Hi All,

after last patch rollout, our test group got Windows Life Essentials installed with Windows Family Safety, Windows Mail, Windows Writer, Windows Messenger, etc..

Does anyone know how to get rid all of them at once? I tried to create a batch file and a deinstall package but the status when assign task to a machine stays as "Pending"

my test batch file is very simple :

MsiExec.exe /uninstall {CB3CA48C-95CB-412B-B7AE-6F2EA8F89907} /passive

MsiExec.exe /uninstall {04BE4035-3C8E-4B48-BFB8-1655849C0C8B} /passive           

MsiExec.exe /X {BAD984EE-790E-4513-A428-3BE2D426DCA7} /passive

I recently updated the Core Server with .NET Framework 4.5.2.  I didn't notice any problems until I tried to run Patches on a Test Group.  In the test group; there are 10 machines, each of the machines seem to fail downloading the patch from the server.  It hasn't had problems in the past.  We sent out patches to a set of 300 Servers, and the patches downloaded fine and we had a 96% success rate.  I'm not positive that is has to do with .NET update, it just so happens that it was updated after the patches were sent out to the Servers.  If there is any other ideas as to why it's failing, please point me in a direction.  We're trying to send out any patches that the machines are missing... I saw some posts about a similar issue in 9.5 SP2 that there was a beta patch and a fix in 9.5 sp3.  I'm not sure that is the answer, I just know that in other environments that I've been in, .NET updates was a culprit in a lot of "Weird" issues.

Let me know your thoughts; please!!

Thanks,

Kevin

I am showing this patch for one of my desktops:    EOL_JREJDKv1.6

She had several versions of Java running. I uninstalled all versions of Java from her machine and rebooted it. I then installed the most current version of Java.

I ran a LANDesk scan and it still shows this patch:   EOL_JREJDKv1.6

It's my understanding that LANDesk is detecting this older version of Java on her machine that has reached end of life. When we see these we uninstall the old software, scan and the EOL patch no longer shows up.

Why won't this go away on this particular machine?

I have been checking log files directly at their actual locations. However I see this a lot and wondered if anyone else gets it or has a solution?

When you get a failed task in the console. Be it a Repair job or a deployment if you right click the machine and choose 'view log file' it opens a blank log.

Anyone know a solution to this? Or as to why it happens?

As i said I will then just go direct to the log in question on the target machine but surely the view log file should work first.

Environment

LANDesk Management Suite 9.5

LANDesk Management Suite 9.6

Error Message in Vulscan.log

Last status: Done
ProcessRules: detected compliance=0
Sending scan results to core LDMSCORE
PutResultsAsFile uncompressed length: 2014088
compressed length: 55626
HTTP POST: http://LDMSCORE/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{FC50D599-697B-5143-A3AA-7D4E3F74134A}_03456.vrz
Setting a proxy...
Setting socket timeout to 1000 * 60 * 4
Failed http://LDMSCORE/incomingdata/postcgi.exe?prefix=vulscanresults\&name=ScanResults_{FC50D599-697B-5143-A3AA-7D4E3F74134A}_03456.vrz on server (0), server status: 406.
HTTP Error 406.  Giving up.
Last status: Failed: No response from core
Failed to put vulnerability results to core as file: 8DB301B1
Skipping repair step because scan errors occurred.
Exiting with return code 0x8db301b1 (433).

Solution / Workaround

1. Give the IUSR account Full Control permissions to the Managementsuite\Vulscanresults folder on the Core Server.
2. Run IISRESET on the Core Server.

Adobe Flash Player was last updated in my patch and compliance list at v16.0.0.305.  Why am I not getting the updates to v17?

Target: Windows 2008 Standard - SP1

When patch is manually run it says SP1 is required. (No pending reboot flag)

Anyone else seen this?

We do not have any Windows 8 machines on our network. All desktops are Windows 7.

We have some new servers with Server 2012 on them.

I am showing patch 3025417_MSU as being needed on my Server 2012 machines. This patch is an update for Windows Defender. The odd thing is that you cannot put Windows Defender on a server.

