Software Distribution Options in Shavlik NetChk Protect

Ever compared a Shavlik scan with Windows Update?  If you used only the Shavlik Security Patch Scan, you will see some differences.  We catch 3rd party products like Adobe, Firefox, Apple, etc., while WU only tells you that you are missing and need to install Microsoft products such as IE8, .NET Frameworks, Microsoft Silverlight, and all sorts of other fun stuff you may not really need or want installed on your network, and it ignores critical non-Microsoft applications on your system.  Shavlik can scan for all of these as well, but we choose to separate them from security patch reports because most of our customers focus on security patching first and on other items as needed or once critical testing is complete.

However, if you find that you require additional software to be installed on your network, Shavlik can help.  Out of the box, Shavlik can deploy IE 7 or IE8, .NET frameworks, Acrobat Reader, Flash Player, Firefox, etc.  Here are quick and easy directions to scan for and install software using Shavlik NetChk Protect:

  1. In the console go to Patch Scan Templates and create a new patch scan template. 
  2. Name it Software Distribution
  3. In the Patch Type Filter just uncheck Security Patches and check Software Distribution. 
  4. Save.

Scan a machine with this template and you will find Firefox, QuickTime, Flash, .NET 1.1 – 3.5 SP1, Silverlight, Windows Desktop Search, and much more.  You can deploy any of these items as easily as a patch.  The one thing we recommend is to scan for these separately and choose what you want to deploy, to prevent unnecessary software from being deployed to systems like servers.  If you plan to make a product in this list standard, it is highly recommended to use a Patch Group to enforce only what you want and nothing else.

- Chris Goettl

New Hotfix for Shavlik NetChk Protect 7.2

Shavlik has released a stability hotfix for NetChk Protect 7.2.   This will update your build from 155 to 346 when applied.  Shavlik customers running NetChk Protect 7.2 can download this patch manually and apply it to their consoles.  For a complete list of issues resolved you can go to the forum link where they are listed out in detail.

http://forum.shavlik.com/viewtopic.php?f=10&t=15865

If you are on a previous 7.x version and would like to utilize these performance enhancements you can go to www.shavlik.com/downloads.aspx to get the latest 7.2 install (there is also a link to the hotfix just below the 7.2 download link).

- Chris Goettl

Using Shavlik NetChk Protect to do a Discovery Scan of your environment

One of the biggest advantages of Agentless Technology is the ability to discover machines in an environment.  It would be nice to say that you know exactly what machines are in your environment at any given time, but it is not a claim that many can make with 100% confidence.  In most cases, there is simply too much activity happening on the network that is not in the IT administrator’s control, so they are often left to guess how many machines are in their environment.  Larger environments, more teams involved in staging machines, virtual technology that makes it easier and faster to roll out machines, Dev and QA environments where employees hold the power to build and rebuild machines on a regular basis: the list goes on.  The result, however, is the same.  Machines slip through the cracks and go unmanaged as far as Patch, Threat, and Asset Management are concerned.  How do you manage this type of issue?

In NetChk Protect you can do this by running a discovery scan using Patch or Asset agentless scan technology.  I typically do this with the Default Security Patch Scan template.  Create a new machine group.  Click on the IP Address\IP Range tab and enter the IP range of your entire environment.  Add multiple ranges for multiple subnets depending on how your environment is set up.  Then set credentials on the group.

Select the Discovery Machine Group you created; in the ‘Scan With’ drop-down you should see Security Patch Scan.  Click “begin scan” and then “scan now.”  Depending on the size of the environment this could take a while, so let it run.  Once it completes, you can look at all the machines discovered and, for those that failed to scan, evaluate which are machines and which are likely not machines at all.

In the scan result you can click on the Machines not Scanned and sort by the Reason Column.  The best way to determine which items are worth investigating further is by the error code.

Understanding the Scan Results:

200, 201, and 235 – Pretty much no machine was on that IP during that scan.

261 – Something is listening, either non-MS or firewalled.  Try nslookup or RDP to the box to determine if it is something you can connect to.

300s – Admin shares were removed.  Go to Tools > Options > Authentication and check “Create a temporary system drive if none exists”; next time you should be able to scan this machine.

451, 452 – Machine is definitely there but admin creds or another prerequisite prevented us from scanning.  Go to Forum.Shavlik.com and do a search of the 3 digit error code in the Shavlik Knowledgebase for detailed instructions to resolve.

500s – Definitely a windows machine but remote registry access is denied.  Win 7, Vista, and 2k8 disable this service by default.  Older OSs could have had it disabled or winreg permissions modified.  Forum search of 3 digit code will give additional steps to troubleshoot.

600, 700, 800, 900 – Level codes could come up but not likely under these circumstances as they pertain to other types of scanning.

You can run a report of Machines Not Scanned in a date range to get a list of all error codes for a time period.  In the report gallery select the Machines Not Scanned report, check the advanced filter, and set a date range to capture the latest discovery scan you have run.  This can then be exported into different formats so you can work with the information more easily.  Set up a Discovery Scan on a recurring basis and see what comes up.  Some people are very surprised at the findings.
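
The triage above, applied to an exported Machines Not Scanned report so that addresses where something answered but could not be assessed end up on a follow-up list. This is an added example, not part of the original post or of NetChk Protect; the CSV column names (IP, ErrorCode) and the sample rows are constructed, and it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. The column names (IP, ErrorCode)
# and the sample rows are constructed; match them to your own export.
$export = @"
IP,ErrorCode
10.0.5.11,201
10.0.5.12,261
10.0.5.20,301
10.0.5.31,452
10.0.5.44,502
10.0.5.45,502
10.0.5.60,700
10.0.5.61,n/a
"@ | ConvertFrom-Csv

function Get-ScanErrorTriage {
    param([string]$Code)

    # Only three-digit codes are classified; anything else goes to manual review.
    $n = if ($Code -match '^\d{3}$') { [int]$Code } else { -1 }

    # Buckets follow the error-code list in the post, most specific first.
    if ($n -lt 0) {
        $r = 'Unrecognized value', $true, 'Check the raw value in the export'
    } elseif ((200, 201, 235) -contains $n) {
        $r = 'No machine on IP', $false, 'None'
    } elseif ($n -eq 261) {
        $r = 'Listening, non-MS or firewalled', $true, 'Try nslookup or RDP to identify the device'
    } elseif ($n -ge 300 -and $n -le 399) {
        $r = 'Admin shares removed', $true, 'Enable the temporary system drive option, then rescan'
    } elseif ((451, 452) -contains $n) {
        $r = 'Present, credentials or prerequisite failed', $true, 'Search the code in the Shavlik Knowledgebase'
    } elseif ($n -ge 500 -and $n -le 599) {
        $r = 'Windows, remote registry denied', $true, 'Check the Remote Registry service and winreg permissions'
    } elseif ($n -ge 600) {
        # Reads "600, 700, 800, 900" as the 600- to 900-level ranges (assumption).
        $r = 'Other scan type', $true, 'Not expected from a discovery scan; look up the code'
    } else {
        $r = 'Not in the list', $true, 'Search the code in the Shavlik Knowledgebase'
    }
    [pscustomobject]@{ Bucket = $r[0]; FollowUp = $r[1]; Action = $r[2] }
}

# Drop addresses where no machine answered; everything else needs a follow-up.
$worklist = foreach ($row in $export) {
    $t = Get-ScanErrorTriage $row.ErrorCode
    if ($t.FollowUp) {
        [pscustomobject]@{
            IP = $row.IP; Code = $row.ErrorCode; Bucket = $t.Bucket; Action = $t.Action
        }
    }
}

# Per-host worklist, then a count per bucket to show where the effort goes.
$worklist | Sort-Object Bucket, IP | Format-Table -AutoSize -Wrap
$worklist | Group-Object Bucket | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```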

Concerns Regarding MS10-015

There is rising concern regarding MS10-015 causing BSOD on machines.  According to Microsoft and other sources in the Security world the issue is linked to Malware already on the machine when the patch is applied.  Microsoft has pulled the patch from WU likely to reduce impact to home users who are more likely to have Malware on their machines that could cause this, but the patch is still available in WSUS, SUS, and SCCM.  The patch is still available to Shavlik Customers as well.

Shavlik Recommendations:

  • Adequate Patch Testing in place – Microsoft tests patches before release and Shavlik does additional testing in our environments to ensure detection logic is correct and there are no widespread issues encountered with patching the machine.  Lab testing can only do so much.  It is highly recommended to implement some level of testing in your environment as well.  This will ensure that environment-specific variables we cannot reproduce will not cause you issues.  Your testing could be a group of virtual machines representing a cross section of machines in your environment or it could be IT and a select group of users and servers.

  • If you are concerned about the patch, are aware of recent Malware outbreaks in your environment, and/or patch testing resulted in machines encountering the BSOD, you can set up a template to scan for all other Security Patches except MS10-015.

      Steps to do this:

         1. Go to Patch Groups on the Navigation Bar and create a new patch group.  Call it MS10-015 and click Add Patches.

         2. Scroll down to MS10-015, check the box, click Select, then click Save.

         3. Create a New Scan Template.  Call it something like “Security Patches Except MS10-015”.  This by default is set up to scan for all security patches.

         4. In the Patch section select Skip Selected and next to Patch Groups click … to browse and select your new patch group.

         5. Scan using this new template and you will scan for all security patches except MS10-015.

  • If customers are experiencing a BSOD as a result of pushing MS10-015 they can contact Microsoft directly for support using the country specific numbers provided at support.microsoft.com/security. In North America, customers can call 1-866-PCSAFETY for this support.

- Chris Goettl

Answering Tough Questions with Confidence

Even though it’s been over a year since it was released into the wild, I think everyone still remembers Conficker.  I recall it well.  In fact only about two months or so ago I just worked with another prospect who was infected quite severely with Conficker.  Windows Update Services (WUS) had not installed the patch correctly to their environment and their AV was blocking around 15k infections per day.  Needless to say, they were struggling to protect themselves as the WUS was disabled by Conficker on their machines.  One deployment using Shavlik to roll out MS08-067 and they were down to their AV blocking only 12 infections the following morning across a handful of machines that were not available during the previous night’s deployment.  A PO followed shortly after, of course, and they are now patching using Shavlik.  A great success story, but the part that was most effective in reassuring management that they were protected was the report they ran after the deployment was complete.

It’s been two weeks after the release of MS10-002.  Do you know where you stand currently?  If not, and you are a Shavlik NetChk Protect user, try this report using the advanced filter and see if it helps you gain an understanding of how close you are to fully protected vs MS10-002.  Complete the following steps:

  1. In the report gallery choose the Condensed Patch Listing. 
  2. Check the use advanced filter box. 
  3. Under scans and deployments choose the radio button for View Current Status. 
  4. Under Patches Bulletin IDs scroll down and check just MS10-002. 
  5. Generate this report and you will have a report of each machine’s status for MS10-002.  Depending on the number of machines you could also do a variation of this filter and under Patch Properties choose Missing.  This will give you the latest on all machines that are still missing the patch.

It is great to know the overall patch status of your machines, but there are times when you need to answer very specific questions very quickly.  The advanced filter is a great way to do this.   

- Chris Goettl

Shavlik NetChk Protect Scans coming back with 0 missing 0 installed patches

A number of forum posts have come up in the last week regarding this issue.   Symptoms are getting a result back for machines but Installed, Missing, and Missing SPs are all 0.  This is a result of a hotfix we released last Friday with changes to the import process.  Only specific upgrade paths could have resulted in this issue.  If you are getting these symptoms go to the Shavlik Forum to see if you are running into this issue at: http://forum.shavlik.com/viewtopic.php?f=10&t=15823.

If you are having this issue please contact support (contact info is at the bottom of the Shavlik Forum page) and we will get you back up and running.  The patch is in testing and will be re-released soon.

-Chris Goettl

When are you upgrading to Windows 7?

In a recent blog posting by Kristen Caretta for SearchCIO-Midmarket.com, she points out that many mid-market companies are holding off on migrating to Windows 7, mostly due to the clean-install process and costs to upgrade. 

After seeing this article, one of my associates asked me how many Shavlik users have migrated or are planning to migrate to Windows 7?  If the majority of you are holding off on the migration, this would not surprise me for many reasons.

1. Isn’t Windows 7 built on the same technology as Vista? For those who tried Vista and really struggled, thinking about going to Windows 7 probably had you a bit gun-shy.  Who could blame you?  My personal experience on Windows Vista x64 (to take advantage of the RAM, I run a lot of VMs locally)… My domain profile blew up 4 times causing authentication issues with Exchange, SQL, etc resulting in time spent with IT to remove me from the domain and re-add me.  I downgraded to Windows XP x64 which I cannot say was much better, but I was able to use the additional RAM and did not have to spend quality time with IT once a month.  

2. Time and money. IT is already strapped for time and does not have budget to bring on temps, add head count, or pay out overtime to do the upgrade.  It also takes time and money to provide user training on this new operating system.

3. Complexity. I have been through a number of OS migrations.  On my personal machines I started back in the Windows 3.1.1 days.  95, 98, 98 SE, 2000 workstation, Millennium (I skipped this one, but my roommate in college had a great time installing then reverting back to 98SE), XP, Vista, and now Windows 7.  I have also been part of Windows Server and Novell migrations at a former company.  No OS migration is smooth.  Upgrade installs almost always result in short term gain, long term loss.  Fresh installs take longer, but are cleaner in general.  For XP to Windows 7 it is a Fresh install, but the install of Windows 7 lets you keep the old OS on the hard drive so you can access files.  This takes up drive space, but you know you have all the data just in case.  Upgrade or Fresh install you will encounter product or hardware incompatibilities.  There could be a long road of support issues to get everything back to normal even with adequate testing in advance.

So for those of you in the Shavlik Community, what are you doing today regarding Windows 7?

-Chris Goettl

SQL Database Maintenance

If you are at a company that is running Shavlik products on a full SQL environment and have a DBA on staff with SQL maintenance and backup policies already running against our DBs, great!  If you are running SQL Express or full SQL but don’t have a maintenance and backup plan in place, please keep reading. 

DB instability and corruption are the single biggest cause of the upgrade issues we encounter and the root cause of many GUI performance issues.  These can be mitigated and, in many cases, resolved by proactive maintenance on the DB.  Below are our recommendations for good regular maintenance on your DB so you keep it running slim and clean for good performance and to reduce issues.

Keep in mind this is a starting point.  If you have regulatory needs that require more data kept live you should adjust to keep more data live.  If that is the case you may want to analyze how frequently you are scanning.  1000 agents scanning 8 times a day will grow your DB at a much more rapid rate than once per day or once per week.  And in most cases, you don’t really need all of that data.

Recommendation for regular DB maintenance: 

Data Retention: Determine the amount of data that needs to be kept on hand for operational purposes.  Typically 60-90 days is acceptable for operational purposes.  Configure the PurgeOldProtectData utility to clean up anything older than that number of days and schedule a task to run monthly to clean up the DB.

http://supportteamblog.shavlik.com/2009/12/31/new-use-netchk-protect-7-2-to-purge-old-data-using-a-powershell-script/

Reporting: Determine what report data is required for audit\regulatory requirements.  Run monthly reports fulfilling these needs and keep on file as far back as policy requires.  Typically 13 months is acceptable.

DB Backups: It is recommended to run weekly incremental and monthly full backups.  The backup should be run just before your scheduled purge.  Keep backups as far back as the reporting data. 

DB Maintenance Schedule:

Backups: full monthly, just after patch maintenance for that month.  Incremental weekly, end of each week (after weekend patch windows preferably).

Purge Data: After Full Monthly backup is run

Reindex: After Purge Data is run

Integrity: After Reindex is run

Full SQL Maintenance Guidance:

If you are using full SQL it is easiest to set up maintenance plans using the maintenance wizard.  Microsoft has some documentation around common SQL maintenance at the following link, including how to use the SQL Wizard to set up a maintenance plan:

http://www.networkworld.com/subnets/microsoft/110107-ch8-sql-server.html?page=2

If you are using SQL Express the maintenance wizard is not available.  In that case you can use the SQLCMD command line interface to run stored maintenance procedures or you may look into some tools created by DBAs to wrap these commands into an easier interface.  One tool that works very well is ExpressMaint.  Using either of these options you can write a script to handle the maintenance and schedule using the Microsoft Scheduler on the frequency you desire.

http://www.sqldbatips.com/showarticle.asp?ID=29

Example script for SQL Express to do a full backup, reindex, and integrity check using the ExpressMaint utility:

Expressmaint -S (local)\SQLExpress -D ShavlikScans -T DB -R C:\Expressmaint -RU WEEKS -RV 1 -B C:\Expressmaint -BU WEEKS -BV 1 -V -C

ExpressMaint -S (local)\SQLExpress -D ShavlikScans -T REINDEX -R C:\Expressmaint -RU Weeks -RV 1

ExpressMaint -S (local)\SQLExpress -D ShavlikScans -T CheckDB -R C:\Expressmaint -RU Weeks -RV 1

 - Chris Goettl

NEW! Use NetChk Protect 7.2 to Purge Old Data Using a PowerShell Script

We have had requests from many of our customers to provide an easy way to purge old data from NetChk Protect, and we now have made it available through a PowerShell Script.  NOTE: To use this script you must be running NetChk Protect v.7.2.  This script enables you to execute a purge of data older than xx number of days.  Below you will find details on prerequisites to run the script and instructions on how to set it up.

Prerequisites:

NetChk Protect 7.2 or later – Download Here.

Windows Powershell – Download Here.

Open Shavlik’s PurgeOldProtectData.zip File – Open Here.

Steps to Setup:
1. Upgrade to Protect 7.2

2. Install Microsoft Powershell 1.0 (link to download page provided above, make sure you download the version for your System OS)

3. Extract PurgeOldProtectData.ps1 to c:\program files\shavlik technologies\netchk
(Link Provided above)

4. Create PurgeScript.bat file – in c:\program files\shavlik technologies\netchk\ and paste the following syntax in the bat file replacing values for SQL instance, DB name, and number of days to purge as necessary:

powershell -command "set-executionpolicy Unrestricted"

powershell -command "& .\purgeoldprotectdata.ps1 -sqlinstance 'sqlserver\instance' -database 'ShavlikScans' -purgeAfterDays xx -timeout 30"

powershell -command "set-executionpolicy restricted"

5. Testing - For testing purposes I like to throw a pause command at the end of the bat in case an error occurs while testing.  Run the bat on its own first time out to ensure it will execute as expected.  First time it may take a while to purge depending on how much data there is.

Example Result:

    GAC    Version        Location
    ---    -------        --------
    False  v2.0.50727     C:\Program Files (x86)\Shavlik Technologies\NetChk\ST….
    False  v2.0.50727     C:\Program Files (x86)\Shavlik Technologies\NetChk\ST….
    False  v2.0.50727     C:\Program Files (x86)\Shavlik Technologies\NetChk\ST….
    Delete operation complete.  All data older than
    +
    48
    +
    days old was removed from the
    +
    ShavlikScans
    database.

6. Scheduling a Recurring Task - Once you have tested the bat successfully we can move on to scheduling.  We will use the Windows Task Scheduler to schedule the job.  Create a new scheduled task, browse to the bat file, set the recurrence pattern, and set credentials.  Execute the task in the scheduler by right-clicking it and choosing Run to ensure the scheduled task will run as well.

(Special thanks to Hazzmat for making this script a reality.)

 

- Chris Goettl

Shavlik NetChk Configure 4.2 Now Available

This new release of NetChk Configure has added support for installing and scanning Windows 7 and Windows 2008 R2 systems.  This release also fixes 5 known issues with NetChk Configure.  The NetChk Configure 4.2 release notes can be found here.  NetChk Configure 4.2 can be downloaded here.

- Jason Miller
