion numbers. Note the ReleaseDate value - this will help determine the latest entry in the ThreatManifest.xml.

Ensuring the Agent Policy, Distribution Server(s), and other settings are configured correctly

Here are the best practices for ensuring the threat protection is configured correctly. You may need to verify agent policy settings in each agent policy you are using.

1. Open the agent policy.

2. Go to the General Settings tab.

-Check on how your agent policy is set for the agent to obtain its definitions under 'Engines, data, and patch download location'.

-If this is set to vendor over internet the agent will attempt to obtain definitions directly from the vendor site, so you may need to ensure that the internet connection is working properly and that the vendor site(s) are not blocked.

-See this document for the URL exception list: DOC-2155: Shavlik Protect firewall and proxy exceptions URL list

-Additionally if the agent policy is set to use vendor over internet and you use a proxy in your environment, it is pertinent that you verify your proxy settins and provide any required proxy credentials to authenticate. This can be done under the 'Network' section of the General Settings tab.

3. Go to the Threat Tab

-In the tabs above go to 'Threat Tasks'

-Ensure that you have at least one threat task set up. There are options of quick or full scan.

-Note: Quick scan covers common locations and runs within a few minutes. Full scan will scan all files on the system and may take up to an hour.

4. Once you have your Threat Task(s) set up, go to the Active Protection tab.

-Ensure to have a check next to 'Enable Active Protect'

-Set the file access level that you would like active protection to use. Using the 'limit to high risk file types' or 'on execute' settings will increase performance but not all things will be checked by active protection.

5. Check your settings on all other Threat tabs - Threat Actions, Allowed Threats, Exceptions to ensure they are set correctly.

6. Save the changes to your policy.

Ensuring Distribution Servers are configured correctly and synchronizing

This section only applies if your agent policy is currently set to use a distribution server under 'Engine, data, and patch download location'.

1. Verify the distribution server settings in-use by your agent policy or policies. If you have multiple distribution servers in-use you may need to perform the following steps for each distribution server. If your agent systems have internet connectivity available it's recommended to allow the 'Use vendor as backup source' setting.

2. Go to Tools > Operations > Distribution Servers to verify the setup and sync of your distribution server(s).

3. Make sure to verify the paths to each distribution server is still valid, and verify there are valid credentials set on each distribution server.

4. Make sure that automatic synchronization is set up for each distribution server.

-You can add a scheduled sync by highlighting the distribution server, choose 'Threat engines/definitions' from the drop-down above, then click on the '+ Add scheduled sync' button.

-You will see the scheduled sync added to the list of 'Scheduled automatic synchronization' below.

5. Manually run the synchronization to make sure it completes successfully.

-To do this, highlight the scheduled sync for threat data, then click 'Run now' above it.

6. If you want to manually verify the files are synchronizing properly you can compare the files in your share to what exists on your Protect console.

-The ThreatData directory of the console is: C:\ProgramData\LANDesk\Shavlik Protect\Console\ThreatData

-If the sync has worked correctly you should have a ThreatData folder on your distribution server share with the same files in it as the above directory.

For more information about configuring distribution servers, see this Protect Help article:
Configuring a New or Existing Distribution Server

Setting up automatic recurring download of threat definitions

Follow these steps if you would like to set up the automatic download of threat definitions. This will help to ensure your definitions are always at the latest.

1. Go to Tools > Operations > Downloads.

2. Under the 'Schedule automatic downloads' section choose 'Threat engines/definitions' from the drop-down, then click '+Add'.

3. You'll be brought to the Schedule Download screen where you can set up a recurring schedule to automatically download new definitions.

4. Once you have this set up how you like, click 'Save.'

5. You should now see a task for 'Download threat data' showing the next run time and recurrence. You can also highlight this and click 'Run now'.

Other Considerations

1. Use of Protect Cloud Agents

-If you are using the Protect Cloud agent functionality you may need to ensure that your Protect cloud account is set up correctly.

-Go to Tools > Operations > Protect Cloud Sync for these settings.

-Make sure the Protect Cloud account credentials are correct, and you may need to run a 'Forc full update now'.

-You may also need to go into your agent policy or policies and ensure the policy is set to sync with Protect Cloud if using this feature.

-This setting is a checkbox found in agent policy > General Settings > Network > Sync with the Protect Cloud.

