Purpose

The purpose of this document is to resolve an issue where a previously input patch download directory is no longer accessible resulting in a Console crash at start up.

Symptoms

The following error is seen upon accessing the Console.

An error similar to the one below will be seen within the ST.Protect.managed log file:

2014-09-02T18:29:05.5119974Z 0001 E EnsureFolderExists|Failed to create directory: Y:\: System.IO.DirectoryNotFoundException: Could not find a part of the path 'Y:\'.

   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

   at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)

   at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)

   at ST.UI.FileAndFolderUtilities.EnsureFolderExists(String rawPath)

Cause

The cause of this issue is due to the mapped drive or path of the patch download directory no longer being accessible.

Resolution

Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\Shavlik Protect\Console\Options registry key on the Console and change the 'DownloadPath' value data field to an accessible drive or folder. Once this change has been made, please restart the 'Shavlik Protect Console Service' from within the Console machine's Windows services and relaunch the Console.

Additional Information

Once the issue has been resolved, the patch download directory can be changed by navigating to Tools>Operations within the Console.

Affected Product(s)

Shavlik Protect 9.x

Symptoms

When performing the installation of Shavlik Protect 9.1, Patch 1 (9.1.4446.0) you receive the following error:

Windows Installer - The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.

Cause

The improper installer package is being run on the system. Most likely you are attempting to use the patch installer (intended when you already have version 9.1 installed) on a system with Protect 9.0 installed.

Resolution

Use the correct installer package to update your current version of Protect. Below is a listing of the installer for Protect 9.1.4446.0 that should be used for the corresponding version of Protect:

Currently on 9.0.x - Use full 9.1.4446.0 Installer package (84MB), found here.

Currently on 9.1.4334.0 - Use 9.1.4446.0 Patch Installer (17MB), found here.

Affected Product(s)

Shavlik Protect 9.x

Purpose

The purpose of this document is to show how to perform a patch uninstall on multiple systems via the Shavlik Protect console.

Description

Below is an example of how to set up the uninstall of one patch for multiple machines when using Shavlik Protect. This example is using agentless scan and deployment features.

1) Scan any systems you wish to remove a patch from.

Generally it's best to ensure you run a new scan so you have the most current assessment result available.

2) View the scan result.

You can also get to a scan result if you already have one by clicking the left drop down menu, and choose 'Results'.

3) In the scan result:

    1. Choose the machines you want to uninstall a patch from in the upper (Machines) pane. You can use CTRL + click or CTRL+Shift to select highlight multiple machines.

    2. In the lower pane (Patches), select any patch you wish to uninstall. Patches with an orange U and 'Yes' in the 'Uninstallable' column can be uninstalled via Protect. You can see      how many machines currently have the patch installed viewing the 'Affected Machine Count' column.

    3. Right click on the highlighted patch, and choose 'Uninstall Select'.

    Note: Only one patch can be uninstalled from each system on a single deployment, and a reboot is required to complete the uninstall process.

4) You'll be prompted with the 'Deployment Configuration' window.

You can use an existing deployment template, or create a new one. For patch uninstall it's recommended to use a deployment template that has a post-deployment reboot enabled since the uninstall process will require a reboot to complete. You can also change the time of the deployment to take place immediately (default), scheduled at a certain date/time, or perform the uninstall at the target system's next reboot.

Under 'Patches to be deployed by machine' you can see a list of which machines will have the uninstall performed and whatever patch will be uninstalled from each system.

Additional Information

More information about uninstalling patches can be found here:

Protect Help - How to Uninstall Patches

Microsoft Documentation - Removing Patches

Affected Product(s)

Shavlik Protect, All Versions

Symptoms

You may see a pop-up error:

Protect Setup:

Error 1603: A fatal error occurred during installation

Error 1605: This action is only valid for products that are currently installed.

Error 1612: The installation source for this product is not available. Verify that the source exists and that you can access it.

You may see a message that says "protectinstaller.msi was not found".

Purpose

This article provides information on manually un-installing Shavlik Protect. This document is generally meant for the purpose of cleaning up a bad or broken installation of the Protect application.

Cause

Occasionally, the application may not be removed completely due corruption to the Windows Installer, Installer folder or other corruption to the automated uninstall process. When this occurs a manual un-install of the application is necessary.

