Issue:

After installing a patch, computer(s) are still showing as vulnerable and that the associated patch is installed.

In other words, it is showing that a patch is installed and also that the patch is missing.

Cause:

This is due to the fact that many patches require a reboot to finish writing files that were in use at the time of the patch installation.

If these patches were manually being installed, the user would be presented with a dialog informing them that the patch requires a reboot, typically giving the option "Do not restart now" or other similar options.   Operations that are waiting for a reboot are typically written to the registry at HKLM\SYSTEM\CurrentControl\Set\Control\Session Manager\PendingFileRenameOperations.

Resolution:

Reboot the computer and run another vulnerability scan.

If the information is still incorrect after a reboot, the data may not have synchronized correctly.

Running the following commands on the client may resolve this situation:

vulscan /clear

vulscan /reset

This will reset the complete patch information on the client as well as in the database.

After this, schedule a "normal" vulscan.

This is the equivalent of forcing an Inventory Scan to run in a "/SYNC" mode.

Further information:

The detection logic for vulnerability definitions often relies on file version or file existence to determine if a computer is vulnerable.

In the following example, the vulnerability definition for MS08-067 will be used.   These screens are opened by right-clicking the MS08-067 vulnerability definition and selecting "Properties" and then right-clicking the Detection Rule called "WindowsXP-KB958644-x86-ENU.exe".

We will focus on three sections: "Detection Logic - Files", Patch Information", and "Detecting the Patch - Registry Settings".

Determining a computer is vulnerable

In our example, the vulnerability definition for MS08-67 uses File Version to determine if the computer is vulnerable.   In the screenshot below if the file version for file %WINDIR%\System32\netapi32.dll is below 5.1.2600.3462 the computer is deemed vulnerable.

Does the patch require a reboot?

Typically, the vulnerability definition will show whether the patch requires a reboot or not.  This is listed in the "Patch Information" section of the vulnerability definition:

Many patches require a reboot before all files can be written to the disk.   However, these reboot options will be ignored if the Scan and Repair settings are set to "Never Reboot", or if the checkbox for "Security and Patch Scan - Global Settings - Never Reboot" in the Agent Configuration is checked.

Determining if the patch is installed

To determine if the patch is installed, in this instance the vulnerability detection logic checks for the existence of the following Registry key:

We are showing Microsoft patch MS15-025_MSU (Severity is Important/high) that is needed on two of our Windows 2012 Servers. When we apply the patch via LANDesk it fails repeatedly with error code 412 (which doesn't tell you anything).

I copied the patch from the Core Server and ran it on one of server manually. It comes back immediately and says "This patch does not apply."

I could move this patch to Do Not Scan but because its rating is Important/High I hate to do that because it might be needed on a future machine we build.

Any advice on what to do?

Applies to LANDESK Management Suite 9.0 SP3, SP4

Issue

• Vulnerabilities keep getting detected on computers and the patch will not install

• Patches are stuck in loop continually trying to install on the clients

• Security Scans (VULSCAN.EXE) takes a long time to run

• How to setup LANDesk to automatically maintain patch content for the Core Server
• How to automate the handling of superseded vulnerabilities

   

Solution

Follow the instructions in the attached document LD90SP3MaintainPatch.

ssue:

Patches failing to download with the message "Skipping old or disabled patch" and the rule is not disabled.

Cause:

The vulnerability publish date is older than the number of days specified in the setting "Also delete patches for undetected rules in definitions published more than xxx days ago" on the Patch Location tab of the Download Updates window and this option is enabled and the patch is not currently detected on any computers.

Solution:

If the patch is ever detected on a client then the patch can be downloaded.

Unchecking the option "Also delete patches for undetected rules in definitions published more than xxx days ago" on the Patch Location tab of the Download Updates window will allow the patch to be downloaded.

On LD 9.6 SP1 client I'm seeing issues with ISSUSER.exe running at 100% of one core and sometimes faulting.

Once suggestion was to replace the jscript.v55 file, but that has not resolved the issue.

