VMworld Next Week

Hey All,

Next week Shavlik will be at the VMworld show.  Stop by the booth and you can see a demonstration of new features for NetChk Protect that will be coming in early 2011. Booth #126.

These features include:

  • Snapshot VMs pre and post patch deployment
  • Patching Templates
  • Automation of patching offline VMs (push patches down, power on the VM in a disconnected state, execute, power back down)

For those who are not already a member, stop by the booth and sign up for IT.Shavlik through the VMworld show signup link (you must stop in to get this special signup link) and you will be entered in a drawing for an Apple iPad.

If you stop by the booth and are already an IT.Shavlik member, ask about a special drawing for those of you who are already part of the Shavlik Community.

Hope to see you there! 

-Chris Goettl
Shavlik Technologies


Agentless Patch Deployment

Since the Agentless Patch Scan post was such a hit, I am continuing the discussion on to Agentless Patch Deployment.

1. Console: We verify the download URL is present (the download icon is shown, either grayed out or solid colored) and download the patch if it is not already present. If you are using the Shavlik or rebranded GUI we also check the deployment status and verify the patch has not already been pushed. If the patch has been pushed from this scan result we will not allow it to be pushed a second time without rescanning to verify the status of the patch.

2. Console: Once we have all patches downloaded we build the enforcement files for each machine. These are the Bat file and the XML with all the data per machine needed to install the patches that are missing.

3. Console: Once all machines' enforcement files are configured we begin copying the enforcement files to each machine (c:\windows\propatches) along with the patches required. (If distribution servers are being used the dist serv config is sent down instead of the patches, and the patches are downloaded at the time of execution.)

4. Console: After all config\patch files are deployed to a target we schedule the job. The first time a deployment occurs on a machine the Shavlik Scheduler is installed. In 7.x and later this includes certificates as part of the communication. If you are running multiple consoles, contact support for details on signing all console certificates from a console designated as the Master Console for the environment. (See the Shavlik Scheduler section for more details on the scheduler and how to view jobs and interact with it through the console and locally on the target.)

5. Target: The scheduled job kicks off at its scheduled time. Shavlik Scheduler immediate jobs run as soon as they are scheduled; MS Scheduler immediate jobs have a 3 min lag time due to MS Scheduler issues with trying to do immediate.

6. Target: The deployment Bat file (located in c:\windows\propatches\install) is executed. It runs each patch, returns to the bat, then runs the next until the list of patches has been applied. Safereboot kicks off with the options configured in the deployment template and the reboot occurs. A rescan then kicks off to verify the patches have been installed and responds to the NetChk Patch Service with the results. If no reboot was chosen the deployment calls for the rescan immediately (high potential for false negatives on the status returned, as the reboot did not occur and the pending file replacements have not happened yet). The Bat file renames itself to .his to finish off.

Distribution Servers change the overall process slightly and add things to verify when troubleshooting. The first thing to understand when troubleshooting Distribution Servers is exactly how they work. See the help index on configuring a distribution server for a basic overview; here is what happens behind the scenes.

1. When a deployment occurs that uses Distribution Servers the config files are created and copied down to the target. Instead of the patches we send down a configuration for the distribution server (encrypted, of course) and the deployment is scheduled.

2. At the scheduled deployment time the bat file kicks off, grabs the config, goes to the dist serv to find the files it needs for the deployment and downloads them. If you have configured the deployment template to pull from the vendor, it goes to the vendor and downloads at this point instead.

3. Deployment proceeds the same as normal from this point.

  • Any time the dist servs are used in an agentless deployment a log file called shavlikdistributionserver.log is created in c:\windows\propatches. If you encounter deployment issues with dist servers this is your best resource when the normal deployment troubleshooting steps do not resolve the issue.
  • If shavlikdistributionserver.log is showing files not downloading, make sure the customer has the patch in question downloaded and that they have synced their dist serv.
  • If the file is present on the dist serv but still will not download, verify the dist serv config is using an account that has at least read rights to the share at both the share permissions and the NTFS security level. This is the top half of the configuration in the distribution server. From the target machine, Net Use to the share using the credentials specified to verify you can pull files down this way.
  • If the console errors out copying files to the dist serv, verify the dist serv config is using credentials with full rights to the share at both the security and permissions level. This is the bottom half of the config for the dist server. From the console machine, Net Use to the share using the credentials specified to verify you can copy files to the distribution server.
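The last two bullets boil down to proving two different rights with two different accounts from two different machines. The script below is an added example (not Shavlik's own code or part of the product) that does exactly that manual Net Use check and then exercises only the right the role needs: run it on the target with the read account from the top half of the dist serv config (`-Mode Read`), and on the console with the full-rights account from the bottom half (`-Mode Write`). It requires PowerShell 3.0 or later; the parameter names and the sample share name are my own.

```powershell
# Added example, not Shavlik's code: validates the two credential sets a distribution
# server configuration carries. -Mode Read  = run ON THE TARGET with the read account
#                                -Mode Write = run ON THE CONSOLE with the full-rights account
param(
    [Parameter(Mandatory)][string]$Share,        # constructed example: \\distserv01\patches
    [Parameter(Mandatory)][string]$User,         # DOMAIN\account taken from the dist serv config
    [Parameter(Mandatory)][string]$Password,
    [ValidateSet('Read','Write')][string]$Mode = 'Read'
)

$failed = $false
$half   = if ($Mode -eq 'Read') { 'top (read) half' } else { 'bottom (full rights) half' }

# The same NET USE the troubleshooting bullets tell you to try by hand
$output = net use $Share "/user:$User" $Password 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Output "NET USE $Share failed: $output"
    Write-Output "Check the account in the $half of the dist serv config against both share permissions and NTFS security."
    exit 1
}

# Exercise exactly the right this role needs, nothing more
try {
    if ($Mode -eq 'Read') {
        # A target only pulls files down: list the share and open one file
        $files = @(Get-ChildItem -Path $Share -File -ErrorAction Stop)
        Write-Output "Read OK: $($files.Count) file(s) listed on $Share"
        if ($files.Count -gt 0) {
            $null = Get-Content -Path $files[0].FullName -TotalCount 1 -ErrorAction Stop
            Write-Output "Read OK: opened $($files[0].Name)"
        } else {
            Write-Output "Share is empty: download the patch on the console and sync the dist serv"
        }
    } else {
        # The console copies patches in: create, overwrite and delete a probe file
        $probe = Join-Path $Share ("distserv-probe-{0}.tmp" -f [guid]::NewGuid())
        Set-Content -Path $probe -Value 'probe'  -ErrorAction Stop
        Set-Content -Path $probe -Value 'probe2' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop
        Write-Output "Write OK: created, overwrote and removed $probe"
    }
} catch {
    Write-Output "$Mode check failed: $($_.Exception.Message)"
    Write-Output "The account connected but lacks rights in the $half of the dist serv config."
    $failed = $true
} finally {
    # Drop the session so a later test with different credentials does not hit error 1219
    net use $Share /delete /y | Out-Null
}
if ($failed) { exit 1 }
```

A connection failure points at the account itself (or the share/NTFS permissions on it); a connection that succeeds but fails the read or write probe points at the rights granted to that account, which is the distinction the two halves of the dist serv configuration make.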


Microsoft Announces Upcoming Out of Band Release

Microsoft has announced that it will issue an out of band release on Monday, August 2, 2010 to address Microsoft Security Advisory 2286198.  More information is available on the Shavlik Patch Patrol blog at http://securitycenterblog.shavlik.com/.

- Jill Teut
Shavlik Technologies


NetChk Protect 7.5 Patch 2 Released

Shavlik has released a patch for NetChk Protect 7.5. This patch resolves five known issues. To read more about this patch release, click on the forum link below.

http://forum.shavlik.com/viewtopic.php?f=10&t=16359

The hotfix requires NetChk Protect and the Shavlik Console Service to be closed and stopped (it will do this for you); otherwise a reboot may be required. If you have any questions you can contact support@shavlik.com.

-Chris Goettl
Sales Engineer, Shavlik Technologies


Agentless Patch Scans

I have seen several hits on the support blog from searches for scan error codes. So, today we will discuss what exactly happens during an agentless patch scan. This is similar to what I would teach in our classroom training. The goal is to give you a better understanding of what is happening under the hood. At each step I will describe what the engine is doing. Where possible you will see validation options which show you how to test equivalent functionality outside our product for troubleshooting and validation purposes. You will also see the possible error codes that would result at that point in the scan. Each includes troubleshooting steps and possible SKBs that show how to resolve them. Steps 1-3 have this information. Step 4 and beyond are written to the DB and tracked via logs; I will not be stepping into that level of detail in this particular write-up.

Step 1: Machine Resolution – How the machine is added into the machine group determines how resolution of the target occurs. If we add a machine by hostname we discover the machine on the network using its name through NetBIOS (TCP 139) or DirectHost (TCP 445). If we add a Domain or OU we query AD to determine a list of names to resolve, and once we have the name we resolve it via NetBIOS or DirectHost. If we add IP addresses or ranges we resolve via IP to discover machines. Each method may be useful in different ways. Examples: an IP range can be used to do a discovery scan to find machines you may not be aware of. Domain, OU, and IP Range are dynamically updated each time you do a scan, which reduces Machine Group maintenance.

Validation options: Ping, NSLookup

Possible Protect Errors and Troubleshooting options at this step:

–Level 200 Error codes

  • System Pre Reqs. This is usually a prerequisites issue, although it can be network related as well.
  • Can you PING the machine or NSLookup it by the method you used to add the machine to the group?
  • NET USE \\MACHINENAME\C$ /user:DOMAIN\USER PASSWORD


Step 2: Connect to Admin Share – Once we have resolved the machine we connect to its admin share, C$ (or whatever the default system drive is; in 6.0 and later you can also use a feature to create an admin share on the fly if the shares have been removed or hidden). This connection is equivalent to doing a Net Use \\machine\C$ and browsing the target machine's file system. There are a few different errors that could result at this point:

Validation Options: Net Use \\machine\C$ /user:domain\username password

Possible Protect Errors and Troubleshooting options at this step:

–Level 300 Error codes

  • 6.x and 7.x: go to Tools > Options > Authentication and check the box to create a temporary system drive share if none exists.
  • 5.x: Set the following values from 0 to 1: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer and HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks
  • MS articles on admin shares that may be of help:
    http://support.microsoft.com/kb/318755
    http://support.microsoft.com/kb/314984

–Error code 451

–Error code 452


Step 3: Connect to Remote Registry – Registry values play a big part in the detection process, so we connect to the registry on the machine to validate this information.

Validation Options: From the console open Regedit > File > Connect Network Registry. When prompted, supply the credentials you are trying to scan with.

Possible Protect Errors and Troubleshooting options at this step:

–Level 500 Error codes


Step 4: Determine OS\SP\Language – Once we have established the connection to the machine we can begin detecting what is on it. The first step is to validate which OS edition is running and what service pack level it is at. This begins to narrow the scope of what could possibly be required for this machine. We do a few tests to confirm this information, such as checking DLLs, registry keys, etc.

Step 5: Determine Installed Products and Versions – Note that for a patch scan this is not a WMI scan. We have scripted product detection for each of the products we support, including registry, service, and file level checks. With these product detection scripts we determine which of the products Shavlik supports scanning for are installed. The engine knows which products are potentially applicable to the OS\SP it determined in Step 4.

Step 6: Determine Patch Status – At this point we know what OS\SP is on the machine and what products are installed. The patch engine now has all the information it needs to determine which patches apply to the machine in question. We build the list of potentially applicable patches from the information gathered in steps 4 and 5, then scan against the registry and file checks for each potential vulnerability. (Note that our engine prunes out patches that are not necessary, such as superseded and effectively installed patches, to avoid scanning for patches we are not concerned about. There are options to show superseded patches and effectively installed patches if you choose: in the scan template General tab, check Include Effectively Installed.)

Step 7: Send Result to Arrivals – Once the result for a machine is completed we drop it into the arrivals folder to be processed. The arrivals folder is located under NetChk\DataFiles and is processed by our importer utility into the database at a regular interval. Agent results are also processed this way.
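The validation options for Steps 1-3 are all things you can do by hand from the console; the script below is an added example (not Shavlik's code and not part of the product) that runs them in one pass and labels each failure with the error-code level the post associates with that step. It also reads the ProductName and CSDVersion strings from the remote registry, which is the kind of data Step 4 draws on. It assumes the Remote Registry service is running on the target and that the session established by NET USE is reused for the winreg named pipe; the parameter names are my own.

```powershell
# Added example, not Shavlik's code: reproduces the Step 1-3 validation options
# (resolution, NetBIOS/DirectHost ports, admin share, remote registry) from the console.
param(
    [Parameter(Mandatory)][string]$Target,     # hostname exactly as added to the machine group
    [Parameter(Mandatory)][string]$User,       # DOMAIN\USER the scan credential uses
    [Parameter(Mandatory)][string]$Password
)

function Test-Port([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000) {
    # Plain TCP connect with a timeout; works on any PowerShell version with .NET
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$result = [ordered]@{ Target = $Target }

# Step 1: machine resolution (what Ping / NSLookup would tell you), then the two ports
# the engine discovers through: NetBIOS (TCP 139) and DirectHost (TCP 445)
try {
    $ip = [System.Net.Dns]::GetHostAddresses($Target) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    $result.Resolution = "OK ($ip)"
} catch {
    $result.Resolution = "FAIL (Level 200 area): $($_.Exception.Message)"
}
$result.NetBIOS139    = if (Test-Port $Target 139) { 'open' } else { 'closed/filtered' }
$result.DirectHost445 = if (Test-Port $Target 445) { 'open' } else { 'closed/filtered' }

# Step 2: admin share, the same as NET USE \\machine\C$ /user:domain\user password
$share     = "\\$Target\C$"
$output    = net use $share "/user:$User" $Password 2>&1
$connected = ($LASTEXITCODE -eq 0)
if ($connected) {
    $result.AdminShare = if (Test-Path "$share\Windows") { 'OK (C$ browsable)' } else { 'connected, Windows folder not visible' }
} else {
    $result.AdminShare = "FAIL (Level 300 area): $output - check AutoShareServer/AutoShareWks or the temporary share option"
}

# Step 3: remote registry, the same as Regedit > File > Connect Network Registry.
# ProductName/CSDVersion are the sort of values Step 4 (OS/SP detection) relies on.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    $cv   = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    $result.RemoteRegistry = "OK ($($cv.GetValue('ProductName')) $($cv.GetValue('CSDVersion')))"
    $cv.Close(); $hklm.Close()
} catch {
    $result.RemoteRegistry = "FAIL (Level 500 area): $($_.Exception.Message)"
}

if ($connected) { net use $share /delete /y | Out-Null }
[pscustomobject]$result
```

Read the output top to bottom: a resolution failure makes every later check meaningless, an admin share failure with both ports open points at the share configuration or the credential rather than the network, and a remote registry failure after a successful NET USE usually means the Remote Registry service is stopped on the target.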

-Chris Goettl
Sales Engineer, Shavlik Technologies


Continued support for patching Windows 2000 SP4 and Windows XP SP2

If you are in a situation where you need continued support for Windows 2000 SP4 or Windows XP SP2, have no fear. Shavlik will still support scanning and deployment to these platforms. Both were officially EOLed by Microsoft this month, which leaves many companies in a tight spot. Whether it is because you need a legacy app to run or just need a little more time to upgrade or migrate systems to newer operating systems, you are not alone. I actually just got off the phone, minutes before starting this post, with a current Shavlik customer with several thousand machines under management. They need an additional six months or so before they will be able to move entirely away from Windows 2000 SP4.

So, how can Shavlik continue to help, you ask?

1. We will continue to scan and deploy publicly available patches and SPs for both of these OS\SP levels, with no current end to supporting them in sight. (We still scan NT4, so rest assured, this is not going away tomorrow. And yes, we still have customers running NT4.)

2. If you have a continued support contract in place with Microsoft to get additional security patches for either of these OS\SP levels, you can use Shavlik NetChk Protect's Custom Patch feature to build in support for these privately released patches in short order.

3. Resources are available to show you how to use Custom Patch. What flavor would you like?

  • Video Training On-Demand - Look in the SOS column on the right, click on "6.5 and Previous", and #8 is a Custom Patch tutorial. This interface has not changed much since this video was recorded. I will try to have a new video available soon.
  • In Product go to Help > Index > Custom XML and you will find two articles discussing how this functionality works.
  • Samples! Everyone likes samples, especially free samples. We have a repository of sample files on the forum. (If you have created a custom patch please share it; instructions on how are in the post.)
  • Professional Help! Contact your sales rep and you can line up Rapid Results Web Training to have a Shavlik Engineer assist you in creating a Custom Patch file. Typically a one- to two-hour block gives us plenty of time to train you up on how this functionality works, and in the case of a patch from Microsoft, once you are familiar with how Custom Patch works it will take you maybe 20-30 minutes to add a new patch in and test it.

-Chris Goettl 
Sales Engineer, Shavlik Technologies


The Sun Sets on XP SP2

At least from the security patch perspective. As you may already be aware, XP SP2 x86 receives its last round of security patching tomorrow. So how many of you are still running SP2 systems? Well, I visited a couple of customers this month alone that still have XP SP2 systems in their environments. One was just getting started with Shavlik and found out how many systems they have that need to be upgraded to SP3. Not a huge deal. You can deploy SP3 from NetChk Protect easily. Just scan a group of machines and, instead of looking at missing patches, look at missing Service Packs. Select XP SP3, right-click and choose deploy latest SP.

When you deploy a major SP you do want to keep a few things in mind:

  • Disk Space Required: XP SP3 is 316 MB. To deploy using NetChk Protect we require 5x the size of the total data being deployed, to prevent space issues during deployment. So in this case around 1.5 GB is recommended. The size required to push the SP takes into account the size of the SP, the temp files as it is unpackaged, the files that get copied into place, and then an allowance for user downloads etc., to keep the machine from reaching the dreaded "you are down to 100 MB of space remaining, do you want to clean up your system" message.

Tip: Did you know that you can change the "Patch Drive Path" for a machine that has low disk space? To do this go to any machine in the Machine View or Scan View, right-click and go to Properties, and under General add a new drive:\path where you want Protect to place the ProPatches folder that is created upon deployment.
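Before scheduling an SP deployment to a large group, it is worth knowing in advance which machines fall under the 5x rule and which of their other drives could take the Patch Drive Path instead. The script below is an added example (not Shavlik's code and not part of the product) that queries each target's system drive over WMI, compares free space against 5x the SP size from above, and lists any other fixed disks with enough room. It assumes WMI (RPC) access to the targets under the current credentials; the sample machine names are constructed and the parameter names are my own.

```powershell
# Added example, not Shavlik's code: applies the 5x rule (316 MB SP -> ~1.5 GB) to each
# target's system drive and suggests alternate drives for the Patch Drive Path.
param(
    [string[]]$Targets   = @('xp-ws01', 'xp-ws02'),   # constructed sample names
    [double]  $PayloadMB = 316,                        # XP SP3 size quoted in the post
    [int]     $Multiplier = 5                          # the 5x headroom rule
)
$requiredMB = $PayloadMB * $Multiplier

foreach ($t in $Targets) {
    try {
        # SystemDrive tells us where ProPatches lands by default (usually C:)
        $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $t -ErrorAction Stop
        $sys  = $os.SystemDrive
        $disk = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $t -Filter "DeviceID='$sys'" -ErrorAction Stop
        $freeMB = [math]::Round($disk.FreeSpace / 1MB)

        # Other local fixed disks (DriveType 3) with enough room: candidates for the Patch Drive Path
        $alt = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $t -Filter "DriveType=3" -ErrorAction Stop |
               Where-Object { $_.DeviceID -ne $sys -and ($_.FreeSpace / 1MB) -ge $requiredMB } |
               ForEach-Object { $_.DeviceID }

        [pscustomobject]@{
            Machine     = $t
            SystemDrive = $sys
            FreeMB      = $freeMB
            RequiredMB  = $requiredMB
            Status      = if ($freeMB -ge $requiredMB) { 'OK' } else { 'LOW - set Patch Drive Path' }
            Alternates  = (@($alt) -join ',')
        }
    } catch {
        # Unreachable or no WMI rights: report it rather than silently skipping the machine
        [pscustomobject]@{
            Machine = $t; SystemDrive = ''; FreeMB = 0; RequiredMB = $requiredMB
            Status  = "ERROR: $($_.Exception.Message)"; Alternates = ''
        }
    }
}
```

Pipe the output to Export-Csv to keep a record of which machines you repointed, and re-run it after the SP3 reboot to confirm the space came back once the temporary files were cleaned up.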

  • Allow for a longer maintenance window: Service Packs in general take longer than patches to install. After the SP you want to ensure a reboot occurs. The next step is to scan and deploy missing security patches to the newly upgraded system, as security patches may now apply that did not previously. Also, some security patches that had been applied previously may now be missing again, since the SP may have overwritten some of the files.

Tip: Schedule the deployment of SP3 to run at a later date and time. This copies the SP out immediately and schedules execution to begin at the date and time you choose. Then schedule a follow-up scan and auto deploy using the Security Patch Scan template, or a custom security template you have created that utilizes a Patch Group, to follow the SP and reboot you have scheduled by an hour or two. In this way you have configured everything to run unattended.

  • Utilize the Remote Dialogue in the Deployment Template: You can create a message dialogue that notifies the end-user that their machine is being patched. Normally I am all for this process being transparent except for the reboot, but in this case the last thing you want is a user rebooting in the middle of an OS SP. Create a deployment template or modify an existing one, and under the General tab check the Remote Dialogue box and type in a message. Something to the effect of "Service Pack Installation" with a caption of "Please do not reboot your machine. For any questions contact the Helpdesk", and add an extension or contact number etc.

Now, there are cases where the deployment of XP SP3 is just not an option yet. If you are in a case like this, there are things you can do to protect yourself further. This article from NetworkWorld.com talks about a few of these steps on page 2.

There are risks in not getting up to SP3. The good news is that targeted attacks on applications have been more prevalent than OS attacks in recent years, so by switching your browser to Firefox or Opera (both supported by Shavlik) you can reduce the risk of IE letting something in. Other vendors' products like Adobe can still be patched going forward as well; keep those up to date regularly. Shavlik will still scan XP SP2 machines and will be able to patch the 3rd party products on them. This reduces the risk, but will not eliminate it. If the machines in question serve a specific function you may choose to take other steps, like virtualizing them with a PtoV tool (a free tool from VMware) and upgrading the user's physical machine. The SP2 machine can be virtualized, and at that point you can take additional steps to separate it from the regular user environment. Users who need these machines can remote into them for what they need and nothing more.

Another alternative is Windows 7. Windows 7 has a compatibility mode that can run different apps or web pages under older OS\SP levels or IE versions. You can try testing the apps in question on Windows 7 with XP SP2 compatibility mode enabled. This is an XP VM running on Windows 7, so it is a lot more effective than the compatibility mode options that existed in Windows before Windows 7. Check out this post from the Windows 7 Forums for more details on how to enable this.

-Chris Goettl


Custom Actions and Custom Patch Examples

I am a little behind on my video content, but I wanted to let everyone know about a couple of sticky posts on the General Shavlik Product Support Forum. I will try to have some videos to go with these examples in the near future. Each comes with a doc with steps to implement it.

Custom Patch Examples - Currently there is a Shavlik Agent as a Custom Patch and a Java Removal Tool example.

Custom Action Examples - Currently there is a Delete old propatches data example.

If you have some good examples please let us know. We will have to go through submissions and validate them, but we would like to get examples of how our customers are using these features so we can share them with others. You can submit any example to support@shavlik.com attn: Chris and I will review them as soon as I can and post them.

-Chris Goettl


Scan View: New vs Old

This is a call for feedback to those of you who started on older versions of Shavlik and have upgraded to NetChk Protect 7.5. I have been in a continual debate with support techs over this issue and we have reached a stalemate, with neither side fully able to win the other over.

The new Scan View in NetChk Protect 7.5 was made with operational efficiency in mind. The interface allows you to scan any number of machines you want and then deploy to any combination of those machines in as many or as few deployments as you want. This increases the operational efficiency of working through the product and decreases the number of groups you would have to manage in complex environments.

Ex. In the old version, if I wanted to scan DCs, file servers, app servers, and clustered servers and deploy to them all using separate scheduled times, I would have had to use multiple machine groups: clustered servers broken into as many groups as there are deployment times, tiered apps broken into separate groups depending on reboot order (e.g. application, DB, and presentation layer each needing to reboot in a certain order or things will not come up right). Instead of managing this with many different machine groups, we now allow you to scan all of these servers at the same time, and from there you choose any combination of machines at the top level and the selection of patches in the middle, then deploy all missing or selected patches or service packs. For a very complex server environment this simplifies the operational workflow greatly.

Along with this came the tracking of actions taken against missing items. If I deploy to any machines from the new Scan View it updates the missing patch with the deployment status as it progresses, again increasing operational visibility. Any scan I open shows me specifically what I have deployed. Note that the actual scan data does not change as these statuses update: a report would still show any missing patch as a missing patch for that result. Also, if I look in the middle pane, the combination of Missing, Scheduled, Executing, Pending Reboot, etc. items all started as a missing patch, so I can still see all the information I need from this one view without wondering whether that missing patch was deployed and having to go search for a related deployment and\or try to locate it through the tracker. Done from an operational perspective.

So the argument is that the Scan View in 7.5 does not allow the user to click on a scan and immediately know what was originally missing in the scan. The data is all there, but as things deploy a patch may jump from state to state, so if the user just wants to go back to a scan they sometimes have to dig for the data.

My question to you (the user) is: does this new operational workflow improve your experience or confuse it? Please send in your comments on what you like or dislike about the new view, and suggestions as well.

-Chris Goettl


SQL 2008 R2 Express Edition

For those of you using the Express edition of SQL there is some benefit to the new SQL 2008 R2 release. The 2005 and 2008 Express editions have a maximum DB size limit of 4 GB. The R2 release has increased this DB limit to 10 GB, which allows for much more historical data to be stored. I know we are looking to have the R2 edition as our default install in a future release, but for those of you currently on Express you can look into upgrading to the R2 edition now.

Now, just having a larger DB size limit and allowing the DB to grow is not recommended. You do want to keep your DB clean and regularly maintain it. The health of your DB keeps the performance of the product where it should be. Most customers I work with who get to a 4 GB or larger DB size really are just storing data that is unnecessary. You can go to our online documentation and look at the Implementation and Planning Guide for recommendations on which SQL edition to use depending on your environment. This guide also includes DB maintenance recommendations and a command line tool to use with Express editions. I always recommend people clean up any older data that is not required for audit purposes; if the data is stagnant it is just taking up space. You can also run reports and export them to PDF for storage, keep regular backups for archive purposes, and keep only the data live that is really necessary. For most companies 90 days' worth of data live in the DB is more than would really be necessary, but that will depend on your needs.

Oh, and Happy Patch Wednesday! The XML release is out and I am installing my patches as I type this. Adobe has announced a release coming soon. Read here for more details on the upcoming Flash, Reader, and Acrobat releases Adobe has announced for later this month.

-Chris Goettl