Resolution

You may need to use the steps below to perform a manual uninstall of the application, and then re-install as necessary.

Microsoft provides assistance with the manual uninstall process by providing a Fix it tool.  The link to the tool is:  http://support.microsoft.com/mats/Program_Install_and_Uninstall

Here are instructions on how to use the Fix it tool

1. Use the link above to navigate to the Fix it main page.
2. Click on ‘Run Now’ and choose ‘Save File’.
3. Run the EXE that is downloaded and choose ‘Accept’ on the first page.
4. Choose the second option ‘Detect problems and let me select the fixes to apply’.
5. Choose the ‘Uninstalling’ option
6. You will see a list of the installed products on the server.  Choose the product if you see it on the list for instance. ‘Shavlik Protect’.  If you do not see the product on the list then select ‘Not listed’.

If Shavlik Protect, vCenter Protect, or Netchk Protect is listed:

1. Choose the corresponding name and click ‘Next’.
2. Choose ‘Yes, try uninstall’
3. Verify both options are check-marked and click ‘Next’.
4. You should see a screen that indicates whether Protect was uninstalled or not.
5. Click ‘Next’ and the close out of the screen.

If Shavlik Protect, vCenter Protect, or Netchk Protect is Not Listed:

1. Choose ‘Not Listed’ and click ‘Next’.
2. Enter the product code for the version of the Product installed and click ‘Next’. (Include the brackets)

     Product codes for Protect are listed below.

1. Verify both options are check-marked and click ‘Next’.
2. You should see a screen where it indicates whether the product was uninstalled or not.
3. Click ‘Next’ and the close out of the screen.

Product GUID codes:

Make sure to use the corresponding GUID for the version of Protect you are attempting to uninstall.

Protect 7.0.832.0: {C6D1AE7C-DE93-4E93-A916-C4144525C82C}

Protect 7.0.841.0: {C6D1AE7C-DE93-4E93-A916-C4144525C82C}

Protect 7.1.410.0: {90047C28-0B1B-4B30-8177-50729907EBF2}

Protect 7.2.155.0: {9B7F1E45-4C47-4E25-9EAB-098923E4171C}

Protect 7.5.2716.0: {CEA2D643-08C0-422E-9B27-B58ED9D38D07}

Protect 7.6.1482.0: {661A3308-5BE2-4E0F-A752-BDDB247DD2DB}

Protect 7.8.1340.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}

Protect 7.8.1388.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}

Protect 7.8.1392.0: {0A4D8D5E-7177-4A45-8A7F-0A5757403F97}

Protect 8.0.3756.0: {F77AFB04-D13F-48DA-BB99-A5B31B6AAE0B}

Protect 8.0.3965.1: {5A696B05-9F06-4B3D-83A0-69E848EFAC4A}

Protect 8.0.4027.2: {5A696B05-9F06-4B3D-83A0-69E848EFAC4A}

Protect 9.0.1106.0: {8045AD29-C6A4-43F5-9F1F-9560EB09F99A}

Protect 9.0.1182.0: {070964CB-00B0-4E36-A3F6-A09F76FBD197}

Protect 9.1.4334.0: {83593D3F-ADD7-491B-82EC-1A2E6D08C385}

ScriptLogic Patch Authority Ultimate 8.0.3756: {A8210996-CD25-4C8C-A2D7-207635DEDC28}

ScriptLogic Patch Authority Ultimate 8.0.4027: {86DE6110-3F1C-40EE-98D9-05CD7A4B212F}

ScriptLogic Patch Authority Ultimate 9.0.1182: {0EAD1B8A-6F58-2304-A817-34C1724CE04C}

At this point, install the latest version of Protect.

If you continue to encounter any install errors, contact Shavlik support. (http://www.shavlik.com/support/contact/)

If the Fixit tool fails to correct the error, you may need to manually delete an upgrade key located under HKEY_CLASSES_ROOT\Installer\UpgradeCodes in the registry. Then try reinstalling Protect with the latest installer.

Notes

Latest versions of Protect can be downloaded from: http://www.shavlik.com/downloads/

It is highly recommended to perform a backup of the registry before performing any modifications.

How to backup Windows Registry:  http://windows.microsoft.com/en-US/windows-vista/Back-up-the-registry

Impact / Risks

The Fixit utility is provided by Microsoft. Make sure you read any known issues or guidelines for this tool on Microsoft's site prior to use.