Looking at the application errors  in the diagnostic data in inventory I'm seeing the following

So it appears the LIBEAY32MT.dll is where it's faulting at with an exception code of c0000005

Any advice?

Heyho,

I am running in some kind of strange problem here and maybe you can help me.

We have a software that needs its updates to be installed fast and should not interrupt and/or install itself while the old version is running.

The idea was to deploy the .msi file and start installation after next reboot.

Since landesk seems not to be able to check for the boot sequence my choice was the policy supported push method called "Install at next login".

Now the problem: Depending on the settings (see below) the software installs immediatley or does not install at all.

I had no chance to create the wanted delay yet.

I can just guess that I am doing something wrong?

The delivery methods are marked as "(pre 9.60) settings. Are settings within the policies (in some cases) ignored now?

Would not make much sense imho, but asking wont hurt.

I also found some options within the agent settings.

For example at Distrribution-only settings -> When user chooses to defer package installation -> defer until next logon.

However it seems you can not define an automatic delay here.

Edit:

I just read within the configuration that delivery methods do not apply to base agents with v9.60 or higher.

That explaines a lot.

But in this case I have no clue how to shedule an automatic delay until next reboot or login in 9.60.

Usage of RunOnce registry keys makes no sense since they work for administrators only.

Applies to LANDesk Management Suite 9.0 (LDMS 9.5 not affected)

Description

You have made modifications to the Patch Download Properties.  When you go back in later on, you find that the properties you have set (like the Patch Download location) have reverted back to defaults.

Cause

This issue is mainly caused by a loss of connection with the database when vaminer runs on the core to download patch/Antivirus content

Another possible cause is that the database was migrated from an older version of LANDesk Management Suite that has a smaller nvarchar size for the storage of the patch settings in the database.

Resolution

1. Make a full backup of the database
2. Open SQL Server Management Studio, connect to the RDBMS where the LANDesk database is located  and click the New Query button
3. Select the LANDesk database from the drop-down list
4. Run the following query against the LANDesk database:

SET ANSI_NULLS ON GO SET QUOTED_IDENTIFIER ON GO Drop table [dbo].[PatchSettings] GO CREATE TABLE [dbo].[PatchSettings]( [PatchSettings_Idn] [int] IDENTITY(1,1) NOT NULL, [Name] [nvarchar](255) NULL, [Value] [nvarchar](MAX) NULL, CONSTRAINT [XPKPatchSettings] PRIMARY KEY CLUSTERED ( [PatchSettings_Idn] ASC )WITH (PAD_INDEX  = OFF, STATISTICS_NORECOMPUTE  = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS  = ON, ALLOW_PAGE_LOCKS  = ON) ON [PRIMARY] ) ON [PRIMARY] GO

After making this change, go into the Download Updates tool and and make sure the settings on all tabs are as desired, and click OK to save the options.

To prevent this from happening a "failover" system can be used for when the connection to the database is not available when vaminer runs. In LANDesk Management Suite 9 these patch settings are stored in the database, and a "hard-copy" file is not present or normally used. However, if you setup a file with the correct information and set it to read only, the core will not remove it and will use it when database connectivity is lost.

1. Set up the Download settings how you want and then click OK to save the settings.
   
   
   
   
2. Open the Database and go to the PatchSettings table
3. Find the row with the Name column set to patchsources.xml.  (usually the first row)
   
   
   
   
4. Copy the contents of the Value column for this row.  (Contents will be an xml document)
   
   
   
   
5. Copy the contents to a text file and save it as PatchSourcesA.xml
   
   
   
   
6. Move the file to the \\Core\LDMain\ (\LANDesk\ManagementSuite\) folder on your core.
7. Right click on the file and select Properties.
8. Set the File to be Read Only and Click OK.
9. Rename the file to PatchSources.xml
   
   

How often does LANDESK release 3rd Party vulnerability content?

The patch content team has a monitor tool that monitors all 3rd party content twice a day.

When it finds an update for the 3rd party the patch content team is notified and work begins on the definition content.

