This document includes instructions on how to increase the deployment timeout for offline hosted virtual machines. The steps in this document are required when a deployment to an offline hosted virtual machine needs more than 120 minutes to complete. A typical cause is the deployment of a large number of patches to a single machine.
Symptoms
You will see the following error message in the Deployment Tracker approximately 120 minutes into the deployment process.
A subsequent scan of the target offline hosted virtual machine will show fewer patches missing, indicating that some of the patches were installed within that 120-minute time frame.
Resolution
Manually increase the deployment timeout by editing the STEnvironment.config.
1. Close Protect.
2. Stop the Shavlik Protect Console Service.
3. Navigate to the Protect installation folder. (C:\Program Files\LANDesk\Shavlik Protect by default)
After upgrading to Shavlik Protect version 9.1.4446, some users may encounter the error "The e-mail service is currently not available", and some users may find that their automated email reports are not being sent. The purpose of this document is to provide a workaround for those who encounter this issue and to help those affected restore proper function of automated email reports in Protect.
Symptoms
Following the installation of the patch upgrade for Protect that takes the application from version 9.1.4334 to 9.1.4446, some users may, after completing a scan or initiating a deployment, receive a dialog box in the application containing the following error:
"The e-mail service is currently not available."
The Protect.Managed log should show the following exception:
2014-XX-XXTXX:XX:XXXXXXX E EmailRecipientSelector.cs:205|ST.UI.UserViewableException: The e-mail service is currently not available. ---> System.ServiceModel.ProtocolException: The .Net Framing mode being used is not supported by 'net.pipe://localhost/ST/Console/Messaging/ResultsNotification'. See the server logs for more details.
at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass2.<CreateTask>b__1(IAsyncResult asyncResult)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at ST.UI.Controllers.Configuration.MailController.<SendNotificationEmailAsync>d__d.MoveNext()
--- End of inner exception stack trace ---
at ST.UI.Controllers.Configuration.MailController.<SendNotificationEmailAsync>d__d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at ST.Protect.Forms.Email.EmailRecipientSelector.<SendEmailClickAsync>d__13.MoveNext()
Cause
Users should only see this error message after upgrading using the patch, not the full 9.1.4446 install. It appears that during the patch upgrade process, some of the necessary components may not upgrade successfully in some environments.
Resolution
We are working on the upgrade issue, and this will be fixed in an upcoming patch release. In the meantime, to correct the issue, uninstall Shavlik Protect, then download and re-install Protect using the full 9.1.4446 installer. Note: Uninstalling and re-installing Protect will not cause any loss of user data or configuration, as this data is all contained within the database. Before re-installing Protect, to help ensure the product can point back to the database, it is a good idea to open the Database Setup Tool and verify the path to the SQL database and the credentials used. These will need to be entered after re-installation is completed.
The full installation package can be downloaded from the following link:
Microsoft patches fail to deploy on the following operating systems:
-Windows Vista
-Windows 2008
-Windows 7
-Windows 2008R2
-Windows 8
-Windows Server 2012
When attempting to manually run a patch file copied to a target machine in C:\Windows\Propatches\Patches you receive an error that the Windows Update service was not able to start or is not started.
Resolution
The Windows Update service must not be set to 'Disabled'. It does not explicitly need to be started, but it must be enabled - it can be set to 'Manual', 'Automatic-Delayed Start', or 'Automatic'.
Windows Vista/2008 changed patching behavior. Patches for Windows Vista and later are of file type .MSU, and this file type requires the Windows Update service to be enabled in order to execute. The Windows Update application is not required, but the standalone service handles extraction and execution of MSU patches and must remain enabled. For more details regarding this change, go to http://support.microsoft.com/kb/934307/en-us
Windows Update can be disabled as long as the Windows Update service remains enabled. You can configure this using GPOE under Computer Configuration\Administrative Templates\Windows Components\Windows Update.
From the workstation, the automatic updates setting can be set to "Never check for updates" under Control Panel\All Control Panel Items\Windows Update\Change settings.
The Windows Update security message can be turned off by unchecking "Windows Update" under Control Panel\All Control Panel Items\Action Center\Change Action Center settings.
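One way to verify the service requirement before a deployment, as an added example that is not part of the original article: the PowerShell below reports the start mode of the Windows Update service (service name wuauserv) on each listed machine and, only when asked, switches a Disabled service to Manual without starting it. The function name, its parameters and the machine name in the usage line are assumptions.

```powershell
# Added example, not vendor code. Function and parameter names are illustrative.
# 'wuauserv' is the service name of the Windows Update service.

function Confirm-WindowsUpdateServiceEnabled {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = @('localhost'),
        # When set, a Disabled service is switched to Manual (it is not started).
        [switch]$SetManualIfDisabled
    )

    foreach ($computer in $ComputerName) {
        $session = $null
        $result = [ordered]@{
            ComputerName = $computer
            StartMode    = $null    # Auto, Manual or Disabled
            State        = $null    # Running, Stopped, ...
            CanRunMsu    = $false   # true when the service is not Disabled
            Changed      = $false
            Error        = $null
        }
        try {
            # Local machine: DCOM session, no WinRM needed. Remote machine: WS-Man.
            $session = if ($computer -in @('.', 'localhost', $env:COMPUTERNAME)) {
                New-CimSession -ErrorAction Stop
            } else {
                New-CimSession -ComputerName $computer -ErrorAction Stop
            }

            $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                -Filter "Name='wuauserv'" -ErrorAction Stop
            if (-not $svc) { throw "Service 'wuauserv' not found." }

            if ($svc.StartMode -eq 'Disabled' -and $SetManualIfDisabled -and
                $PSCmdlet.ShouldProcess($computer, 'Set wuauserv start mode to Manual')) {
                $rc = Invoke-CimMethod -CimSession $session -InputObject $svc `
                    -MethodName ChangeStartMode -Arguments @{ StartMode = 'Manual' }
                if ($rc.ReturnValue -ne 0) {
                    throw "ChangeStartMode returned $($rc.ReturnValue)."
                }
                $result.Changed = $true
                # Re-read the service so the report shows the new start mode.
                $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                    -Filter "Name='wuauserv'" -ErrorAction Stop
            }

            $result.StartMode = $svc.StartMode
            $result.State     = $svc.State
            $result.CanRunMsu = ($svc.StartMode -ne 'Disabled')
        }
        catch {
            # Unreachable machines and access-denied errors end up in the report.
            $result.Error = $_.Exception.Message
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
        [pscustomobject]$result
    }
}

# Report only. Add -SetManualIfDisabled (optionally with -WhatIf) to correct it.
Confirm-WindowsUpdateServiceEnabled -ComputerName 'localhost' | Format-Table -AutoSize
```

If a Group Policy setting disables the service, a change made this way will be reverted at the next policy refresh, so the policy itself has to be corrected.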
This document is meant to provide a full overview of how credentials are entered, used, and work within the Shavlik Protect product.
Description
Credential Precedence for Physical Machines and Online Virtual Machines
Initiating actions from the home page, from a machine group, or from a favorite
The home page, machine groups and favorites can be used to initiate actions, patch scans, asset scans, power management, and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:
If one or more of the following are available, the credential with the highest precedence will be used. The precedence order is as follows:
a. Machine-level credentials
b. Group-level credentials
c. Integrated Authentication (Kerberos)
Example: If machine-level credentials are not available but group-level and default credentials are available, the program will use the group-level credentials.
If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.
If neither of these credentials works, the scans and the power management tasks will fail.
One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.
Initiating an agent installation from a machine group
When using a machine group to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follow the same strategy as above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using machine-level, group-level, default, or explicitly supplied credentials.
Initiating actions from Machine View or Scan View
When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the program will attempt to authenticate to the target machines using a variety of credentials and will do so using the following strategy:
If one or more of the following are available, the Protect console will try to authenticate using the credential with the highest precedence, where the precedence order is as follows:
Any manually or automatically assigned managed machine credentials (see the To Individual Machines in a Machine Group section in Supply Credentials for Machines (used if the scan credentials are invalid or missing, for example, if an agent performed the scan rather than the console)
If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.
Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.
If neither of these credentials works, then the action will fail.
Initiating an agent installation from Machine View or Scan View
When using Machine View or Scan View to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follow the same strategy as immediately above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using managed machine credentials, default credentials, or explicitly supplied credentials.
Credential Precedence for Offline Hosted Virtual Machines
Initiating actions from the home page, from a machine group, or from a favorite
The home page, machine groups and favorites can be used to initiate patch scans, asset scans, and power management actions and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each offline hosted virtual machine using the browse credentials.
Initiating actions from Machine View or Scan View
When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the credentials that will be used to authenticate to an offline virtual machine depend on the power state of the machine when it was initially scanned.
If a machine was originally scanned in offline mode
The program will attempt to authenticate using the browse credentials.
If a machine was originally scanned in online mode
The program will attempt to authenticate using a variety of credentials and will do so using the following strategy:
Try using any manually or automatically assigned managed machine credentials
If the following are available, try to authenticate using the credential with the highest precedence, where the precedence order is as follows:
The administrator credential from the machine group. If the administrator credential exists but fails, the default credentials will not be tried.
Default Credentials (used if the scan credentials are invalid or missing (for example, if an agent performed the scan rather than the console))
If the credentials used above do not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.
Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.
If none of these credentials work then the action will fail.
Defining Credentials
The Define Credential dialog can be accessed anywhere a credential is used within the Shavlik Protect interface (for example, from a machine group, from the Credentials Manager, etc.). It is used to specify a new user name and password pair that collectively define one credential. The credential is stored with strong encryption techniques. Only the administrator that creates the credential will be able to decrypt the credential and access it from within the program. If you elect to share the credential, however, it will be made available to other administrators as well as to Shavlik Protect service components.
Note: Credentials may be automatically defined for you during a product upgrade or when importing a machine group. Any credentials that are found during these processes are preserved and will be assigned friendly names according to their usage. The term Discovery filter is the friendly name assigned by the program to a machine group credential that it identifies during an upgrade or import process. Feel free to change the name to something that more closely reflects the usage of the credential in your organization.
Name this credential so it can be used elsewhere
Provide a friendly name for this credential that describes exactly where it should be used.
User name
Type a user name that has access to the machine(s). When specifying the user name:
If you need to specify a domain as part of the credentials be sure to include the domain name as part of the user name. For example, if you enter User@<Domain>, <Domain>\User, or a fully qualified user name, Shavlik Protect will use the domain account rights.
If you enter <Target Machine>\User, Shavlik Protect will use the target's local account rights.
If you do not include a domain or machine as part of the user name, the name will be qualified to the target machine (<targetmachinename>\User).
Microsoft Windows .alias name formats (for example: '.\username') are supported by Shavlik Protect.
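The rules above decide whether a credential is used with domain rights or with a target's local account rights, which is worth checking before a credential is assigned to a group. The PowerShell below is an added example that models those rules; it is not Shavlik Protect code. Resolve-ProtectUserName and the sample names are hypothetical, and treating '.' as the target machine is an assumption based on the usual Windows meaning, since the text only states that the format is supported.

```powershell
# Added example: a model of the user-name rules listed above, not product code.
# Resolve-ProtectUserName and all sample values are hypothetical.

function Resolve-ProtectUserName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,
        # Machine name exactly as it would appear in a <Target Machine>\User entry.
        [Parameter(Mandatory)][string]$TargetMachine
    )

    $name = $UserName.Trim()

    if ($name -match '^(?<prefix>[^\\@]+)\\(?<user>[^\\@]+)$') {
        $prefix = $Matches['prefix']
        $user   = $Matches['user']
        if ($prefix -eq '.') {
            # Assumption: '.' stands for the target machine itself.
            $scope = 'Local';  $account = "$TargetMachine\$user"; $rule = '.\User alias'
        }
        elseif ($prefix -eq $TargetMachine) {
            $scope = 'Local';  $account = "$TargetMachine\$user"; $rule = '<Target Machine>\User'
        }
        else {
            $scope = 'Domain'; $account = "$prefix\$user";        $rule = '<Domain>\User'
        }
    }
    elseif ($name -match '^(?<user>[^\\@]+)@(?<domain>[^\\@]+)$') {
        $scope = 'Domain'; $account = $name; $rule = 'User@<Domain>'
    }
    elseif ($name -match '^[^\\@]+$') {
        # No domain or machine part: the name is qualified to the target machine.
        $scope = 'Local'; $account = "$TargetMachine\$name"; $rule = 'unqualified name'
    }
    else {
        throw "Unrecognized user name format: '$UserName'"
    }

    [pscustomobject]@{
        Input            = $UserName
        Target           = $TargetMachine
        Scope            = $scope      # Domain = domain account rights, Local = target's local account
        EffectiveAccount = $account
        Rule             = $rule
    }
}

# Constructed sample entries checked against one constructed target name.
$samples = 'svc-patch@corp.example', 'CORP\svc-patch', 'WS-0142\Administrator',
           'Administrator', '.\Administrator'
$samples |
    ForEach-Object { Resolve-ProtectUserName -UserName $_ -TargetMachine 'WS-0142' } |
    Format-Table -AutoSize
```

Entries that resolve to Local are evaluated separately on every target in the group, so the same unqualified name can refer to a different local account on each machine.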
Password
Type the password for the user.
Verify password
Retype the password to verify you specified it correctly.
Share this with background tasks, agents, and other features
If enabled, this credential will be available to all Shavlik Protect administrators and can be used to specify credentials for service components within the program. The service components within Shavlik Protect that require a shared credential include the following:
Proxy service
Email service
Agent internet proxy
Distribution servers
TrustedHost list access when running remote scripts
Why is it necessary to share a credential? Credentials are encrypted, so you must share a credential so that the service components can decrypt and access it when needed.
Example: If you select Tools > Options > Proxy and attempt to assign Service credentials, only shared credentials are available for selection. The service must have a copy of the credential in order to decrypt it.
Note: It is recommended that you create a service account to perform these service functions rather than using a domain administrator account. See Potential Security Implications When Sharing Credentials for more information.
Supplying Scan Credentials for Target Machines
Note: Browse credentials are slightly different from the scan credentials described in this section. Browse credentials are used by servers, domains, and organizational units to enumerate machines but do not actually authenticate to the individual machines.
This section provides information on how to define new scan credentials and how to assign the credentials to target machines. Credentials consist of a user name and password pair used to authenticate the program to specified target machines. One credential can be associated with any number of operations or entities. The credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
The scan credentials you supply will be used to access remote machines, perform any scans, and push any necessary files. The supplied credentials will NOT be used to:
Authenticate to the local (console) machine
Rather, the program uses the credentials of the currently logged on user to authenticate to resources on the local machine. Therefore, in order to perform tasks on the local machine, make sure you log on using an account that has administrator and local machine access rights.
Perform a patch deployment
The machine credentials that you supply are used to provide access to the remote machine and to push the necessary patch deployment files. The actual deployment, however, will be run under the remote machine's Local System account.
You use a machine group to initially assign scan credentials to target machines. You can assign credentials to individual machines, to all machines in a machine group, or both. After a machine has been scanned and is contained in Shavlik Protect's database of managed machines, you can use the Machine Properties dialog to assign different credentials if desired.
Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.
Assigning Credentials to Individual Machines in a Machine Group
To assign credentials to one or more machines in a machine group, in the bottom pane select the machines and then select Credentials > Set Admin Credentials.
On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.
When credentials are applied to the selected machines, the icon in the Admin Credentials column will become active. In addition, the name of the assigned credential is displayed next to the icon.
Assigning Credentials to All Machines in a Machine Group
To assign credentials to all machines in a machine group, in the top pane select Credentials > Set Credentials.
On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.
When credentials are assigned the icon will contain a check mark:
In addition, the button name will change to the name of the assigned credential.
Assigning Credentials to Virtual Machines
There are several different tabs that can be used to add virtual machines to a machine group. The credentials that will be used to scan and/or deploy patches to these machines depend on how the machines are defined to the group and on the current power state of each machine.
Hosted Virtual Machines tab: Used to add virtual machines that are hosted by a server. The credentials used to scan each machine depend on the current power state of the machine.
A hosted virtual machine that is offline at the time of a scan will be accessed using the server's browse credentials. Any individual credentials supplied for the machine are ignored.
A hosted virtual machine that is online at the time of a scan will be accessed using scan credentials for that machine. See Assigning Credentials to Individual Machines in a Machine Group, above.
Workstation Virtual Machines tab: Used to add offline virtual machines that reside on individual workstations. You should assign individual machine credentials for each virtual machine defined using this tab. If appropriate, credentials can also be assigned at the machine group level. The credentials are used during the mounting process and provide permission for Shavlik Protect to access the virtual machine files on the workstation. See Assigning Credentials to Individual Machines in a Machine Group, above.
Machine Name tab, Domain Name tab, or IP Address/Range tab: Used to add virtual machines that reside on individual workstations and that are online at the time of a scan. See Assigning Credentials to Individual Machines in a Machine Group, above.
Assigning New Credentials to Machines After They Have Been Scanned
After one or more machines have been scanned and are contained in Shavlik Protect's database of managed machines, you can use the Machine Properties dialog to assign different credentials or to remove credentials.
There may be several reasons for providing different credentials to machines after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.
Managing Credentials
Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.
The Credentials Manager is used to manage all credentials used within the program. It is also used to set the default credential for the program.
Although you can supply new credentials from several different areas of the program, all of the credentials can be edited and deleted from this single location. This greatly simplifies the credentials management process. For example, if a password that is used to authenticate a specific group of machines changes, you simply use the Credentials Manager to update the associated credential. All items assigned to that credential are automatically updated with the new password.
To manage the credentials used by the program, select Manage > Credentials.
Add
Enables you to add a new credential.
Edit
Enables you to modify the selected credential.
Delete
Deletes the selected credential. You can delete multiple credentials at the same time.
When you delete a credential the following occurs:
The credential itself is deleted
All usages of the credential throughout the program are deleted
If it is a shared credential, the shared credential and all its usages are deleted
Caution! Any items using the deleted credential will no longer be assigned a credential. Before you delete a credential you should browse your machine groups to verify the credential is not being used.
Merge
Tip: This credential cleanup tool will typically be used immediately following an upgrade from an earlier version of Shavlik Protect that does not contain the Credentials Manager.
Enables you to merge one or more credentials that contain the same user name and password with another credential entry that also contains the same user name and password. Or you can merge several different credentials into one new credential that is effective in all situations. By eliminating duplicate and unneeded credentials you reduce confusion and lessen the chance for human error.
On the Credentials Manager dialog select the credential(s) you want to merge with another credential.
Click Merge.
The Merge Credentials dialog is displayed. For example:
At the bottom of the dialog do one of the following:
Select an existing credential: The credential(s) specified in the Confirm credentials to merge list will be merged with the credential you select here.
Create a new credential: The credential(s) specified in the Confirm credentials to merge list will be merged with the new credential you create here.
Note: A shared credential can only be merged with another shared credential. Therefore, if any of the credentials in the Confirm credentials to merge list are shared, then (1) only shared credentials will be offered for selection in the Existing box, and (2) any new credential you create will automatically be defined as a shared credential.
Click Merge.
Read the message on the confirmation dialog and if you agree with the merger, click Merge.
View usages
Enables you to see how and where the selected credentials are being used in the program. Only those credentials that are currently being used in the program will be displayed in the Credential Usages dialog. A credential may be listed multiple times if it is used in different areas of the program.
You can right-click on any list item and perform a number of different actions.
Assign different credential: Enables you to assign a different credential to the selected item(s). You can assign a different credential to multiple items at once but only if they all have the same Shared Usage value (Yes or No).
Expand all: Expands all lists.
Collapse all: Collapses all lists.
Export selected credential usages to CSV: Export information about the selected items to a Comma Separated Values (CSV) file. The CSV file can then be used within a spreadsheet program.
Set as default
Assigns the selected credential as the default credential. The program will use the default credential if other credentials are missing or invalid.
Clear default
Removes the default credential assignment.
User Name
Displays the user name portion of each credential.
Name
Displays the unique name assigned to each credential.
Shared
Displays whether the credentials are shared credentials. The information in this column is directly related to the Share this with background tasks, Agents, and other features check box on the Define Credential dialog.
You can set explicit credentials for machines via View > Machines > Right Click a machine > Machine Properties.
Credential: Specifies the credential used when authenticating Shavlik Protect to the machine. The credential you supply here will override credentials specified in other areas of the program. If you select None you effectively remove the credential currently assigned to the machine.
There may be several reasons for providing different credentials to a machine after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.
How Shavlik Protect Manages Multiple Administrators
Shavlik Protect contains a number of built-in checks to guard against simultaneous and conflicting commands from different administrators. For example:
The program will not allow duplicate group names or template names
The program will not allow simultaneous updates to any groups, templates, distribution servers, or agent policies by different administrators. If this situation should occur the second administrator will receive a warning message similar to the following:
Only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of that task before the program will allow the administrator to continue.
Note: The 'Take Ownership' button is only displayed if you have two or more consoles that share one database. If your organization uses multiple Shavlik Protect consoles that share the same database, only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of the task before the program will allow the administrator to continue. Any existing maintenance tasks will be allowed to complete before ownership is transferred to another administrator.
Best Practices When Using Multiple Administrators
Recommendations
You should upgrade your hardware platform by increasing the number of processors and the amount of installed memory on the console machine. This will increase performance in those instances when two or more administrators are logged on at the same time and performing tasks.
Minimum suggested hardware requirements for two administrators: 2 processor cores and 4 GB RAM
For each additional administrator, add 1 processor core and 1 GB RAM
For a high performance system, use 16 processor cores and 32 GB RAM
When two administrators log on to the same console they must use different accounts. The same account can be used only when logging on to different consoles.
If you edit a group that is typically used by another administrator you should notify that person about the change.
Each administrator should create their own credentials and assign them to machines.
Each administrator should define default credentials that are the same as their logon credentials. This will eliminate problems that may occur if the administrator forgets to assign machine credentials.
Potential Issues When Using Multiple Administrators
Usage Issues
You must take a few common sense precautions when using multiple administrators. Even though Shavlik Protect contains a number of built-in safety checks, it cannot guard against all possibilities. The program may act in unpredictable ways if the following occur:
If two administrators try to scan the same machine group or ESXi Hypervisor at the same time.
The machines will be scanned twice, causing potential performance issues. In addition, there may be administrative rights errors due to the multiple connections.
If two or more administrators try to deploy patches or bulletins to the same machine at the same time.
The most likely result is that one deployment task will succeed and the other will fail. But because the deployment that succeeds will likely perform a restart of the target machines, the machines may be in an unknown state when the other deployment fails.
Credential Issue
When you create credentials and assign them to machines, those credentials belong to your administrator account. If a different administrator (Administrator B) logs on and uses Shavlik Protect, they will not have access to the machine credentials you provided. The second administrator must provide their own machine credentials.
One of the ways this can be confusing is if Administrator B fails to provide their own machine credentials and tries to schedule a patch deployment from a scan that was performed by Administrator A. The deployment can be successfully scheduled if default credentials are available, but the actual patch deployment will likely fail because the patch deployment requires machine credentials -- credentials that were provided by Administrator A but that are not available to Administrator B.
Recommendations:
Each administrator should create their own credentials and assign them to machines
Each administrator should define default credentials that are the same as their logon credentials. This will eliminate some of the problems that may occur if the administrator forgets to assign machine credentials.
Virtual Inventory Consideration
Unlike machine groups (which can be viewed by all administrators), vCenter Servers and ESXi Hypervisors can only be viewed by the administrator that added them to Shavlik Protect. If two different administrators want to manage the same vCenter Server or ESXi Hypervisors, both administrators must add the item to the Virtual Inventory list.
Additional Information
More information concerning credentials usage in Protect and possible known issues can be found in the following community documents:
Updates published using Shavlik Patch are not showing up in 'All Software Updates' within the Configuration Manager console.
Cause
There are two possible causes.
1) You have not performed synchronization with the WSUS server.
2) In System Center 2012 R2 Configuration Manager you need to update your Software Update Point to ensure you're syncing required vendors and locally published packages.
Resolution
There are two possible resolutions.
1) You need to ensure you've successfully performed synchronization with the WSUS server.
You may just need to perform the sync, or there may be a problem during the synchronization process that is causing the failure.
Refer to the wsyncmgr.log from C:\Program Files\Microsoft Configuration Manager\Logs.
Log on to the WSUS server, go to Admin Tools > Windows Server Update Services. Expand the WSUS server, then click on Synchronizations. You should be able to see a history of synchronizations here. (It may take quite some time to load.)
2) In System Center 2012 R2 Configuration Manager you need to update your Software Update Point to ensure you're syncing required vendors and locally published packages.
To check this:
Within the System Center Configuration Manager console:
Go to Administration
Expand Site Configuration
Click Sites
Right click on your primary site > Configure Site Components > Software Update Point
Go to the Products tab.
Be sure to put a tick next to any newly added products and Local Publisher.
While in here it's worth double checking what you have set up under Classifications, Languages, Sync Settings, and Sync schedule as well.
This document shows how to find the installation and setup logs for Shavlik Protect. This can be useful if attempting to troubleshoot an installation failure.
Description
The setup and install logs for Shavlik Protect can be found by doing the following:
Go to Start > Run (or search) > Type: %temp%
or
C:\Users\*your_user*\AppData\Local\Temp
Either option brings you to the same directory. Search the temp directory for files with the following names. There may be several of each, depending on how many times you have attempted installation. The newest log files are the best ones to collect for support.
ProtectSetup_xxx.log - This contains the logging of prerequisite checks during installation of the Protect console.
ProtectInstall_xxx.log - Protect console main installation log file.
STPlatformInstall_xxx.log - Agent main installation log file.
STPlatformUpdater_xxx.log - Additional logging for agent setup/install.
This document outlines how to gather logs for troubleshooting issues with the Console, Agent, or Target systems.
Description
Here are some basic instructions on how to gather console, client (target) side logs, agent logs, and install logs for Protect. These should work for most console and agent type issues.
Protect 9.X console logging:
1. Please open the Protect GUI and then go to Tools > Options > Logging and change logging to “All” for both user interface and services.
a. Windows 7, 8, 2008, 2012 & Vista: C:\ProgramData\LANDesk\Shavlik Protect\Logs
b. Earlier OS’s: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Logs
5. Start the console service and open the Protect GUI.
6. Attempt to reproduce the issue. Please document steps to reproduce.
a. Collect the logs from the Logs folder mentioned earlier in step 4 (please zip if possible)
b. [Deployment issues only] On the target system please zip and send a copy of the entire C:\Windows\Propatches folder and its contents (you can leave out the Patches sub-folder).
7. Zip and send all the logs.
You can also obtain the "ST.FileVersions.log" which contains all file versions relevant to Protect by going to Help > About Shavlik Protect > Export Info.
Protect 9.x agent logging:
1. Open the agent policy assigned to the machine we are gathering logs from.
2. Change the logging level to ‘All’ and Save and update Agents. Choose to update agents if prompted.
3. Go to the target machine, close the agent GUI and stop the services:
- The services start with Shavlik or ST.
4. Delete all the logs from:
- Vista & Later: C:\ProgramData\LANDesk\Shavlik Protect\Logs
- Earlier OS’s: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Logs
5. Start services.
6. Attempt to reproduce the issue. Please note the steps to reproduce.
7. Take applicable screenshots.
8. Zip and send all the logs and screenshots (from the folders specified above).
1. On the machine you are deploying to, navigate to C:\Windows\ProPatches.
2. Locate the CL5.log, dplyevts.log, and Safereboot.log and copy them to a new folder on the desktop.
3. Navigate to C:\Windows\ProPatches\Scheduler.
4. Locate the Scheduler.log and add it to the folder created in step 2 so all logs are together.
5. Zip and send all the logs.
Additional Logging for Threat Protection/Antivirus Issues:
There is additional logging that can be obtained for Threat Protection/Antivirus related issues, such as detection of false positives. See the following document for the steps to obtain this additional logging:
The purpose of this document is to provide additional information on the "Resolution mismatch, found 'machine name x' for 'machine name y'" error when attempting to install an agent from the Console.
Symptoms
The following error will be displayed within the Operation Monitor when attempting to install the agent from the Console:
You may see the above error in conjunction with the following string in the ST.Protect.Managed.log file:
2014-06-12T15:26:39.0921766Z 0017 V ResolvableMachine.cs:215|Resolved by FQDN 'FSBXM2.shavlik.com' - 192.168.1.73, 192.168.1.74.
2014-06-12T15:26:39.7785993Z 0004 E ResolvableMachine.cs:644|Name mismatch: expected FSBXM2, found hostname FSBXM1, netbios name FSBXM1
2014-06-12T15:26:39.7785993Z 0004 W ResolvableMachineWorkflow.cs:209|FSBXM2 192.168.1.73 270
Cause
This message is typically caused by a DNS resolution issue. Protect uses .NET (the System.Net.Dns class) to query DNS. In this case DNS returns two IP addresses for the machine in question. Protect takes the first address and verifies that it belongs to the correct machine. When the verification is made using that IP address, the result that comes back is for the other machine listed. This causes the machine resolution error seen when attempting to install agents.
Resolution
Based on this information there appears to be a DNS resolution issue related to the FQDN. We suggest working with your network team to resolve this issue, as it appears to be directly related to FQDNs returning multiple IP addresses.
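The log pattern shown in the Symptoms section can be picked out automatically. The following is an added example, not part of the original article or of Protect: it pairs each 'Name mismatch' error with the addresses the earlier 'Resolved by FQDN' line reported for the same host, and includes a forward lookup that can be run against your own DNS. The field layout assumed for a log line and all function names are assumptions.

```python
import ipaddress
import re
import socket

# Log lines copied from the Symptoms section of this article.
SAMPLE_LOG = """\
2014-06-12T15:26:39.0921766Z 0017 V ResolvableMachine.cs:215|Resolved by FQDN 'FSBXM2.shavlik.com' - 192.168.1.73, 192.168.1.74.
2014-06-12T15:26:39.7785993Z 0004 E ResolvableMachine.cs:644|Name mismatch: expected FSBXM2, found hostname FSBXM1, netbios name FSBXM1
2014-06-12T15:26:39.7785993Z 0004 W ResolvableMachineWorkflow.cs:209|FSBXM2 192.168.1.73 270
"""

# Assumed layout: timestamp, thread id, level letter, source file:line, "|", message.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z])\s+([^|]+)\|(.*)$")
RESOLVED_RE = re.compile(r"Resolved by FQDN '([^']+)' - (.+)$")
MISMATCH_RE = re.compile(
    r"Name mismatch: expected ([^,]+), found hostname ([^,]+), netbios name (\S+)"
)


def short_name(name):
    """Lower-cased host label, so FSBXM2.shavlik.com and FSBXM2 compare equal."""
    return name.split(".")[0].strip().lower()


def find_name_mismatches(log_text):
    """Pair each 'Name mismatch' error with the addresses DNS returned for that host."""
    resolved = {}  # short host name -> (fqdn, [addresses]) from the latest lookup
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        timestamp, _thread, level, _source, message = line.groups()
        hit = RESOLVED_RE.search(message)
        if hit:
            addresses = []
            for part in hit.group(2).rstrip(".").split(","):
                try:
                    addresses.append(str(ipaddress.ip_address(part.strip())))
                except ValueError:
                    pass  # skip anything that is not an IP literal
            resolved[short_name(hit.group(1))] = (hit.group(1), addresses)
            continue
        hit = MISMATCH_RE.search(message)
        if hit and level == "E":
            expected, found, netbios = hit.groups()
            fqdn, addresses = resolved.get(short_name(expected), (None, []))
            findings.append({
                "time": timestamp,
                "expected": expected,
                "found": found,
                "netbios": netbios,
                "fqdn": fqdn,
                "addresses": addresses,
                "multiple_addresses": len(addresses) > 1,
            })
    return findings


def lookup_addresses(fqdn, resolver=socket.gethostbyname_ex):
    """Forward lookup; more than one address is the condition described under Cause."""
    _name, _aliases, addresses = resolver(fqdn)
    return sorted(set(addresses))


if __name__ == "__main__":
    for finding in find_name_mismatches(SAMPLE_LOG):
        print(finding)
```

A finding with `multiple_addresses` set is the case to hand to the network team, together with the FQDN and the address list.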
This document contains information about the SSL 3.0 vulnerability CVE-2014-3566 and whether it affects Shavlik products or infrastructure.
Details
The CVE-2014-3566 SSL 3.0 (POODLE) vulnerability does not affect Shavlik products or infrastructure directly.
The vulnerability is in the SSL 3.0 protocol. If you disable this protocol on systems running Shavlik products you will effectively resolve the vulnerability. Guidance on how to disable SSL 3.0 is available from OS and browser vendors. Several are listed out in this blog article. Disabling SSL 3.0 on servers running web services in your environment will prevent exposure to those specific services. You should also disable SSL 3.0 on client machines in your environment to protect them from connecting to services that are still exposed. Again, documentation from Microsoft and other vendors describes how to do this at the OS and browser level.
Finally, the Shavlik team has already taken steps to secure Shavlik content and cloud services to ensure that all web services hosting Shavlik content and resources are protected from this vulnerability.
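One way to check the OS-level setting on a Windows machine, as an added example that is not part of the original article or of any Shavlik tooling: the registry key and the Enabled and DisabledByDefault values are the ones Microsoft documents for SCHANNEL protocols, and the two snapshots are constructed sample data. It covers SCHANNEL only, not browsers or applications that ship their own TLS stack.

```python
# SCHANNEL key and value names come from Microsoft's TLS/SSL registry
# documentation, not from this article.
SCHANNEL_SSL3 = (
    r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
    r"\SCHANNEL\Protocols\SSL 3.0"
)
ROLES = ("Server", "Client")

# Constructed sample: server key never created, client explicitly enabled.
SNAPSHOT_BEFORE = {"Server": None, "Client": {"Enabled": 1, "DisabledByDefault": 0}}
# Constructed sample: both roles explicitly turned off.
SNAPSHOT_AFTER = {
    "Server": {"Enabled": 0, "DisabledByDefault": 1},
    "Client": {"Enabled": 0, "DisabledByDefault": 1},
}


def classify(values):
    """Classify one role subkey; values is a dict of DWORDs, or None if the key is absent."""
    if not values:
        return "os-default"   # nothing set, so the Windows version decides
    if values.get("Enabled") == 0:
        return "disabled"     # SCHANNEL will not negotiate SSL 3.0 for this role
    if values.get("DisabledByDefault") == 1:
        return "opt-in"       # off unless an application asks for it explicitly
    return "enabled"          # conservative: anything else is treated as on


def audit(snapshot):
    """Return {role: status} for the Server and Client sides."""
    return {role: classify(snapshot.get(role)) for role in ROLES}


def findings(snapshot):
    """Roles where SSL 3.0 is not explicitly disabled."""
    return [role for role, status in audit(snapshot).items() if status != "disabled"]


def read_live():
    """Read both role subkeys from the local registry (Windows only)."""
    import winreg  # imported here so the module still loads on other platforms

    snapshot = {}
    for role in ROLES:
        try:
            with winreg.OpenKey(
                winreg.HKEY_LOCAL_MACHINE, SCHANNEL_SSL3 + "\\" + role
            ) as key:
                values = {}
                for name in ("Enabled", "DisabledByDefault"):
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value not set under this key
                snapshot[role] = values
        except FileNotFoundError:
            snapshot[role] = None  # key does not exist
    return snapshot


if __name__ == "__main__":
    import sys

    snapshot = read_live() if sys.platform == "win32" else SNAPSHOT_BEFORE
    for role, status in audit(snapshot).items():
        print(f"SSL 3.0 {role}: {status}")
```

Run it on the console, on distribution servers and on a sample of client machines; any role reported by `findings` still relies on the OS default or allows SSL 3.0.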
The purpose of this document is to help to prepare a current Protect console and database for upgrade to a newer version of Protect, and also to provide some information about how to resolve common upgrade issues.
Description
Preparing for Upgrade of Protect
Most issues with upgrading Protect can be avoided by ensuring that you are meeting system requirements and that proper database maintenance has been performed prior to upgrade. The list below can be used as a guide to ensure you have a successful upgrade:
Review the System Requirements for the version of Protect you plan to install. Refer to the document - Shavlik Protect Requirements Guide
Prior to upgrade, it is recommended that you clean out as many old results as possible and perform database maintenance. This document covers the full steps for database maintenance: DOC-23430
The user who will perform the upgrade of the database should either be the SA for the database in SQL, or the user should at least have the following privileges for the Protect database:
Privileges required for upgrade purposes: db_securityadmin, db_ddladmin
Privileges required for all Protect users: STExec, DB_DataReader, DB_DataWriter
It is worth noting that the Agent Manager has been removed in version 9. All functionality is available from within Machine View.
You can see the full list of changes in each build, here.
What to do if you face an upgrade failure you cannot resolve
If you receive an upgrade or installation failure, and you are not able to use the above resources to resolve the issue, it's time to open a support case.
Contact Support with one of the following methods:
This document outlines how to locate the Shavlik Protect license activation key in the console and transfer this key to a new or additional Protect console.
Description
When migrating to a new Shavlik Protect server or setting up an additional Protect console machine, understanding where to find the license key and how to input it into the new console is vital to maintaining Shavlik Protect functionality through this transition. As this process may not be frequently performed by administrators, a reference/guide for this process may prove to be helpful.
Locating the License Key on Existing Protect Console
Follow the process below to obtain your license key from your console machine. After locating the key, copy this 25-digit license key and keep it readily available so that it can be transferred to the new console machine.
In Shavlik Protect 9.x:
Help>About Shavlik Protect Advanced
In the About Shavlik Protect window, the license key can be found in the main text display under
License Key:
Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxx
In vCenter Protect 8:
This process is nearly identical to the process in Shavlik Protect 9.x. Refer to the images above.
To locate the license key follow this path:
Help>About VMware vCenter Protect
In the About VMware vCenter Protect window, the license key can be found in the main text display under:
License Key:
Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxx
Note: In the event the Protect Console is no longer installed, it may still be possible to obtain the license key from the following registry entry:
The AK Value will contain the Activation Key/License key.
Activating the License Key in New Console
Activation is the process by which the Protect software is validated as having been purchased. In order for the new Protect console to fully function activation is required. Users are prompted after installing and opening Shavlik Protect to input their activation key, through the Shavlik Protect Activation window.
To transfer the license key from your previous console machine follow the directions in the window as ordered by number:
1. Select an activation mode (on left portion of window)
Select "Product or bundle license"
2. Enter your activation key(s) (in center of window)
In the text field below, paste or manually input your 25-digit Protect license key
Click the "Add" button right of the text field.
3. Select activation method (lower-center of window)
Choose "Online activation" if you have an internet connection.
Click "Activate online now" (at the lower-right corner)
This document is meant to help understand why a threat may not have been detected by the Shavlik Protect agent and what actions to take in such a scenario as well as best practices for using/configuring threat protection with Shavlik Protect agents.
While this sounds like a straight-forward question, the reality is there are so many variables that come into play when you try to protect a machine against malware that it is almost impossible to give any one reason.
The most likely cause is improper configuration or outdated threat definitions being used. We will go into how to ensure you've configured everything correctly and how to check the threat definitions version later. First, some background.
The Shavlik Protect agent's Threat Protection engine is based on the Vipre SDK engine and uses threat definitions created by GFI's ThreatTrack Security (formerly Sunbelt Software). At this point there are over 13 million detections in the Vipre signature files. There are hundreds of generic detections that can catch some new malcode before the Vipre analysts even see it. Also the Vipre threat engine has the ability to detect and stop a great deal of virus-like behavior. However, it is worth noting that there may be as many as 50,000 new pieces of malcode arriving somewhere on the Internet EVERY day. The Vipre team see cases in which new malcode does make it through the threat protection defenses, but it is not a common occurrence.
Is there a place I can check if a certain threat should be detected?
Since the Shavlik Protect agent uses Vipre (ThreatTrack) threat definitions you can search the database, here:
How to verify your threat definitions are up-to-date
There are a few places you may need to check to verify the threat definitions in-use by Shavlik Protect agents in your environment are up-to-date.
1. Ensure that the threat definitions downloaded on the Protect console system are current. (This is especially important if you are using distribution servers.)
-Go to Help > About within Protect. If your definitions are current you should see a green check under 'Data versions' next to Threat definitions.
-If the threat definitions display a red x you should run Help > Refresh Files to perform the update of definitions.
-When running Help > Refresh Files you will see that the 'Threat Definitions download will complete in the background.'
-Make sure to give it a few minutes to update. Then you should see a green check next to Threat definitions in Help > About.
2. You can use Machine View to see some threat definition information from your agents.
-Go to View > Machines.
-You can use the columns 'Threat Definition', 'Threat Definition Age', and 'Latest Threat Scan Date' to help in determining if your agents are current.
-Keep in mind that these columns only update when the agent reports back results of a threat scan. That's why 'Latest Threat Scan Date' is important.
-It is also worth noting that if the agent uses vendor-over-internet download settings the definition number may be slightly off from the console definition version from Help > About. It's nothing to worry about - just a difference in Major vs Minor versions.
-Some of these columns are not shown by default - you can add them by right-clicking on a column title and clicking 'Column Chooser'.
3. If necessary, you can check the definition version on the agent itself.
-Open the agent by double clicking the taskbar tray icon, or by going to Start > All Programs > Shavlik Protect > Shavlik Protect Agent.
-Go to the Overview tab if you are not brought there by default. Here you can see the threat definition version used during the last threat scan.
-If you have not recently run a threat scan this can be misleading. You can run a threat scan via the Threat tab, if configured.
-To update the threat definitions from the agent GUI or run a threat scan, use the tasks in the upper left when on the Threat tab.
-Note: Depending on the settings in the agent policy you may not be able to access the agent or access certain tabs. To change these settings go to the Protect console, and edit the agent policy. The settings are under General Settings > 'Allow the user to'.
*Note: For offline or disconnected environments refer to this document for instructions on manually updating threat definition files:
Why does the console (Help > About) threat definition version differ from the latest threat definition version on an agent?
There can be a slight variation in the version numbers due to the minor and major version number system that the Vipre threat engine uses. The major, or 'Package Version', in the examples above is 27274, where the minor, or 'MinVersion', is 27270. Both versions are the current definition versions. These can be manually found by looking at the latest entry in the ThreatManifest.xml on the console system. Before checking this, make sure the console threat definitions are up-to-date (step one above).
The ThreatManifest.xml can be found in the Datafiles folder, most commonly:
Generally the latest will be the last entry, but it's best to base it on highest version number found or newest date. The entry in the xml will look something like this:
Notice the MinVersion and PackageVersion numbers. Note the ReleaseDate value - this will help determine the latest entry in the ThreatManifest.xml.
Ensuring the Agent Policy, Distribution Server(s), and other settings are configured correctly
Here are the best practices for ensuring the threat protection is configured correctly. You may need to verify agent policy settings in each agent policy you are using.
1. Open the agent policy.
2. Go to the General Settings tab.
-Check on how your agent policy is set for the agent to obtain its definitions under 'Engines, data, and patch download location'.
-If this is set to vendor over internet the agent will attempt to obtain definitions directly from the vendor site, so you may need to ensure that the internet connection is working properly and that the vendor site(s) are not blocked.
-Additionally, if the agent policy is set to use vendor over internet and you use a proxy in your environment, it is important that you verify your proxy settings and provide any required proxy credentials to authenticate. This can be done under the 'Network' section of the General Settings tab.
3. Go to the Threat Tab
-In the tabs above go to 'Threat Tasks'
-Ensure that you have at least one threat task set up. There are options of quick or full scan.
-Note: Quick scan covers common locations and runs within a few minutes. Full scan will scan all files on the system and may take up to an hour.
4. Once you have your Threat Task(s) set up, go to the Active Protection tab.
-Make sure there is a check next to 'Enable Active Protect'.
-Set the file access level that you would like active protection to use. Using the 'limit to high risk file types' or 'on execute' settings will increase performance but not all things will be checked by active protection.
5. Check your settings on all other Threat tabs - Threat Actions, Allowed Threats, Exceptions to ensure they are set correctly.
6. Save the changes to your policy.
Ensuring Distribution Servers are configured correctly and synchronizing
This section only applies if your agent policy is currently set to use a distribution server under 'Engine, data, and patch download location'.
1. Verify the distribution server settings in-use by your agent policy or policies. If you have multiple distribution servers in-use you may need to perform the following steps for each distribution server. If your agent systems have internet connectivity available it's recommended to allow the 'Use vendor as backup source' setting.
2. Go to Tools > Operations > Distribution Servers to verify the setup and sync of your distribution server(s).
3. Verify that the path to each distribution server is still valid, and verify that there are valid credentials set on each distribution server.
4. Make sure that automatic synchronization is set up for each distribution server.
-You can add a scheduled sync by highlighting the distribution server, choose 'Threat engines/definitions' from the drop-down above, then click on the '+ Add scheduled sync' button.
-You will see the scheduled sync added to the list of 'Scheduled automatic synchronization' below.
5. Manually run the synchronization to make sure it completes successfully.
-To do this, highlight the scheduled sync for threat data, then click 'Run now' above it.
6. If you want to manually verify the files are synchronizing properly you can compare the files in your share to what exists on your Protect console.
-The ThreatData directory of the console is: C:\ProgramData\LANDesk\Shavlik Protect\Console\ThreatData
-If the sync has worked correctly you should have a ThreatData folder on your distribution server share with the same files in it as the above directory.
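The manual comparison in step 6 can be scripted. The following is an added example, not part of the original article or of Protect: it hashes every file under the console's ThreatData directory and under the copy on the distribution server share, then reports files that are missing, extra or different in content. The function names and the file names in the demo are constructed; pass your own two paths on the command line.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digests(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            sha = hashlib.sha256()
            with path.open("rb") as handle:
                # Read in 1 MiB chunks so large definition files are not held in memory.
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    sha.update(chunk)
            # Lower-case the key: Windows file names are case-insensitive.
            digests[path.relative_to(root).as_posix().lower()] = sha.hexdigest()
    return digests


def compare_threatdata(console_dir, share_dir):
    """Compare the console ThreatData folder with the copy on a distribution share."""
    console = file_digests(console_dir)
    share = file_digests(share_dir)
    missing = sorted(set(console) - set(share))
    extra = sorted(set(share) - set(console))
    differs = sorted(
        name for name in set(console) & set(share) if console[name] != share[name]
    )
    return {
        "missing_on_share": missing,   # on the console but never synchronized
        "extra_on_share": extra,       # reported, but not counted as out of sync
        "content_differs": differs,    # same name, different bytes (stale or altered)
        "in_sync": not (missing or differs),
    }


def demo():
    """Build two constructed directory trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        console = Path(tmp, "console", "ThreatData")
        share = Path(tmp, "share", "ThreatData")
        console.mkdir(parents=True)
        share.mkdir(parents=True)
        (console / "defs-a.dat").write_bytes(b"current A")
        (console / "defs-b.dat").write_bytes(b"current B")
        (console / "engine.bin").write_bytes(b"engine")
        (share / "defs-a.dat").write_bytes(b"current A")
        (share / "defs-b.dat").write_bytes(b"older B")   # stale copy
        (share / "leftover.tmp").write_bytes(b"x")        # not on the console
        return compare_threatdata(console, share)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        print(compare_threatdata(sys.argv[1], sys.argv[2]))
    else:
        print(demo())
```

A file listed under `content_differs` after a sync that reported success is worth investigating before agents pull definitions from that share.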
Setting up automatic recurring download of threat definitions
Follow these steps if you would like to set up the automatic download of threat definitions. This will help to ensure your definitions are always at the latest.
1. Go to Tools > Operations > Downloads.
2. Under the 'Schedule automatic downloads' section choose 'Threat engines/definitions' from the drop-down, then click '+Add'.
3. You'll be brought to the Schedule Download screen where you can set up a recurring schedule to automatically download new definitions.
4. Once you have this set up how you like, click 'Save.'
5. You should now see a task for 'Download threat data' showing the next run time and recurrence. You can also highlight this and click 'Run now'.
Other Considerations
1. Use of Protect Cloud Agents
-If you are using the Protect Cloud agent functionality you may need to ensure that your Protect cloud account is set up correctly.
-Go to Tools > Operations > Protect Cloud Sync for these settings.
-Make sure the Protect Cloud account credentials are correct, and you may need to run a 'Force full update now'.
-You may also need to go into your agent policy or policies and ensure the policy is set to sync with Protect Cloud if using this feature.
-This setting is a checkbox found in agent policy > General Settings > Network > Sync with the Protect Cloud.
For more information about Protect Cloud Sync see the following Protect Help articles:
What do I do if I have verified everything appears to be working properly and threat definitions are current, but a threat is still not detected by the Shavlik Protect Agent?
Here is what to do:
1. Obtain as much of the following information as possible to provide to support:
-Threat definition version currently used. (See above on how to find this)
-Any applicable screenshots, a link to threat download if from a website, or a zipped copy of files that are suspected to be infected.
-Logs from the agent. Make sure logging is set to 'All' in your agent policy. Follow steps for agent logging in DOC-22921.
The purpose of this document is to provide some Q&A and cover best practices on using the 'Security Tools' patch type filter within Protect.
Description
What are Security Tools?
Within Protect it's possible to enable scanning for a patch type filter of "Security Tools". Security Tools are updates and security advisories such as Windows Defender updates and Windows Malicious Software Removal Tool. This also includes certificate updates and hotfixes for known security risks that are not yet fully supported by a security bulletin.
Scanning for Security Tools is enabled within a custom Patch Scan Template. (Figure 1)
Figure 1: Example of Filtering tab within a custom Patch Scan Template using the Security Tools filter:
Best Practice for Scanning/Deploying Security Tools
The best practice for using Security Tools is to only apply these when necessary and when proper testing has been done in your environment. Most items set as a Security Tool in Protect apply only for specific scenarios. Make sure to read the corresponding Bulletin or KB article from the vendor prior to applying these updates.
Why do some Security Tools always show as missing?
There are some items classified as security tools that will always show as missing due to the nature of the update. Please see the following document concerning these updates: http://community.shavlik.com/docs/DOC-23049
This document is meant to describe the best practices for the order in which to apply updates with Protect when using agentless patch scanning and deployment.
Description
When preparing to deploy updates to your systems with Shavlik Protect, it is best to follow the order listed below:
If you wish to deploy software using the software distribution feature of Protect, do so first. See the following document for more information on software distribution: http://community.shavlik.com/docs/DOC-23116
View scan results. How many service packs show missing? These should be applied prior to patches/hotfixes.
Deploy operating system level service packs first.
Run your patch scan again after applying OS level SPs.
Deploy any remaining service packs. Take into account that each service pack must be deployed separately, and each service pack will require a reboot. This can seem tedious, however, it's important that you do service packs first. Service packs may update the base code for the application as well as apply currently missing updates during the process. New updates may be required once the service pack is applied as well.
After all service packs have been applied, run a patch scan on the systems once more, and then deploy missing patches.
Additional Information
More information about agentless deployment of service packs and patches can be found in Protect's online Help under "Agentless Patch Management Tasks".
This document is meant to provide the steps on how to perform an offline or 'manual' activation of the Protect application.
Description
If you are unable to activate Shavlik Protect over an internet connection for any reason, you have the option to choose the 'Manual Activation' function. Here is the full process on how to use the manual (or offline) activation function:
1. Select an activation mode (either Product or bundle license or Trial mode).
2. Paste or type your key into the Enter your activation key(s) box.
3. Select Manual activation.
4. Click Create request.
5. An XML file named LicenseInfo.xml is generated and saved to the desktop of your console computer. This file contains the information needed to make an offline activation request.
6. Move the XML file to a computer that has an Internet connection.
9. The web portal will process the license information and generate a license file.
10. Download the processed license file and move it to the console computer.
11. Within Shavlik Protect, select Help > Enter/refresh license key.
12. On the Shavlik Protect Activation dialog click Import manual license.
13. Go to the location of the processed license file and then click Open.
14. Shavlik Protect will process the file and the program will be activated.
If for some reason you are unable to activate using the offline activation portal mentioned above, please open a case with support and send your manual activation file in using the support portal: https://www.support.shavlik.com.
The patch can be applied to Shavlik Protect build 9.1.4334.0 and 9.1.4446.
Resolved Issues
• Updated content feed to allow for new format change for CVE.
• Resolved an issue where deployment email notifications were not being sent if send mail in hours was set to 0 and deployment fails on any system in the deployment.
• Resolved an issue where ST.ServiceHost.exe.config is not overwritten on upgrade from a previous version if the config file was modified manually, resulting in the ‘email service is currently unavailable’ error.
This document outlines how to use a Custom Action to remove the ProPatches folder. A Custom Action may include executing a specific command or invoking a custom batch file at specified time(s) during the deployment process. You can specify custom files and actions that occur during every deployment that uses the template, or only for those deployments that install a specific patch or service pack.
Configuration Setup
A Custom Action will only run if a deployment occurs. If there are no missing patches selected to deploy to a target machine, the Custom Action will NOT occur.
1. Create a new Scan Template; enter a Name for the template, and save it.
- Alternatively, open an existing Scan Template you wish to modify.
- Select CustomActions under the Patch Properties tab.
- Save and close.
2. Create a new Deployment Template.
- Give it a Name
- Uncheck Send Tracker Status
3. Go to the Post-Deploy Reboot tab and choose "Never Reboot After Deployment".
4. Go to the Custom Action tab and click New.
- Step 1 - Leave default
- Step 3 - Change to 'After all Patches'
- Step 4 - Enter the following: rmdir /s /q %pathtofixes%
- Click Ok
5. Save and close the Deployment Template.
6. Use the new Scan Template to scan all your machines
7. Use the new Deployment Template to deploy the QSK2745 MSST-001 patch. This patch is used for Custom Actions.
Following upgrading to Shavlik Protect version 9.1.4446 some users may encounter an error "The e-mail service is currently not available", and some users may find that their automated email reports are not sending. The purpose of this document is to provide a workaround for those who may encounter this issue and for those affected help restore proper function of automated email reports in Protect.
Symptoms
Following the installation of the Patch upgrade for Protect that takes the application from version 9.1.4334 to 9.1.4446, some users after completing a scan or initiating a deployment may receive a dialog box popup in the application containing the following error:
"The e-mail service is currently not available."
The Protect.Managed log should show the following exception:
2014-XX-XXTXX:XX:XXXXXXX E EmailRecipientSelector.cs:205|ST.UI.UserViewableException: The e-mail service is currently not available. ---> System.ServiceModel.ProtocolException: The .Net Framing mode being used is not supported by 'net.pipe://localhost/ST/Console/Messaging/ResultsNotification'. See the server logs for more details.
at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass2.<CreateTask>b__1(IAsyncResult asyncResult)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at ST.UI.Controllers.Configuration.MailController.<SendNotificationEmailAsync>d__d.MoveNext()
--- End of inner exception stack trace ---
at ST.UI.Controllers.Configuration.MailController.<SendNotificationEmailAsync>d__d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at ST.Protect.Forms.Email.EmailRecipientSelector.<SendEmailClickAsync>d__13.MoveNext()
Cause
Users should only see this error message after upgrading using the patch, not the full 9.1.4446 install. It appears that during the patch upgrade process, some of the necessary components may not upgrade successfully in some environments.
Resolution
The issue can be resolved by upgrading Protect to its newest release, Patch 2 (build 4472). Installing this patch on affected console machines will totally resolve the issue.
Shavlik Protect 9.1 Patch 2 can be downloaded from the following link:
When running the Shavlik Protect install program, the following error is returned:
Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel
Cause
The full installer for new installs (Download Version 9.1.4472 - 84 MB) is being used on a machine with an existing version of Protect 9.1 or with remnants of a previous Protect 9.1 installation.
Resolution
If Protect 9.1 build .4334 or .4446 is already installed, use Download Protect v9.1 Patch 2 - 18 MB (.exe) to upgrade the existing 9.1 version to build .4472.