Affected Product(s)

Shavlik NetChk Protect 7.x
VMware vCenter Protect 8.x

Shavlik Protect 9.x

The purpose of this document is to help to prepare a current Protect console and database for upgrade to a newer version of Protect, and also to provide some information about how to resolve common upgrade issues.

Preparing for Upgrade of Protect

Most issues with upgrading Protect can be avoided by ensuring that you are meeting system requirements and that proper database maintenance has been performed prior to upgrade. The list below can be used as a guide to ensure you have a successful upgrade:

• Review the System Requirements for the version of Protect you plan to install.
  Refer to the document - Shavlik Protect Requirements Guide
• Review the Shavlik Protect Upgrade Guide.
• Prior to upgrade, it is recommended that you clean out as much old results as possible and perform database maintenance.
  This document covers the full steps for database maintenance: DOC-23430
• The user who will perform the upgrade of the database should either be the SA for the database in SQL, or the user should at least have the following privileges for the Protect database:
  Privileges required for upgrade purposes: db_securityadmin, db_ddladmin
  Privileges required for all Protect users: STExec, DB_DataReader, DB_DataWriter
• If your Protect database is hosted on SQL 2005, review the document; Authentication Limitation with Protect 9.0+ and SQL 2005.
• If you plan to move/migrate your console to a different system, review the document; Migrate Shavlik Protect Console.
  • There is a Migration Tool that can be used in some scenarios to move the console. Make sure to closely follow the Guide for this.

Resolving Common Upgrade or Post-Upgrade Issues

If you do have an issue during the upgrade process, it's possible the issue can be resolved based on some common issues listed below:

Upgrade/Install Failure

• Error: "Installation Failed.  A data conversion error has been detected during the database upgrade process."
• Resolving database upgrade timeout failures for Shavlik Protect
• Upgrading Protect fails with the error: Cannot create a new Service Broker in a mirrored database
• Upgrade to v9.x fails with error "Protect bootstrapper has stopped working"
• Upgrade\Installation Error, Background Intelligent Transfer Service (BITS) is disabled
• Failed to commit or save the database installation. Invalid License
• Upgrade - Error - Data Conversion Error - EventSubscription
• Shavlik Protect Install/Uninstall Issues
• Upgrade to version 9 Fails with error 'This installation package could not be opened.'
• How to clean up broken installs of Shavlik Protect with the Microsoft Fixit Tool
  • Applies when seeing installer errors 1603, 1605, and 1612.

  Post-Upgrade 

• Scheduled Jobs Missing from Scheduled Task Manager in Protect Console
• Scheduled Task Manager pops Error: -2080374779 - Upgrade scheduler now
• It is worth noting that the Agent Manager has been removed in version 9. All functionality is available from within Machine View.
  • You can see the full list of changes in each build, here.

What to do if you face an upgrade failure you cannot resolve

If you receive an upgrade or installation failure, and you are not able to use the above resources to resolve the issue it's time to open a support case.

• Contact Support with one of the following methods:
  • Support Portal: https://support.shavlik.com/
  • Other contact methods: http://www.shavlik.com/support/contact/
• If possible please provide the following information:
  • Console Logs
  • Installation Logs
  • Any applicable screenshots
  • Operating system of the console system and version of SQL used to host Protect database

Shavlik Protect 9.x

vCenter Protect 8.x

This is a list of highly recommended documents for improving general knowledge of the Shavlik Protect product. This article is not a comprehensive list of documents.

For the Shavik Protect 9.1 specific landing page, please see document DOC-23514.

• Download Site
• Protect 9.1 Installation Guide
• Protect 9.1 Upgrade Guide
• Protect 9.1 Online Help
• Shavlik Protect Requirements Guide
• Firewall & Proxy Exception White-List
• Installing Prerequisite Software

• How to Activate Shavlik Protect
• Managing License Seat Usage
• Offline Activation Process
• Sales/Licensing Contact Information

• Best Practices Guide (9.1)
• Best Practices: Java Deployment
• Best Practices: Software Distribution
• Best Practices: Agentless Scanning & Deployment of Service Packs
• Best Practices: Using Security Tools
• Best Practices and FAQ on using Threat protection with Shavlik Protect agents
• How To Configure Windows Firewall for Protect
• How to Create a Custom Patch
• How to manage Shavlik in an Offline network
  • Offline Environment: How To Manually Update patch data files
  • Offline Environment: How to Manually Update threat definitions