Typically release of the content definition will be within 24 hours of the group receiving the notification.

If the update is not critical it may take more time if they are released on a weekend or on a public holiday.

Where does the LANDesk patch executable content come from?

LANDesk downloads the patch executables it deploys from the vendors’ web sites.

What vendor sites are used for downloading patches?

This list can be updated  daily (depending on vendor and patch availability)

The following article details the complete list, and is accurate to the date on the filename of the .XLS file:

http://community.landesk.com/support/docs/DOC-1594

How can I see what download paths patches are coming from?

A current detailed list of URL's can be obtained by running a simple database query:

"select url from patch" without quotes

The following article details the complete list of URL's, and is accurate to the date on the filename of the .XLS file:

http://community.landesk.com/support/docs/DOC-9638

Most of the patches are downloaded with HTTP:// with a small number coming from FTP://

What is LANDesk’s Process for downloading Content through Security and Patch Manager?

• LANDesk receives notification of a Patch

• LANDesk will download the patches from the application vendor’s site.

• LANDesk does not validate or test patches published by a third party vendor. It is the responsibility of the third party vendor to maintain the validity of the patches published on their websites.

• LANDesk hashes the "official" patch made available by the vendor.

• The file hash is to ensure that the patch downloaded from the vendor is the same file provided for remediation. This insures that the patch is authentic and has not been modified for malicious reasons or otherwise.

• LANDesk creates vulnerability information including detection, install and uninstall commands, and the patch download location.

• The Vulnerability Information is published to the Secure LANDesk content server.

What process does the LANDesk Core Server follow when downloading Patch Content?

• Vaminer.exe connects to the selected secure LANDesk content server (West coast, East Coast, EMEA).
• Connection to secure site is verified through a secure certificate.
• Vulnerability definition information is downloaded directly from Content servers e.g. patch.landesk.com.
• Patches are downloaded directly from the vendor’s site (with redundancy falling back to the LANDesk content servers for certain patches – (see the next question for more details) provided that the file's hash matches the hash created when LANDesk created the content.

Does LANDesk mirror ALL patches specified in vulnerability content?

Most if not all Microsoft patches are hosted on the LANDesk content servers. There are some Mac patches that are also hosted, usually large file downloads. The hosting of these patches provides a limited backup of the most accessed patches from these two main vendors. Some patch content cannot be legally hosted on the patch content servers and require they be downloaded directly from the vendor's web site (e.g. Adobe, Java). These files, however, are still hashed in the LANDesk vulnerability to provide the same level of file authenticity as files hosted on the content server.

This video shows you how to leverage the download updates tool to help you automate the sorting and organization of your downloaded patches.

If this video has been helpful, please like or leave a comment.

Hello All,

I am having a problem with a big percentage of our servers being patched with Landesk. When the Landesk client issues a reboot (if required for patching), when the server comes back up, we get "The previous system shutdown was unexpected" messages.

Anybody else noticing this problem? Core is 9.5 SP1.

Thanks

This article describes how to change the default Distribution and Patch settings.

Distribution and Patch Settings

How to locate and modify the Distribution and Patch Settings:

1. Open the LANDESK Management Suite console on either the core server or on a remote console.
2. Select Tools | Security and Compliance | Agent Settings
3. Under Agent Settings  you will select "Distribution and Patch" under "My agent settings" or "Public agent settings" depending on whether you want to create the setting for only you to Manage or if you want it to be accessible to others with the correct RBA rights.
4. Either modify an existing setting in the right hand pane, or right-click the right-hand pane and select "New"

Changes made to a setting that is already set as the default will automatically take affect on the computers next Security Scan. This is the simplest way to globally update your agents with new Settings.

If you would like to change a specific computer or a group of computers settings you will have to create a new setting and then push that change out.

After creating a new Setting you can use a "Change Settings" task to change the default settings on computers.

Change Settings Task

1. Open the LANDESK Management Suite console on either the core server or on a remote console.
2. Select Tools | Security and Compliance | Agent Settings
3. Click Create a Task and select Change Settings.
   