I'm curious why its detecting my servers and wants to be installed. I did try it on one and it failed. I tried to manually install it and it says 'does not apply to this system.'

Applies to LANDesk Management Suite 8.8 and LANDesk Management Suite 9

LANDesk provides data about if a patch has been superseded by another patch. When this is true, the previous patch is no longer needed because the newer patch contains all the needed fixes. However sometimes this is difficult to manage.

Problem

It is difficult to tell what Vulnerabilites are no longer needed because a newer Vulnerability has replaced it.

Solution

1. Open the LANDesk Management Suite console.
2. Open Security and Patch Manager (Patch and Compliance in 9.0)
3. Click on All Items.
4. Scroll over to the "Replaced" column. Click on the heading to sort by this column.
5. Drag all the Definitions that Say "ALL" to the "Do Not Scan folder".

Depending on the number of end points that are being managed this could take along time to complete. If you would like to avoid the long delay move the superceded patches over in smaller groups.

Additional Information

The following SQL statements will move all Vulnerabilities that have been completely superceded by a newer Patch to the Do Not Scan Folder. This will only work in LANDesk Management Suite 8.8

Assigns the Vulnerability to the Do not scan folder:

UPDATE vulnerability SET Status=0 WHERE SupercededState='2'

Removes client specific scan information for the vulnerabilites:

DELETE FROM ComputerVulnerability
INNER JOIN Vulnerability ON ComputerVulnerability.Vul_ID = Vulnerability.Vul_ID
WHERE(Vulnerability.Status = 0)

What is Patch Supercedence?

Patch supercedence is when a newer patch completely replaces an older patch.  It is usually the best practice to only apply the latest patches rather than all of the patches.  This is mostly due to the time needed to scan for older patches, install, reboot, and re-scan if you were to install all the patches.

Why scanning only for the latest patches is a good thing

It is much quicker and easier to only apply the latest patch that will contain all the fixes in the replaced patches.  In tests, disabling replaced rules has cut the scan time in half.  Another benefit is that you will have fewer patch install failures if you only install the latest patch.  Many Microsoft patches will fail to install if there has been a newer patch installed.

Viewing replaced patch definition rules

To view which patches have been replaced or replace other patches:

• In the LDMS Console go to Tools - Security and Compliance - Patch and Compliance
• Expand Scan
• Click on Replaced

The Replaced group shows patches that have been replaced by a newer patch.

You will see which patch replaces it by looking at the "Replaced by" column.

It is also possible that the replaced patch itself had replaced a previous patch.  You will see that by looking at the "Replaces" column.

For example, in the above screenshot the patch 2661254v2 replaces patch 2661254 and all of it's rules are replaced by MS13-095.

You can move all of these rules to the "Do Not Scan" group and this would be the as effective as disabling the individual rules inside these patch definitions.

Partial Replaced patch definition rules

It's also possible that only some of the rules in a definition have been replaced.

To view the partially replaced patches, click on the "Partially replaced" group

In the above screenshot you will see that the "Replaced by" column now says "Some:" instead of "All".  This indicates that only some of the rules in the definition have been replaced.

Viewing rules inside a patch definition

If we double-click MS14-035 it will open and we can view the rules inside the patch definition.

Here we can see the three rules have not been replaced and six rules have been replaced by MS14-037.

Until all the rules are replaced it would be best to leave the patch definition for MS14-035 in the scan group.

Manually Disabling replaced rules

There are two ways to manually disable replaced rules.

First, you can open a definition and right-click on the replaced rule and disable it.

Right-click on the replaced rule and click "Disable Scan"

This will change the Icon on the rule to a red cross on it.

You can also multi-select the rules and disable them all at once.

Using the Disable replaced rules tool

The other way to manually disable rules is to use the disabled replaced rules tool.

Click on the icon highlighted in red.

This brings up the Disable replaced rules tool as seen in the above screenshot on the right.

You can either select patch definitions or have the tool run against all rules.

Video: How to use the Disable Replaced Rules tool in Security and Compliance Manager

Automatically replacing disabled rules

It is also possible to disable all replaced rules when a new patch definition is downloaded.