Installation & Upgrade

• Preparing for Upgrade of Protect and Resolving Common Upgrade Issues
• Data Conversion error during Upgrade
• Cleaning up broken installs of Protect
• Resolving database upgrade timeout failures

Obtaining Trace Logs

• Console, Client Side (agentless), and Agent log files
• Console Install and Setup Logs
• DPD Trace (for scan detection issues)
• Listing & Purpose of All Log Files

Scanning & Detection

• Troubleshooting Patch Scan Error Codes
• Scans running slow or taking long time to complete
• Scan Results fail to import (Incomplete results)
• Why Shavlik Protect scan results may differ from Windows Update
• Java patches not shown missing or installed
• How to include or exclude specific patches in scan
• Adobe & Mozilla Incremental Updating process
• Patch install/uninstall loops (patches that always show missing)

Patch Deployment & Shavlik Scheduler

• Deployed patches appear as missing
• Deployment Tracker Status Message Values
• How to Troubleshoot A Failed Patch Install
• Service Pack Deployment Guidelines
• Reinstalling the Shavlik Remote Scheduler Service

Database Related

• SQL Database Maintenance Recommendations for Protect
• Cleaning up (purging) a Protect Database
• Increasing database timeout period
• Moving/migrating Protect database

Agents

• Agent Diagnosis Commands
• Agent Install failing at 67% (registration failure)
• How to fully uninstall and reinstall an agent

Other

• Issues adding machines to a group via Active Directory/OU
• Verifying Proxy Settings for Download Issues
• Role Based Administration Lockout Fix
• Understanding the Machine Groups and the Machines View

• XML (Patch Definitions) Update Information
• List of Currently Supported Products
• Feature or Change Requests

Purpose

This document is meant to provide some basic information about how to re-sign updates that have been previously published to WSUS, but may need a new digital signature due to changing certificates.

Description

If you change the certificate used for WSUS, the client systems will now accept any updates that are signed with the new digital certificates, but you may have older updates already published which are still signed with the previous digital signature.  In this scenario, the updates will fail to deploy on the client systems as the client does not recognize the digital certificate.

The Shavlik Patch plugin currently does not have a feature to re-sign updates when publishing, however, this can be done via System Center Update Publisher (SCUP).

Here's how to do it:

1) In SCUP, ensure you have the latest .cabs from Shavlik imported. You can manually download the .cabs by loggin into https://protectcloud.shavlik.com/.

2) Select any updates you need to re-sign, then choose to Publish.

3) On the 'Publish Options' make sure to select 'Full Content', and make sure to check the box for 'Sign all software updates with a new publishing certificate when published software updates have not changed but their certificate has changed.'

4) Finish through the steps of publishing to complete the process.

Additional Information

Microsoft has a video on how to re-sign updates, here.

SCUP 2011 can be downloaded here.

Affected Product(s)

Shavlik Patch for Microsoft System Center

(Formerly SCUPdates)

Symptoms

You add exceptions via the agent policy, but when viewing the Agent UI on one of the client systems you don't see the exception listed in the Always Allow or Never Allow sections.

Example:

Policy exception:

Agent UI - Always Allow tab:

Cause & Resolution

This is the expected behavior. The 'Always Allow' or 'Never Allow' tabs in the Agent UI are currently intended to only show exceptions for each individual agent that have been set via the agent using the 'Add..." function on each tab.

If you would like to see this behavior changed in any way, please submit a feature/change request at our Feature Request Site.

Affected Product(s)

Shavlik Protect, All Versions

Purpose

This article provides information about how patch scans with Protect may differ from Windows Update scans, specifically concerning patch severity.

Overview

Microsoft publishes severity information with each bulletin. The Shavlik Protect interface displays the Microsoft severity for each individual patch by Qnumber. Each Microsoft Bulletin includes an overall maximum severity rating listed at the top of the bulletin and it is displayed in the Security Bulletin Search page. For example, for MS05-001, the maximum severity rating is Critical.