4. Give the task a name and select whether you want it to be a Scheduled Task or a policy.
5. Click on "Keep agent's current settings" to bring up a drop down menu of available settings.
6. Select the new setting.
   
7. Click "Save".
8. Add computers to the task and run it.

Does anybody know where I can find the firmware updates for the Surface Pro 3 in Patch Management?

• • Details
  • Log Locations
  • Cannot connect to LANDESK Patch Content servers and/or vendor patch download locations
  • Vulnerability content category not showing up in the Download Updates window
  • A particular vendor's updates fail to download
  • Error when downloading content "Hash for patch does not match with host. Discarding."
  • Error: "Waiting for file lock" when downloading patch content
  • How to exclude scanning of patches from a certain vendor
  • How to change the default patch download location
  • Error: "Object does not match the specified SHA-256" hash
  • Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager

Details

This document details common patch content download issues and the troubleshooting steps involved in troubleshooting and resolving the issue.

Log Locations

Patch content download activity is logged to the following log files on the core server:

\Program Files\LANDESK\ManagementSuite\log\console.exe.log

\Program Files\LANDESK\ManagementSuite\log\vaminer.log

\Program Files\LANDESK\ManagementSuite\log\vaminer.details.log

Antivirus content downloads are also logged in the following log files:

\Program Files\LANDESK\ManagementSuite\log\getbases.exe.log

\Program Files\LANDESK\ManagementSuite\log\updatevirusdefinitions.exe.log

Cannot connect to LANDESK Patch Content servers and/or vendor patch download locations

There are three different patch content servers:

• US West Coast (patch.LANDESK.com)
• US East Coast (patchec.LANDESK.com)
• EMEA (patchemea.LANDESK.com)

DNS on the core server must be able to resolve these host names.
In addition the LANDESK core server will contact the following addresses:

• community.LANDESK.com
• cswebtools.LANDESK.com
• licensing.LANDESK.com
• Various vendor patch URL's as detailed in this article.

If using LANDESK Antivirus, the following URL's will be used for pattern file downloads:

• Downloads-us##.kaspersky-labs.com
• dnl-##.geo.kaspersky.com
• Downloads#.kaspersky-labs.com

The following ports need to be allowed to the core server:

• Port 80 (for access to patch download URL's)
• Port 21 (for access to patch downloads from FTP sources)
• Port 443 (for secure HTTPS access to the patch content servers)

Check the proxy configuration and credentials within the Proxy tab of the Download Updates section of the Patch and Compliance tool.

• Is it set to use a proxy server?
• Does your environment require a proxy server?
• Is the proxy server address correct?  (Can the core server reach the IP, server name or FQDN?)
• Is the port correct for what the proxy server is configured to use?
• Is this an HTTP based proxy?
• Does it require login credentials?

If it does require login credentials which format does it require?

    - DOMAIN\username

    - username

      - username@domain.com

Note: Some proxy servers require authentication protocols not supported by LANDESK (such as NTLMv2, etc)

Vulnerability content category not showing up in the Download Updates window

The following steps should be followed:

1. From the Start menu on the core server go to All Programs --> LANDESK --> and run "Core Server Activation"
2. Within the "Activate LANDESK Core Server" utility click on "Licenses"
3. Compare the licenses listed with your licensing agreement.  Are any expired?  Do you have all of the licenses you expect to have?
4. Reactivate the core server by clicking on "Activate"

If anything is missing, incorrect (such as product version is wrong), or shows as expired you should reactivate your core server.

From within the Core Server Activation Tool, make sure the Contact Name and Password are correct, and click "Activate".

If you have reactivated and the information still does not appear correct, contact LANDESK Support to investigate further.  If either is expired, contact your Sales Representative or the Licensing Queue at LANDESK Support for further assistance.  This can be done through the Self Service Portal or via Telephone.

A screenshot of the Licensing screen from the Core Activation Utility would be advised to give to LANDESK Support.