Click on the Download Updates icon from the Patch and Compliance toolbar.

From the Download updates tool, click the "Definition group settings" button.

This will open up the Definition group settings tool.

Click on New.

Set the Definition Type to Vulnerabilities

Set Severity to Any

Leave Comparison at None

Under Action, check Set status to Scan

Check "Disable any rules this definition replaces"

Click OK.

This rule will cause any replaced rules to be disabled when their replacement is downloaded.  This way the replaced rules are automatically handled and only the latest patch definitions are used.

Applies to LANDESK Management Suite 9.0 Service Pack 2 and earlier

LANDesk provides a large number of vulnerability definitions for a large number of products going back quite some time. Because newer patches sometimes replace older patches, LANDesk provides this information as part of the definition. When a newer patch or vulnerability becomes available, the previous version will be marked as replaced, either partially or completely. This information can be used to improve the performance of Security Scans on client machines as well as provide more accurate information about the vulnerability status of machines. Some other symptoms that are seen and can be resolved include:

• Vulnerabilities keep getting detected on computers and the patch will not install
• Patches are stuck in loop continually trying to install on the clients

While this process will not resolve all cases with the above symptoms, it can resolve some issues. It is recommended that all customers review this information to help keep the Patch Content up-to-date.

Issue

• Vulnerabilities keep getting detected on computers and the patch will not install

• Patches are stuck in loop continually trying to install on the clients

• Security Scans (VULSCAN.EXE) takes a long time to run

Solution

Quick Reference

The general overview of the steps required is outlined below. Continue reading for more detailed information, or select the step in question for more details.

1. Download the latest patch content
2. Make sure all neccesary vulnerabilities are in the Scan folder
3. Sort the items in the Scan folder by the Replaced column
4. Move superseded vulnerabilities to Do Not Scan
5. Verify vulnerabilities were correctly moved to the Do Not Scan folder
6. Disable replaced detection rules
7. Delete superseded vulnerabilities from custom groups
8. Run deleteOldPatches.exe on the Core Server

Download the Latest Patch Content

The Download Updates tool is accessed from the Patch and Compliance window.

LANDesk® Management Suite 8.8

To get to the Download Updates tool, select Tools > Security > Security and Patch Manager. Then select the Download updates button from the toolbar. It is the first button on the left.

For more information about updating defintions see: Getting started with Patch Manager in LANDesk® Management Suite 8.8

LANDesk® Management Suite 9.0

To get to the Download Updates tool, select Tools > Security and Compliance > Patch and compliance. Then select the Download Updates button from the toolbar. It is the first button just to the right of the drop-down menus.

For more information about updating defintions see: Getting started with Patch Manager in LANDesk® Management Suite 9.0

Verify Vulnerabilities are in the Scan Folder

After the Patch Content has downloaded, move any new vulnerabilities that should be scanned from the Unassigned folder to the Scan folder. Only put vulnerabilities in the Scan folder that should be scanned for on the computers to help speed up the security scans on clients.

Sort Items in the Scan Folder by the Replaced Column

1. Open the Patch Manager tool in the LANDesk Console
2. Select All Types in the Type box
3. Select All Items in the Filter box
4. Click the Scan folder under All Types on the left pane
5. Click the Replaced column to sort by the Replaced value

Move Superseded Vulnerabilities to Do Not Scan

There are 2 methods to complete this step. One is using a SQL query and the other is through the LANDesk Management Console. Only one of the options needs to be completed for this step.