Within each bulletin, the severity ratings are further assigned by the underlying operating system. The severity rating for the issue may be different, based on which operating system is involved. These specific settings may be viewed by expanding the Executive Summary of the security bulletin. For example, for MS05-001, the severity rating for NT4, Windows 2000, and Windows XP is Critical. The severity rating for Windows Server 2003 is Moderate.

In the Protect GUI, the vendor severity rating is displayed for each patch and it is specific to the operating system or application that is installed. For NT4, Win2K, and XP systems the vendor severity rating for MS05-001 is displayed as Critical, while the same issue for WS03 is displayed as Moderate.

Microsoft Windows Update (including Microsoft Update) categorizes updates in two buckets: High Priority and Software-Optional.

The High Priority bucket includes both security-bulletin related patches and non-security patches. The Software-Optional bucket usually includes new software applications that can be installed (such as Windows Powershellv and Windows Search).

Protect scans for and deploys all Microsoft security bulletin related patches. Each Microsoft security bulletin related patch is assigned a Microsoft severity rating (Critical, Important, Moderate, Low) as detailed in the security bulletin.

The severity rating in Protect properly reflects the rating assigned to the individual patches for the specified products, rather than the overall severity rating assigned to the bulletin as a whole.

Protect also scans for and deploys many of the Microsoft non-security related patches. These patches are for issues such as performance and scalability-manageability. In Windows Update, these patches are included in the High Priority bucket alongside their security counterparts. In Protect, these patches are included as non-security patches available to be scanned via the WUScan scan template, or in a custom template when non-security patches are selected.

Non-security patches, whether scanned from Windows Update or from Protect are NOT assigned severity ratings. (Severity ratings are only assigned by Microsoft for security patches referenced in security bulletins.)

Microsoft includes both security and non-security patches in their High Priority bucket. This sometimes leads to confusion when prioritizing the patches that need to be installed. Shavlik recommends that all security patches be considered for installation (after appropriate internal testing). Shavlik recommends installing non-security updates as required by the business situation. Non-security updates are not necessary to maintain the security posture of your system.

Another point of common confusion is the Update Type attribute that is displayed in Windows Update. This column displays Important or Recommended. This is commonly mistaken for the patch severity, however this is not related to security patch severity (Critical, Important, Moderate, Low). To see the security patch severity, click the update title on Windows Update, then click the corresponding More Information link to view the security bulletin and associated patch product severity rating.

FAQ

Why does Microsoft show some non-security updates that Protect does not show?

While Shavlik strives to maintain consistency with Windows Update non-security patches, there may be times when Microsoft has released a non-security patch and Protect has yet to support that patch. Protect prioritizes patches to include support for security patches first, then non-security patches. If you see a non-security patch on Windows Update that is not listed in the Protect product, submit a request at http://shavlik.featureidea.com/ and request that the patch be added.

Why does Protect show some non-security updates that Windows Update does not show?
Shavlik strives to add support for as many non-security patches as possible. This includes both those listed on Windows Update as well as those available from the Microsoft Download Center (that may not be available via Windows Update). Many times we identify (or customers ask us to support) relevant patches on the Microsoft Download Center that are not on Windows Update (which may or may not be supported by Windows Update in the future). In these cases, you may see Protect scanning for and recommending non-security patches that are not on Windows Update. As with all non-security updates, use your own judgment to determine if the specific patch is relevant to your organization and prioritize deployment of those patches accordingly.

If a Protect Security Patch and/or WUScan scan shows my system as fully patched and Windows Update shows some missing High Priority updates, is my system really \"secure\"?
Yes*. The Protect Security Patch (default) template scans for all security patches. The WUScan scan template scans for all security patches as well as non-security patches. Both of these templates identify any missing security patches that need to be installed on your system to consider it fully patched with respect to security patches. (* Secure in this sense means fully patched for security issues. Configuration settings may still be required to fully secure your system for non patch related items).

Do I need to install all non-security High Priority items recommended by Windows Update?
No. Security bulletin related patches are the most important items to install. You should install all security bulletin related patches (pending your internal testing). Non-security patches can be installed to help address specific non-security issues as the need arises. It is not necessary to install these High Priority non-security patches to be secure.

Shavlik recommends scanning with the Security Patch Scan template and apply the patches that it finds missing. Use the non-security WUScan scan template as needed to find those non-security items that you wish to install.