For more information about Protect Cloud Sync see the following Protect Help articles:

-Requirements and Usage Notes

-Protect Cloud Sync Operations

What do I do if I have verified everything appears to be working properly and threat definitions are current, but a threat is still not detected by the Shavlik Protect Agent?

Here is what to do:

1. Obtain as much of the following information as possible to provide to support:

-Threat definition version currently used. (See above on how to find this)

-Software being wrongly detected (in case of false positive), software version affected, and what is the software is detected as? (Threat Name)    

-Any applicable screenshots, a link to threat download if from a website, or a zipped copy of files that are suspected to be infected.

-Logs from the agent. Make sure logging is set to 'All' in your agent policy. Follow steps for agent logging in DOC-22921.

2. Submit the information to support by creating a case at https://support.shavlik.com/.

3. The Shavlik support team will work with ThreatTrack (Vipre) to ensure the threat is assessed and added to future threat definitions.

More informationa about Shavlik Protect agents and threat protection can be found at the following resources:

-Preparing to use Agents

-Creating and Configuring a Threat Task

-Configuring Active Protection

Shavlik Protect 9.x

You have the ability to record a video capture to help us to diagnose your issue.  You can click the Capture My Issue button after you first save a new support request or you can add it at any point when the support request is active.

Why record a video?

• Sometimes it is difficult for support to understand the symptoms that you are describing without seeing them.  By adding a video this should help us to understand first time and assist you faster.

What happens when I record a video?

• Click the Capture My Issue button after your new case number is displayed or when you have opened up an exisiting request from your request list.

NOTE: You may need to accept to allow or install a java plugin.

• The Screen Recorder runs.
  • Change the size of the captured area if required.
  • You can switch microphones or switch sound off (select No Audio Recording) before you begin recording.
• When ready to start, click the red button to record your issue steps.
• Click Done when you are finished (or Cancel if you made a mistake and want to record again).
• The video will upload to a secure area accessible to the support team and accessible via the portal by contacts for your company account.
• The support engineer who is dealing with your case will be notified that a video has been added.

TROUBLESHOOTING - Issues with the recorder

• You may need to accept to allow the java plugin to run in order to be able to record a video first time.

• You can also download the latest version of java here or check whether you have the correct version installed here.
• You may need to temporarily adjust your Java security settings (from the Java program group open the Java Control Panel) in order to allow the applet to run:

• The recorder will only record up to 15 mins at a time.  You would need to add additional videos if you need to record more information.
• The recorder will only record on your primary monitor.

If you see any of the following errors and/or symptoms during installation or upgrade of Shavlik Protect you may need to use the following steps to perform a manual uninstall of the application:

Errors /Symptoms

Error 1603: A fatal error occurred during installation

Error 1605: This action is only valid for products that are currently installed.

Error: Shavlik Protect Advanced. Sorry, an unexpected error has occurred and Shavlik Protect Advanced must close to recover. Depending on the configuration of your operating system, a second dialog may be displayed that gives you the option to report this error and check online for a solution. We really want to fix this problem (to help you and other customers) and hope you will select the "Check online" or "Send Error Report" option. Thanks!

Impacted Products

Shavlik NetChk Protect 7.x
VMware vCenter Protect 8.x

Shavlik Protect 9.x

Cause

The Shavlik Protect application may not have been removed in full due to a possible corruption of the Windows Installer, Installer folder or the automated uninstall process.

Resolution

Microsoft provides assistance with the manual uninstall process by providing a Fix it tool.  The download link for the the tool can be found at the following url: http://support.microsoft.com/mats/Program_Install_and_Uninstall

(Impact/Risks:  The Fixit utility is provided by Microsoft. Make sure you read any known issues or guidelines for this tool on Microsoft's site prior to use.)

Here are instructions on how to use the Fix it tool

1. Use the link above to navigate to the Fix it main page.
2. Click on the ‘Run Now’ button and save the file to the desired location on the problem machine.
3. Run the MicrosoftFixit.ProgramInstallUninstall.RNP.5230312412494560.2.1.Run.exe from the download location and select ‘Accept’ on the first page.
4. Select ‘Detect problems and let me select the fixes to apply’ from the pop-up window.
5. Select the ‘Uninstalling’ option.
6. A list of installed products will be displayed.  If the Protect product (i.e. Netchk Protect, Shavlik Protect or VMware vCenter Protect) is in the list select it, if you do not see the product in the list then select ‘Not listed’.