SQL Query Method

For LANDesk® Management Suite 8.8, run the following SQL statement against the LANDesk database:

/* This Query will move vulnerabilites that have
 "All" in the "Replaced" column to the "Do Not Scan" folder.
*/
UPDATE Vulnerability SET Status = 0
WHERE Vulnerability_Idn in (
SELECT Vulnerability_Idn FROM Vulnerability WHERE SupercededState = 2 AND Status != 0
)

For LANDesk® Management Suite 9.0, run the following SQL statements against the LANDesk database:

/* This Query will move vulnerabilites that have
"All" in the "Replaced" column to the "Do Not Scan" folder.
*/
INSERT INTO PatchTask (TaskType, RequestDate, param1, param3, message)
SELECT 2, GETDATE(), Vul_ID, 'False','Remove scan status for vulid: '+ Vul_ID +' , patch'
FROM Vulnerability WHERE SupercededState = 2 AND Status != 0

UPDATE Vulnerability SET Status = 0
WHERE Vulnerability_Idn in (
SELECT Vulnerability_Idn FROM Vulnerability WHERE SupercededState = 2 and Status != 0
)

Note: The SQL statements have only been tested on Microsoft SQL server. They may require modifacation to run on Oracle. The SQL statements can be added to the database maintenance run by your DBMS so that they run on a regular basis. Contact your DBA for help with this.

If you use the SQL statement(s), continue to the next section titled "Verify only superseded vulnerabilities moved to Do not Scan".

LANDesk Management Console Method

1. Click on the first vulnerability in the list that has All in the replaced column It should be the first item in the list.
2. Scroll down the list to the last item in the list that has ALL in the Replaced column.
3. Hold the shift key down and click the last item with All in the Replaced column. This should highlight all vulnerabilities with All in the Replaced column.
4. Click and drag the selected items to the Do Not Scan folder.

For LANDesk® Management Suite 9.0, if the "Update dependent or prerequisite definitions as well" box comes up, click No.

For LANDesk® Management Suite 8.8, if the "Update dependent or prerequisite definitions as well" box comes up, click Yes.

Verify Only Superseded Vulnerabilities Moved to Do Not Scan

1. Click on the Do Not Scan folder under All Types
2. Click the Replaced column to sort by it
3. Verify that all vulnerabilities have All in the Replaced column

Note: This assumes that no other vulnerabilities had already been moved to the Do Not Scan folder. If there were already definitions in the Do not Scan folder only move back definitions that may have been moved inadvertently.

Disable Superseded Detection Rules

Sometimes only part of a vulnerability will be replaced. For example, only the Windows XP part of the previous definition will be replaced by a newer definition. In this case, the Replaced column will indicate Some. In these cases, you can disable the scanning of each replaced detection fule inside the vulnerability

There are 2 methods to complete this step. One is using a SQL query and the other is through the LANDesk Management Console. Only one of the options needs to be completed for this step.

SQL Query Method

For LANDesk® Management Suite 8.8 and 9.0, run the following SQL statement against the LANDesk database:

/* This Query will disable individual detection rules
if they have been superseeded and if the vulnerability they belong to
has "Some" in the "Replaced" column.
This only disables detection rules for vulnerabilities currently in the Scan Folder
*/
UPDATE Patch Set Ignore = 1 WHERE Patch_Idn IN (      SELECT p.Patch_Idn FROM Patch p, Vulnerability v WHERE      p.Vulnerability_Idn = v.Vulnerability_Idn      AND SupercededByVulID IS NOT NULL      AND v.SupercededState = 1      AND v.Status NOT IN (0, 2)
)

Note: The SQL statement has only been tested on Microsoft SQL server. It may require modifacation to run on Oracle. The SQL statement can be added to the database maintenance run by your DBMS so that it runs on a regular basis. Contact your DBA for help with this.

If you use the SQL statement, continue to the next section titled "Delete superseded vulnerabilities from custom groups".

LANDesk Management Console Method

Once you have moved all of the definitions that have been entirely replaced (All) to Do not Scan, some definitions will remain in the Scan folder that have been partially replaced. To deal with these, you can disable any superseded detection rules.

1. Click on the Scan folder under All Types
2. Click the Replaced column to sort it so vulnerabilities with Some in the column show up at the top of the list
3. Right-click the first vulnerability in the list and select Properties.
4. Right-click each detection rule in the list that has an entry in the Replaced by column and select the Disable scan option.
5. Repeat this process for all vulnerabilities that have Some in the Replaced column. This will disable the detection of rules that have been replaced by newer vulnerabilities.