What if I see a non-security High Priority patch on Windows Update that is not listed in the Protect product?
Submit your request at http://shavlik.featureidea.com/.

Why does Protect show security updates that Windows Update does not show?

The Protect application scans for security updates for both Microsoft and non-Microsoft products that Windows Update Microsoft Update does not scan for. For Microsoft products, this includes items such as Office 2000, Step by Step Interactive Training, Messenger, Services for Unix, FPSE, SQL 2000 (pre SP4), ISA Server.

The Protect application also scans for security patches on non-Microsoft products such as Sun Java, Mozilla Firefox, Apple iTunes, Adobe Acrobat and Reader, Adobe Flash, Citrix, RealPlayer, and others. Windows Update does not scan for or patch these third party products.

Purpose

An explanation of why Shavlik Protect patch scan results may show different patches needed than when running a Windows Update.

Solution

Shavlik Protect uses different detection logic to scan for patches than Windows Update and other patch vendors.A Windows Update scan has the ability to show missing Security Patches, Non-Security Patches, Security Tools, driver updates, and sometimes patches that aren't publicly downloadable.

Depending on what Scan Template you are using in Protect, the results will vary. The built-in security patch scan will only show missing security patches. The built-in WU scan will show missing security patches and non-security patches. And please note - we don't always include all non-security patches in our XML data right away either, as security patches take precedence.

You can always create a Custom Scan Template, and check security patches, non-security patches, and security tools for the most robust scan with Protect.

Shavlik uses a variety of methods to see if a target machine needs a patch.  The process is detailed in the document "Explanation of how patch scanning detection works with Shavlik Protect" which can be found here:http://community.shavlik.com/docs/DOC-2259.

Administrators can view files and registry entry criteria by searching for the patch in View > Patchesof the Shavlik Protect Console main menu.

See this online help file for more information on using Patch View:

http://www.shavlik.com/onlinehelp/Protect90HTMLHelp/Viewing_Patch_Details_(Patch_View).htm

There is also a difference in how Protect displays criticality and vendor severity. See this document for further information concerning this:
Understanding patch severity in a Shavlik Protect patch scan and why it may differ from Windows Update

Affected Products

Shavlik Protect 9.x

Purpose

The purpose of this document outlines the process of using Protect to install Internet Explorer.  You can also view Software Distribution Best Practices and Informational Guide or more information about using the Software Distribution feature.

Steps

To install IE with Protect you will need to use the Software Distribution to do this.

First you will need to create a scan template to detect the version of IE you will want to install.

The first step for this is to create a patch group that contains the installer patch for IE. To do this go to view patches then in the search you will input MSIE-010 (This is for IE10, IE11 would be MSIE-011). Then you will see the QNumber QIE1061N right click on this and create new patch group.

Now you will name and save your patch group.

Next Step is to create the scan template.

Go to New\Patch Scan Template

Under the filtering tab you will need to select the “Scan Selected” under Patch Filter Settings and select your patch group.

Now on the General tab of the scan template you will want to check the box “include effectively installed patches  and leave “Both missing and installed
patches” selected

Now on the Software Distribution tab you will need to check the box “Software Distribution” so the scan template will show results for Software Distribution patches

Now you can scan the machine you want to install IE on and it should either show you the IE version is either missing so you can deploy it or it is effectively installed

Purpose

This document will explain how to view scheduled agent tasks by command line on client machines.

Resolution

1. Open a command prompt as an administrator and then navigate to one of these locations:

32bit OS:

"C:\Program Files\LANDESK\Shavlik Protect Agent\

64bit OS:

"C:\Program Files (x86)\LANDesk\Shavlik Protect Agent\

2. Run this command to see all shceduled jobs for this agent.

STAgentManagement.exe -schedule

Additional Commands

You may also find these switches for STAgentManagement.exe helpful too.

Affected Products

Shavlik Protect 9.x

Purpose

Many of the common Shavlik Protect scan errors can be corrected by changes to configuration or environment. This article lists the most common scan error messages and provides some guidance on correcting the issue.

Cause

Scan errors can occur:

• If one or more of the Shavlik Protect Scanning Prerequisites have not been met 
• If one or more configuration issues are present in Shavlik Protect 
• Due to one or more environmental issues

Resolution

Affected Product(s)

Shavlik Protect All Versions

Problem

You receive a pop-up error when attempting to publish patches in Shavlik Patch.