A particular vendor's updates fail to download

If a particular vendor's updates fail to download (for example Adobe, Java, etc), this is most likely due to a proxy or other internet appliance configuration.

The proxy or internet appliance must be configured to allow the core server access to various vendor download sites, both on HTTP and FTP.

For a complete list of the URL's used by LANDESK patch content, consult this article.

Error when downloading content "Hash for patch does not match with host. Discarding."

See article Error when downloading content "Hash for patch does not match with host. Discarding."

Error: "Waiting for file lock" when downloading patch content

"Waiting for file lock" error when downloading patch content

When this error occurs, there is likely another update process that is still taking place, possibly from a scheduled task, or a previous download process has hung.

Another possible cause is another user logged into the core server using Remote Desktop in a separate session.

Typically closing and reopening the Managementsuite console will resolve this error.

If a Remote Desktop session is not being used or is being used in an Admin Session, and the Core Server has been rebooted and the error still does not go away, it is possible that there is a lock entry in the database that needs to be cleared.

Within SQL Management Studio, connect to the Management Suite database, open the Query Tool, and do the following:

select * from PatchSettings where Name like '%LOCK.UpdVulnLock%'

If entries as pictured below are returned, those rows should be deleted:

In order to delete the rows, run the following query:

delete from patchsettings where Name like '%LOCK.UpdVulnLock%'

How to exclude scanning of patches from a certain vendor

For patches that are already in the Scan folder that are from the vendor you wish to exclude:

1. In the "Find" section put in the name of the vendor you wish to exclude and then under "In column" select "Vendor"

2. Select all of the vendor patches that show as a result of the search, and then drag them into the "Do Not Scan" folder.

To automatically assign the unwanted vendor patches to the "Do not scan" folder as they are downloaded:

1. Click the "Download updates" tool. (Yellow diamond with black down arrow).
2. Under "Definition Grouping" click the "Definition group settings" button. 
  (Note, the definition grouping option is not available in SP2 or earlier, it is a feature added with the Patch Manager component patch)
3. Click "New" to define a new filter.
4. Select "Vulnerability" under "Definition Type" and "Any" under "Severity"
5. Under "Comparison" select "Vendor" and "equals" and put in the vendor name you wish to exclude.

Patch storage folder resetting back to defaults

See article Patch Download Settings - custom settings reverted back to original options

How to change the default patch download location

See articleHow to change the default Patch Location for Security and Patch Manager?

Error: "Object does not match the specified SHA-256" hash

When trying to download updates for definitions through Patch and Compliance Manager all patches and of the following errors is given:

"Object does not match the specified SHA-256 hash" or "Signature is not valid, failed to download platform information"

To resolve this, uncheck the box "Verify definition signatures/hashes before downloading" on the Content tab of the Download Updates window.

Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager

See article Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager

If there is an application update that you would like to see included in Patch Manager content you can submit a request to LANDESK support to have the content added.

A list of current Patch Manager content can be located here: Products and Applications available through LANDESK Security and Compliance content delivery.

To increase the chance of the content being added and the speed that it is added, collecting the following information for the Support case will be helpful.

1. Name of the application including version.
2. Name of the update.
3. Link to the update.
4. A short business justification for adding the content.

It is recommended to use the Support Portalto submit this information.

Note: The addition of new content is not guaranteed.  It is reviewed on a case-by-case basis.

Microsoft has ended support for Windows XP

LANDESK Software continues to support Windows XP as an LDMS client.

Supported Platforms and Compatibility Matrix for LANDESK Management Suite

The Microsoft Extended Hotfix Support Datasheet states the following:

──────────────────────────────────────────────────────────────────────────────

Article: Extended Hotfix Support Program

The Extended Support phase is the second phase of the Microsoft Support Lifecycle Policy. During this phase, security hotfixes are available free of charge; however, non-security hotfixes, warranty support, Software Assurance problem resolution support, and the ability to request design changes are not available.

The Extended Hotfix Support program provides customers with the opportunity to receive non-security hotfixes through the end of the Extended Support phase of the Microsoft Support Lifecycle.