 
If a Protect product is listed:

1. Select the applicable product and click ‘Next’.
2. Select ‘Yes, try uninstall’
3. Ensure that both the 'Cannot install or uninstall a program' and 'Uninstall and cleanup?' boxes are check-marked and select ‘Next’.
4. A screen should then be displayed indicating whether the selected product was uninstalled or not.
5. Select ‘Next’ and the close out of the screen.

If a Protect product is not listed:

(Notes: It is best practice, and highly advised, that a backup of the registry before making any changes to or performing any modifications to the registry.  Please review the 'How to Backup Windows Registry' article found at the following link if you have questions about this process: http://windows.microsoft.com/en-US/windows-vista/Back-up-the-registry)

  1.  Choose ‘Not Listed’ and click ‘Next’.

  2.  Enter the associated product code from the list below for the version of Protect installed, being sure to include the { and } brackets, and select ‘Next’.

     Product GUID codes:

     Protect 7.0.832.0: {C6D1AE7C-DE93-4E93-A916-C4144525C82C}

     Protect 7.0.841.0: {C6D1AE7C-DE93-4E93-A916-C4144525C82C}

     Protect 7.1.410.0: {90047C28-0B1B-4B30-8177-50729907EBF2}

     Protect 7.2.155.0: {9B7F1E45-4C47-4E25-9EAB-098923E4171C}

     Protect 7.5.2716.0: {CEA2D643-08C0-422E-9B27-B58ED9D38D07}

     Protect 7.6.1482.0: {661A3308-5BE2-4E0F-A752-BDDB247DD2DB}

     Protect 7.8.1340.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}

     Protect 7.8.1388.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}

     Protect 7.8.1392.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}

     Protect 8.0.3756.0: {F77AFB04-D13F-48DA-BB99-A5B31B6AAE0B}

     Protect 8.0.3965.1: {5A696B05-9F06-4B3D-83A0-69E848EFAC4A}

     Protect 8.0.4027.2: {5A696B05-9F06-4B3D-83A0-69E848EFAC4A}

     Protect 9.0.1106.0: {8045AD29-C6A4-43F5-9F1F-9560EB09F99A}

     Protect 9.0.1182.0: {B7F5FF6F382B8834B85B6390F7F4DA1}

     ScriptLogic Patch Authority Ultimate 8.0.3756: {A8210996-CD25-4C8C-A2D7-207635DEDC28}

     ScriptLogic Patch Authority Ultimate 8.0.4027: {86DE6110-3F1C-40EE-98D9-05CD7A4B212F}

     ScriptLogic Patch Authority Ultimate 9.0.1182: {0EAD1B8A-6F58-2304-A817-34C1724CE04C}

  3.  Ensure that both the 'Cannot install or uninstall a program' and 'Uninstall and cleanup?' boxes are check-marked and select ‘Next’.

  4.  A screen should then be displayed indicating whether the selected product was uninstalled or not.

  5.  Select ‘Next’ and the close out of the screen.

       * It is recommended that you check that the associated product GUID has been deleted from the following registry location:

            HKEY_CLASSES_ROOT\Installer\UpgradeCodes

  6.  A reboot of the problem machine is also recommended at this point.

You should now be able to move forward with a clean installation of Protect (preferably the latest version which can be found at http://www.shavlik.com/downloads/). 

If you continue to have issues please contact Shavlik support by using one of the following methods:

Phone:

US Support: 800-690-6911

EMEA Support: +44-1344-442190

Support Portal:

Register at http://support.shavlik.com to create, update, and manage your Shavlik support cases

This document outlines the services that the Protect Console and Protect Agent's utilize. This may be necessary for adding exclusions for anti-virus, or for documenting internally.

Display Name: Shavlik Protect Console Service
Service Name:STConsoleSvc
Description:Provides support for Shavlik Protect management functions
Path to executable:"C:\Program Files\LANDesk\Shavlik Protect\ST.ServiceHost.exe"
Computers Affected:This service only shows on the Protect Console computer.

Display Name: ST Remote Scheduler Service
Service Name:STSchedEx
Description: Supports patch management and related operations
Path to executable:C:\Windows\ProPatches\Scheduler\STSchedEx.exe
Computers Affected: This service will show on any computer that an agentless deployment occurred.