"Failed to schedule the task using the Microsoft Scheduler. Please verify the user name and password."

Cause

The most likely cause of the issue is a policy is set to disallow programs to store credentials on the server.

The specific policy and path:

\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Policy Name:

Network access: Do not allow storage of credentials or .NET Passports for network authentication.

Resolution

Set this policy to Disabled.

Affected Products

Shavlik Patch

The purpose of this document is to assist in locating the Agent Manager within Shavlik Protect version 9.

The Agent Manager has been removed. All functionality is available from within Machine View.

From: Shavlik Protect Release Notes

Within Machine View you can install an agent onto machines, you can assign a different policy to machines that already contain an agent, and you can uninstall agents from machines. It also provides a convenient place to determine which machines have Protect Agents installed. You can access Machine View by selecting View>Machines.

How to View Only Agents

In Machine View (View> Machines) set the Smart Filters to 'Has an Agent Policy'. This will filter the Machine View to only show those machines that have an Agent.

Shavlik Protect 9.x

Problem

You receive the following error when attempting to publish content:

Publish: Exception occurred during publishing:

Verification of file signature failed for file: \\<serverName>\UpdateServicesPackages\<AppName_abf10b91-bfa6-44ff-aa54-099e4bf1487d\a7f3d4b2-02b6-4f0c-ab9b-e38c8de9c3f0_1.cab

You may also see this error:
"Exception occurred during publishing: Verification of the signature failed for file" for each of the updates attempted.

Cause

The self-signed WSUS certificate wasn't added to Trusted Publishers Store and the Trusted Root Certification Authorities Store.

Resolution

Add the self-signed WSUS certificate to the Trusted Publishers Store and the Trusted Root Certification Authorities store on the Update Publisher machine as follows:

1. Navigate to Start and type MMC in the run box, this will open Microsoft Management Console (MMC).

2. Click File and choose Add/Remove Snap-in, highlight Certificates and click Add. Select Computer account and then click Next.

3. Select another computer, type the name of the update server or click Browse to find the update server computer, click Finish, click Close and then OK.

4. Expand Certificates (update server name) and expand WSUS then click Certificates.

5. In the results pane, right-click the desired certificate and choose All Tasks then Export.

6. In the Certificate Export Wizard, use the default settings to create an export file with the name and location specified in the wizard. This file must be available to the update server before proceeding to the next step.

7. Right-click Trusted Publishers and choose All Tasks then click Import. Complete the Certificate Import Wizard using the exported file from step 6.

8. If a self-signed certificate is used, such as WSUS Publishers Self-signed, right-click Trusted Root Certification Authorities and choose click All Tasks and then Import. Complete the Certificate Import Wizard using the exported file from step 6.

9. Right-click Certificates (update server name) and choose Connect to another computer then enter the computer name for the Updates Publisher computer and then OK.

10. If Updates Publisher is remote from the update server, repeat steps 7 through 9 to import the certificate to the certificate store on the Updates Publisher computer.

Purpose

We have identified a defect in Protect 9.0 (Gold and Patch 1) where agent patch scan results cause the Shavlik Protect Console service to crash.  You can identify the issue by the following method:

• Agents are being used for patch management and the Shavlik Protect Console service is crashing frequently.
• Enable ‘All’ logging in the Protect Tools – Options – Logging menu and capture the service crash.
• Navigate to the \Logs folder and open the ST.ServiceHost.managed.log file.

Windows 2003/XP: C:\Documents & Settings\All Users\Application Data\Shavlik Protect\Logs

Windows 7, 8, 2008, & 2012: C:\ProgramData\LANDesk\Shavlik Protect\Logs

• Search for FK and verify you see the following error:

FOREIGN KEY constraint "FK_ScanItems_ItemTypes". The conflict occurred in database "Protect", table "dbo.ItemTypes", column 'itKey'. The statement has been terminated..

Cause

This is due to a Service Pack mapping failure which causes and unknown ‘ItemType’ to be used. The crash occurs when the Shavlik Protect Console service attempts to insert that unknown ‘ItemType’ into the ‘scanItems’ table in the Protect database. 

Resolution

Backup the Protect database: You can do this manually or you can use the Database Maintenance in Protect.