Delete Superseded Vulnerabilities from Custom Groups

Now that superseded detection rules have been disabled, it is time to delete the superseded vulnerabilities from custom groups.

1. In the Patch Manager window, expand Custom Groups.
2. Click on each custom group and sort the vulnerabilities by the Replaced column.
3. Select all of the vulnerabilities that have ALL in the Replaced column and delete them.
4. Repeat this process for each custom group under My custom groups and Public custom groups.

Run deleteOldPatches.exe on the Core Server

This tool will delete all patches from the patch folder for the Core Server that are not associated with a vulnerability in the Scan folder.

1. Download deleteOldPatches.zip attached to this article.
2. Extract deleteOldPatches.exe from deleteOldPatches.zip
3. Copy deleteOldPatches.exe to the Core Server.
4. Run deleteOldPatches.exe on the Core Server.

Note: Adding s to the commandline (deleteOldPatches.exe s) will make it run silently so that it can be scheduled. This tool is provided as-is without any warranty, express or implied and is not supported by LANDesk support. If patches are deleted inadvertantly, they can generally be re-downloaded using the Download Updates tool

Applies to LANDESK Management Suite 9.0 SP3, SP4

Issue

• Vulnerabilities keep getting detected on computers and the patch will not install

• Patches are stuck in loop continually trying to install on the clients

• Security Scans (VULSCAN.EXE) takes a long time to run

• How to setup LANDesk to automatically maintain patch content for the Core Server
• How to automate the handling of superseded vulnerabilities

   

Solution

Follow the instructions in the attached document LD90SP3MaintainPatch.

The links below go to the LANDESK Help Center user documentation:

• Patch and Compliance overview
• Patch and Compliance features
• Patch and Compliance main tasks outline
• Understand role-based administration with Patch and Compliance
• Accessing the Patch and Compliance tool window
• Understand and use the Patch and Compliance tool window
• Configuring devices for security management
• Managing security content
  • Security content types and subscriptions
  • Download security content updates
  • View and organize security content
  • Search for vulnerabilities by CVE name
  • Customize item lists with filters
  • Purge unused security content definitions
  • View security information for a scanned device
  • Download patches
  • Uninstall patches (patch rollback)
  • Legal disclaimer for the blocked applications type
• Using custom security definitions
  • Custom security definitions overview
  • Create custom security definitions
  • Delete custom definitions
  • Import and export custom definitions
• Scanning devices for security exposures
  • Security scans overview
  • How Patch and Compliance scans for different security risks
  • Configure security scan contents
  • Create security and compliance scan tasks
  • Configure scan options with scan and repair settings
  • Use custom variables and custom variable override settings
  • View detected security data
  • Secure Content Automation Protocol (SCAP)
  • Forward security scan results to a rollup core
  • About FIPS 140-2 support
• Remediating devices that have detected security exposures
  • Security remediation overview
  • How Patch and Compliance remediates different security risks
  • Remediation methods
  • What happens on a device during remediation
  • View patch and compliance information for scanned devices
• Other Patch and Compliance tasks
  • File reputation
  • Create a scheduled reboot task
  • Use the security scanner command line
  • Configure Patch and Compliance alerts
  • Generate Patch and Compliance reports
• Patch and Compliance help

Hello All,

I've noticed several definitions for for various Landesk Agent components (shown below) and I'm a bit confused about what changes they make and how detection works for them.

There is no description within the properties for these definitions but I assume it simply installs these components if they are missing. Since I use several agents with varying settings, how does detection work? For instance, I've excluded Power Management from the majority of my agents and have it configured on only a certain few. If I ran a repair, would this end up detecting and installing this particular feature on the agents that don't have it configured?

Landesk Patch Mangement shows jre-8u40-windows-i586v2.exe in my latest patch set.

I'm unclear as to what jre-8u40-windows-i586v2.exe is and why it supercedes the original patch as released.

There's no indication in the notes as to why this replaced jre-8u40-windows-i586.exe and there's nothing referred to officially on Oracles site.

Thanks.

We would like to remove all XP patches and just scan for Win7 updates? Is there an easy way to do this? I know there will be times when the updates applies to multiple OS's.