──────────────────────────────────────────────────────────────────────────────

The following Microsoft article gives general information about the Windows XP end of life policy: Support for Windows XP has ended

In addition Microsoft has made a decision to extend to extend their Anti-malware support for Windows XP even further:

Microsoft Malware Protection Center - Support for XP

LANDESK Windows XP Extended Patch Program

Customers must meet the following requirements

• Own LANDESK Patch Manager
• Purchase extended Windows XP Support from Microsoft

LANDESK Deliverables to customers

LANDesk will provide the following to the customer:

• Content for each Windows XP SP3 patch the customer delivers to LANDESK.
• Upon receiving the required patches and bulletins, LANDESK will provide the customer with Windows XP patch content that can be imported into their Security and Compliance tool in LANDESK Management Suite.

Windows XP Patch Support Guidelines

The following applies to publicly released patches for Microsoft Windows XP:

Patches for bulletins related to security:

• Patch content will be released on the same cadence and supported release schedule as non-EOL Microsoft security bulletins (MS15-XX).

Patches for bulletins that are not related to security:

Question: What log files are used to troubleshooting vulnerability scan and repair jobs?

Answer:  Vulnerability scan and repair jobs are handled by vulscan.exe.  Every time vulscan.exe is ran it will create a vulscan.log file in

C:\ProgramData\landesk\log  ( Windows 7/8.1/Server 2008/Server 2012 )

C:\Documents and Settings\All Users\Application Data\landesk\log (Windows XP/Server 2003)

While the scan is running a log file is created and named after that process identifier (PID).  For example if the PID of the instance of vulscan that is running a scan on the computer is 640 then a Vulscan.PID_640.log file is created.  This log file would contain all of the information that is being logged as vulscan.exe is running.  Once vulscan.exe is done running the Vulscan.PID###.log file is renamed to vulscan.log. If a vulscan.log file already exist it will rename the current vulscan.log file to vulscan.1.log.  If vulscan.1.log already exist then it would rename the current vulscan.1.log to vulscan.2.log.  This process is repeated up to vulscan.5.log.  at which point the oldest log file is deleted.

These log files contain the status information that vulscan has generated.   They roll after reaching 10 logs deep.

Question:Why are there multiple versions of vulscan.exe running in Taskmanager?

Answer:There will always be 2 instances of vulscan.exe running when ever a vulnerability scan is running that is configured to show a user interface.  There may also be a instance of vulscan.exe running if vulscan is being launched from a local scheduler task.  To see what each version of vulscan is doing you can refer to the Vulscan.PID_###.log file for each Process ID.

Useful Troubleshooting Info 

• Pressing Alt + L when the vulnerability scan window is displayed will show you the current results for that scan.
• Typing "vulscan e" from a command line will open up the directory where the vulscan data files and settings are stored.   (C:\ProgramData\vulScan)
• In LDMS 9.6 and above typing "Vulscan log" will open the logs directory where most of the client logs are stored.   (C:\ProgramData\landesk\log)

Additional Log Files

The Statusdlg.log and Runstatus.log file are located in the same directory as the vulscan log files.

Statusdlg.log file

• Will exist if there are 2 versions of vulscan.exe runing at the same time.
• Shows information related to the current status of each job.
• Will keep up to 10 log files.

Runstatus.log

• Will be created anytime there is a "Do Now" task that is ran.
• Will keep up to 5 log files.

For further information about Vulscan log files and how to read them see the following article:

http://community.landesk.com/support/docs/DOC-2629

In the Inventory of a  Managed machine there are attributes for Last scan dates that represent the last time a computer scanned for Inventory or Security Items.

There are multiple Security data items:

Under the Agent Settings tool, Distribution and Patch settings --> Patch-Only Settings - Scan Options tab there are different options to scan for, "Type" or "Group". Scanning for a Group will not update any scan date field. Under the Type section the different check boxes that are selected or are able to be selected will determine the dates that are updated in the Inventory.