Display Name: Shavlik Protect Agent
Service Name: STAgent
Description: Provides network services for Shavlik Protect Agent components
Path to executable:"C:\Program Files (x86)\LANDesk\Shavlik Protect Agent\STAgent.exe"
Computers Affected:This service will show on any computer that has a Protect Agent Installed, regardless of tasks the agent policy uses.

Display Name: Shavlik Protect Agent Dispatcher
Service Name: STDispatch
Description: Provides dispatching for Shavlik Protect Agent components
Path to executable:"C:\Program Files (x86)\LANDesk\Shavlik Protect Agent\STDispatch.exe"
Computers Affected:This service will show on any computer that has a Protect Agent Installed, regardless of tasks the agent policy uses.

Display Name: Shavlik Protect Threat Engine
Service Name: STThreat
Description: Provides dispatching for Shavlik Protect Agent components
Path to executable:"C:\Program Files (x86)\LANDesk\Shavlik Protect Agent\STThreat.exe"
Computers Affected:This service will show on any computer that has a Protect Agent Installed that is also using Threat Protection.

Note: As of Protect 9.1 only 64bit Operating Systems will be supported, so all agent paths will be within the Program Files directory.

Shavlik Protect 9.x

This document provide a resolution when Active Protection alerts are not send out.

Alerts are configured to send emails to a number of recipients when a virus/infection is found on a machine. A virus/infection is found by the Antivirus but no alerts are send out.

The alerting function is configurable from Tools> Operations> Alerts.

In order to trigger an alert, the threat count must meet or exceed one of the two alert thresholds, and it must do so within the specified period of time. This means that when the threats are received is just as important as the number of threats that are received.

The Infection time window (hours) must be less than 24 hours, we would recommend to let 4 hours as configured by default.

• vCenter Protect 8.x
• Shavlik Protect 9.x

This document outlines how to export a list of machines that have been scanned, or failed to be scanned from a specific scan result. This can be useful for identifying machines that may be experiencing issues scanning. It may also be useful for identifying why a particular machine has not been receiving patches (i.e. if it cannot be scanned, it will not receive patches from Protect).

After performing a scan against multiple machines, it may be desirable to have a list of machines that were successful vs. those that were unsuccessful.

Export Machines Scanned

1. Select Results from the navigation panel drop down list (or Choose View> Results).
2. Select the scan to report on from the navigation panel on the left.
3. Select the Machines Scanned tab.
4. Select All Machines in the list.
5. Right click, choose Export Selected Machines to CSV.

In the Save window that appears, choose a location to save, give the file a name, and choose Save.

Export Machines Not Scanned

1. Select Results from the navigation panel drop down list (or Choose View> Results).
2. Select the scan to report on from the navigation panel on the left.
3. Select the Machines Not Scanned tab.
4. Select All Machines in the list.
5. Right click, choose Export Selected Machines to CSV.

In the Save window that appears, choose a location to save, give the file a name, and choose Save.

Shavlik Protect 9.x

This document outlines how to use a Custom Action to remove the Propatches folder.

A Custom Actionmay include executing a specific command or invoking a custom batch file at specified time(s) during the deployment process. You can specify custom files and actions that occur during every deployment that uses the template, or only for those deployments that install a specific patch or service pack.

Note: A Custom Action will only run if a deployment occurs. If there are no missing patches selected to deploy to a target machine, the Custom Action will NOT occur.

1. Create a New Scan Template; enter a Name for the Template, and Save it.
   1. Alternatively - open an existing Scan Template you wish to modify.
   2. Select CustomActions under the Patch Properties tab.
   3. Save and close.

2.  Create a new Deployment Template.

     -     Give it a Name

     -     Uncheck Send Tacker Status

3.     Go to the Post-Deploy Reboot tab and choose "Never Reboot After Deployment".

4.     Go to the Custom Action tab and click New.

        -    Step 1 - Leave default

        -    Step 3 - Change to 'After all Patches"

        -    Step 4 - Enter the following: rmdir /s /q %pathtofixes

        -    Click Ok

5.     Save and close the Deployment Template.

6.     Use the new Scan Template to scan all your machines

7.     Use the new Deployment Template to deploy the QSK2745 MSST-001 patch. This patch is used for Custom Actions.

• NullPatch.exe/Noop.exe Information
• Null.exe or Noop.exe False-Positive
• Custom Action - Remove the Remote Scheduler for Protect version 9
• Custom Action - Delete Specific File
• Custom Action - Uninstall a Program
• Delete Patches from Target After Deployment

Protect Version: All

This document explains how to locate the default or user-defined patch download location in Protect.