We have a certain set of users that have to be running an older version of Java....about 10 computers

Till this point we've always distributed patches with Enable Global Autofix

What's the best way to enable the latest version for Java to get distributed for the entire district (thousands of devices) and exclude these 10 machines only from the Java update

Applies to all versions of LANDesk Management Suite, LANDesk Security Suite and LANDesk Patch Manager.

What is the Problem?

LANDesk Patch Management License includes access to Microsoft Vulnerabilities. The default vulnerabilities will include detection logic and download access to patches for  Windows XP SP3 and newer. They will not detect, or download a patch for Windows XP SP2 or Windows 2000. LANDesk is currently publishing additional definitions to extend detection to Windows XP SP2 and Windows 2000. These definitions will detect the vulnerabilities, but the patch will not download and must be downloaded manually.

This includes some Microsoft vulnerabilties such as :

• MS10-046_WINXPSP2_WIN2000
• MS10-049_WINXPSP2_WIN2000
• MS10-051_WINXPSP2_WIN2000
• MS10-052_WINXPSP2_WIN2000
• MS10-053_WINXPSP2_WIN2000
• MS10-055_WINXPSP2_WIN2000

Why did this Happen?

Microsoft ended mainstream support for Windows 2000 Server and Client and Windows XP SP2 on July 13, 2010.  Due to their support decision, they are no longer making patches available to the public where the operating system is Windows 2000 Server/Client or Windows XP SP2.  To gain access to this patch content customers must purchase or have an Extended Support contract with Microsoft.

Because Microsoft requires their customers to purchase the Extended Support contract, we recognize that the patches released under that contract are also purchased and can not be released freely.  Microsoft will not provide these patches to us, so we cannot provide the patches through the patch management system or from our LANDesk Support group.

Where can I get help?

If you have an Extended Support contract with Microsoft, you can contact them and receive the download link from their support group.  If you do not currently have an Extended Support contract, you can contact them and inquire about purchasing one.  Once you have acquired the patch you can manually place it in your patch location. Once it is placed there, LANDesk Patch Manager will recognized the patch and you can patch systems with the special defintions.

LANDesk recommends creating and pursuing a plan to upgrade all machines in the environment to supported versions of Microsoft Operating systems in order to ensure continued patch availablity and improved security. We recognize this isn't always immediately possible and so will continue to publish anything we can to help customers on Windows XP SP2 and Windows 2000.

The information below covers upgrade options or paths recommended by Microsoft if your desire is to upgrade your Operating Systems rather than purchase an Extended Support agreement from Microsoft:

• Windows Team Blog - Windows 2000 Server, Windows 2000 Client and Windows XP SP2 Support Ends July 2010
• Microsoft - Windows 2000 End of Support Solution Center

Note: Installation of the latest Service Pack is recommended to resolve this issue.

Issue:

The security and compliance scanner (Vulscan) is running repeatedly on client systems after installing Service Pack 1 for LDMS 9.5.

The Vulscan log files will show the scanner repeatedly downloading settings .XML files.

Cause:

This is due to a bug in code that is causing vulscan to loop continuously when installing a patch calls for a reboot, but a reboot is not allowed due to the Scan and Repair or Agent settings.

This issue will only occur when the following conditions are met:

1. The client computer has pending continue tasks
   

   (This is visible in the registry under HKLM\Software\LANDesk\ManagementSuite\WinClient\Vulscan\Continue)
   (It is also written into the local scheduler as a task)

2. Scan and Repair Settings or Agent Settings are set to (Never Reboot)
3. A reboot is actually needed.
4. Vulscan /continue gets launched (usually from local scheduler).

Vulscan will loop indefinitely attempting to trigger the reboot.  A reboot of the client will fix this condition if the patch has been applied to the core.

If a reboot is not possible, terminating the existing Vulscan process will be necessary to allow the client to download the updated vulscan.dll file.

Taskkill or PSKill can be used to terminate the running process.

Resolution:

Install the latest service pack.

Client computers will then automatically update to the new vulscan.dll file the next time a Security and Compliance scan is run.