Remove the foreign key restraints in the database by executing the following script against the Protect database:

IFEXISTS(SELECT*FROMsys.foreign_keysWHEREobject_id=OBJECT_ID(N'[dbo].[FK_ScanItems_ItemTypes]')AND parent_object_id =OBJECT_ID(N'[dbo].[ScanItems]'))

ALTERTABLE [dbo].[ScanItems] DROPCONSTRAINT [FK_ScanItems_ItemTypes]

Purpose

The purpose of this document shows you how to view agent results using View - Machines in Protect 9.0 and above.

Machine View

You will always want to refresh the view when looking at Machine View to see the most current information.

In Machine view you will be able to determine what is happening with your Agent. The Machine View is an extremely powerful and flexible tool. It enables you to display current information about every machine in your network that has been previously scanned and whose information resides in the database. It organizes all of the scanned machines so they are displayed in one comprehensive view, regardless of when the machines were scanned. Machine View provides an easier method to both view and manage the current security state— across both agent-based and agentless systems. Machine View differs from Scan View, which requires you to first locate the scan in which the machine was assessed before drilling down to view the machine’s scan summary.

You will see the current patch status of the client machine which includes missing or installed patches, Patch Definitions used in latest scan, latest Patch Scan Date, Agent Policy, Agent Version, Latest Check In along with other information at the top of your screen.

Purpose

This article is meant to provide information on obtaining and installing the SCAP Processor for use with VMware vCenter Protect Configuration Management (formerly Shavlik NetChk Configure).

Description

When a customer purchases a Government license for vCenter Protect - Configuration Management (Formerly Shavlik NetChk Configure), they are sent a download link for the SCAP Processor installation file. That link is as follows:

http://rs.shavlik.com/downloads/SCAPProcessor_4.3.17.0.exe

Additional Information

vCenter Protect Configuration Management 4.3 can be downloaded at http://www.shavlik.com/downloads/VMwareProtectConfigMgmtSetup_4.3.19.0.exe.

Affected Products

SCAP Processor

vCenter Protect Configuration Management 4.3

(Formerly Shavlik NetChk Configure)

Purpose

This document is meant to show how to use the features within Shavlik Protect to dynamically manage systems found within Active Directory or a domain.

Description

Within Protect it is possible to dynamically perform scan and deployment on machines managed via Active Directory or within a domain. To set up a machine group that can be used for this, follow the below steps:

Adding an Active Directory OU to a group

1) Create a new machine group by going to the 'New' Menu > Machine Group...

2) Name the group, click the 'Organization Unit' tab, then either type in the specific OU name if you know it, or the easier method is generally to click 'Browse Active Directory'.

3) Expand the containers as necessary, then check the box next to 'Computers' for any domain computers you want to be included in your scans.

4) Click 'Add checked items'.

5) You will now see the OU listed in the machine group.

     Ensure to set credentials that will have admin access to all the machines.

     To do this, right click on the OU listed, then choose Set Credentials > Set admin credentials.

6) Choose the proper credential to use, then click 'Assign'.

7) You should now see the OU listed with Admin Credentials set. Click 'Save' to save your machine group.

8) Try running a scan on the group to test. As you can see in the example below, it should automatically pick up any machines that are part of the OU selected.

This function is dynamic when you check the box to include all computers of a domain. If you later add or remove machines from the OU in active directory, the machine group will automatically pick up on this when being used to run new scans in Protect.

Adding an entire Domain to the machine group

1) In the machine group, go to the 'Domain Name' tab.

2) Type in the domain name, then click 'Add'.

3) Ensure to set admin credentials.

This feature will work dynamically as well. Whenever you use a machine group with a domain specified the scan will only discover machines currently part of the domain records.

Additional Information

1) If you set up a group as shown as the example above (containing a domain name and OU that would contain the same machines), Protect will be able to determine the same machine is being discovered/scanned twice and will only display one scan result for the machine.

2) You can add multiple domains and active directory OUs within a single machine group.

3) When first setting this up, it's likely you will run into some scanning errors (machines not scanned). Generally these happen due to some configuration or environmental problem. Refer to this document on how to fix such scan errors: Troubleshooting Shavlik Protect patch scan error messages

Affected Product(s)

Shavlik Protect, All Versions