When Shavlik Protect deploys patches to other machines on its environment, prior to deploying it must first download the patch to the console machine from the software vendor. These patches are routed to a default location on the local machine or if set to so, to a user-customized location. These patches will remain on the local machine following deployment so that the patch does not have to be redownloaded every time it is detected as missing and deployed. Sometimes if space is limited administrators may wish to clear out some of the older patches on the machine. This document explains how to locate the default location on the local console machine, or to determine where the user-defined patch download location is set in Protect.

In Shavlik Protect version 9: the default patch download location can be found by navigating to this directory on the local disk:

C:\ProgramData\LANDesk\Shavlik Protect\Console\Patches

The patch download location can be viewed or modified by going to Tools > Operations:

In the Operations menu, the Download tab which will be displayed by default contains this location in the top section.

To change this path to which patches will be downloaded prior to deployment, simply change the path in this field, and click save at the bottom. (Note: After changing all patches that are not in the new location will be downloaded- so it may be wise if you are changing this download location to transfer or delete the patch files in the default repository.)

Shavlik Protect 9.x
vCenter Protect 8.x

Importing a Custom ITScript presents an error. The error, cause, and solution will vary; this doucment will cover each individually.

Note - The following errors list a specific file and/or Script name. These may vary in your environment.

Script metadata is missing or incorrect.

A script '...' already exists, but was signed by a different authority

Error

 

[Window Title]
Script Importer

 

[Main Instruction]
The script 'C:\test.ps1' failed to import.

 

[Content]
A script 'Set Target Machine Verbose Logging' already exists, but was signed by a different authority

Cause

The UID value within the ps1 files Metadata matches the value of a script that is already imported into Protect. This specific error is typically seen when the UID matches one of the Shavlik default ITScript UID values.

 

Example:
<stScript uid="333a27e3-a651-4a30-9150-63757e689a19" schemaVersion="1.0.0.0">
uid value has already been used for a ITScript called 'Set Target Machine Verbose Logging'.

Solution

Change the uid to a unique value.

The contents of file '...' may have been tampered because the hash of the file does not match the hash stored in the digital signature. The script will not execute on the system. Please see "get-help about_signing" for more details.

Error

Cause

Solution

A script '...' by author '...' already exists

Error

Cause

Solution

• Change the Name value
• Change the Author value
• Delete the Script that is already imported into Protect.

The '...' start tag on line # position # does not match the end tag of '...'. Line #, position #.

Error

Cause

Solution

The script '...' failed to import. Scripts cannot have the same ID or Name as another imported script. Please check your script to ensure it has unique metadata entries for those fields.

Error

Cause

Solution

A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file

Error

Cause

• The system Date/Time is incorrect.
• The Root Certificates on the Protect Console computer are out of date.

Solution

• Correct the system Date/Time.
• Update the root certificates.
  • Related Document: Correcting Agent issues caused by out of date root certificates

Could not find any recognizable digits.

Error

[Window Title]

Script Importer

[Main Instruction]

The script 'C:\test.ps1' failed to import.

[Content]

Could not find any recognizable digits.

[OK]

Cause

• The GUID in the ps1 file has a non-hexadecimal value.

Solution

• Verify the GUID in the ps1 file contains only hexadecimal values (A-F, 0-9).

The following required fields are empty:...

[Window Title]

Script Importer

[Main Instruction]

The script 'C:\test.ps1' failed to import.

[Content]

The following required fields are empty: purpose

[OK]

Cause

• The listed element/node is does not contain any information.

Solution

• Enter information into the listed element/node

Example: In the listed example, the node 'Purpose' did not contain content. Adding something between the opening and closing tags fixes this issue.

The required element '...' is missing.

[Window Title]

Script Importer

[Main Instruction]

The script 'C:\test.ps1' failed to import.

[Content]

The required element 'purpose' is missing.

[OK]

Cause

• The listed element is missing from the ps1 file. Certain elements are required, and if they are missing they cause this issue. See this document on required elements.

Solution

• Add the listed/missing element.

Example: In the listed example, the element 'Purpose' was not in the ps1 file. Adding the element back into the ps1 file within the Description tags fixes the issue.

Guidelines for Creating Custom ITScripts

Shavlik Protect 9.x