On LD 9.6 SP1 client I'm seeing issues with ISSUSER.exe running at 100% of one core and sometimes faulting.
Once suggestion was to replace the jscript.v55 file, but that has not resolved the issue.
Looking at the application errors in the diagnostic data in inventory I'm seeing the following
So it appears the LIBEAY32MT.dll is where it's faulting at with an exception code of c0000005
Any advice?
Anyone else have this problem? Patch won't download because has doesnt match what is being downloaded from adobe.com
Downloading sw_lic_slim_installer.exe (3710 KB)...
Hash for patch sw_lic_slim_installer.exe does not match with host. Discarding.
Hi,
did anyone went through this process? What are the proper steps? I did try to use MS script that should switch from Lync to Skype but didn't work. Using patch management I didn't find the way neither.
Thank you for hints.
This article explains the behavior of optional and recommended Patch Repair tasks as they relate to the LDMS Portal
.
When creating a patch repair task as a policy, and setting the task to be optional or recommended in the LDMS Portal, the task may:
When a patch repair task is set as a policy, and is made optional or recommended in the LDMS Portal, the following occurs:
If 'show one portal entry with the following title:' is selected, a single entry will be created in the portal which when ran will repair all detected patches.
Note: If no patches were found as missing, no items will be shown in the portal.
If 'show each definition seperately' is selected in the scheduled tasks properties, patches will be contained per definition within the portal.
Example: Definition MS15-020_MSU contains patch kb3039066 and kb3032323.
In our test scan, both of these patches were detected as missing, but since they belong to the same definition (MS15-020_MSU), only the definition is advertised in the portal.
Because vulscan checks patches listed for repair first, and only offers those needed through the portal for repair, policysync (refresh in the portal) is required to be ran a second time after vulscan finishes its scan.
Running policysync (refresh in the portal) prior to vulscan completing its scan will not populate any items in the portal.
If policysync (refresh in the portal) is not manually ran, it will be ran on its scheduled interval as defined in the agents settings.
After applying the below patch, all machines that this was applied to, lost their local file associations with PDFs and are unable to open PDF docs via IE or Chrome.
Running a repair Installation via Adobe DC (Reader) fixes the issue, but why is this causing this problem, and how do we fix this on a wide-scale? has anyone else encountered this problem?
Thanks!
LDMS 9.6 SP2
Overview: The ability to schedule and start a patch content download is limited to administrators. A non-administrator can schedule the download but they cannot start it.
Resolution: This is by the current design.
Hello:
We are running LANDesk 9.6 with SP2 on Windows Server 2012 R2. When we have tasks scheduled and those tasks run, it logs an error in the Event Viewer. The error that is logged is "The Interaction Services Detection service terminated with the following error: Incorrect Function".
What do I need to do or how should I be scheduling these tasks, so that it does not try to start the Interactive Services Detection service wish is set to "manual" in Windows Services.
Thanks,
Gary Shadley
After scheduling a repair task or policy, clients complete with a status message of “Successful” a result of "No Patches Available"
This is caused by patches in the repair task not being detected as needed on the client. Patches can only be applied if the vulnerability definition being scanned for shows the computers as affected.
Typically this is because a security scan has not been run recently.
Alternatively, when repairing against a group of definitions in Security and Patch Manager, both the Scan and Repair take place during the repair job
──────────────────────────────────────────────────────────────────────────────
This issue can also be indicative of a failure for the Core Server to access the database to get the patch information. This is typically done through the GetAllPatches web call from client to core. The core then generates an XML that gets downloaded to the client that contains the data about the patches that need to be installed. Failures to parse the XML on the client can cause the issue as well.
──────────────────────────────────────────────────────────────────────────────
The following details this issue:
Getting errors in the vulscan log that reflect:
Warning: AddPatchesToPatchList - Failed to parse xml data or there were no patches 0x80004005
No patches found for vulnerability="Vulnerability ID". Returning PATCH_NO_PATCHES_AVAILABLE
Cause
This is due to an incompatible Vulscan.dll version causing the .XML data for the patch information to be parsed incorrectly.
After the Vulnerability Scanner has run on a client, it will report back the vulnerabilities found to the server. If autofix is enabled, or the vulscan task is a repair job, it will also request the corresponding patch details from the core server.
An .XML file containing the patch data will then be downloaded to the client.
Typically this .XML file will have a name like the following:
If repairing against a group: GetPatchesForGroup.CoreNameAndRevision.patchlist.xml
If repairing a particular vulnerability: GetPatchesForVulnerability.PatchName.CoreNameAndRevision.patchlist.xml
The client then attempts to parse this XML and pass the information over to the Software Distribution portion of the repair process.
Resolution
Check the Vulscan.dll version on the core in your LDLogon directory. If the DLL version is does not match what should exist due to your current patch level, manually copy the vulscan.dll from the service pack install or component patch and see if this resolves the issue.
I have pushed the agent to new machines ,I am not getting any error .
I patch a server a server yesterday with roughly 40 Microsoft updates.
All were downloaded prior to the job.
Patch 34 patched just fine and I verified this on the server, but the Task in the Management Console shows All Patches Failed- Error 412.
This cannot be, but there it is as plain as day.
how can I achieve accurate results. is there a report I can run that show all the patches applied and failed patches?
Thanks in advance
Dave
Log file...
Running patch windows-kb890830-x64-v5.27.exe
Installing patch 34 out of 34 patches
Contacting server...
Contacting server...
Done
Running post-install/uninstall script
Sending previous action history to core
Contacting server...
Done
Sending status to core
...
http://192.168.46.134/LDLogon/patch/ie10-windows6.1-kb3087985-x64.msu
Failed
Failed: Could not download http://192.168.46.134/LDLogon/patch/ie10-windows6.1-kb3087985-x64.msu
Running pre-install/uninstall script
Running post-install/uninstall script
Sending previous action history to core
Contacting server...
Done
Sending status to core
| The following article applies to a version of the product that is no longer officially supported |
| Latest information on this topic: | How to manage replaced (superceded) patches in Security and Compliance Manager |
|---|
Applies to LANDESK Management Suite 9.0 Service Pack 2 and earlier
LANDesk provides a large number of vulnerability definitions for a large number of products going back quite some time. Because newer patches sometimes replace older patches, LANDesk provides this information as part of the definition. When a newer patch or vulnerability becomes available, the previous version will be marked as replaced, either partially or completely. This information can be used to improve the performance of Security Scans on client machines as well as provide more accurate information about the vulnerability status of machines. Some other symptoms that are seen and can be resolved include:
While this process will not resolve all cases with the above symptoms, it can resolve some issues. It is recommended that all customers review this information to help keep the Patch Content up-to-date.
Vulnerabilities keep getting detected on computers and the patch will not install
Patches are stuck in loop continually trying to install on the clients
Security Scans (VULSCAN.EXE) takes a long time to run
The general overview of the steps required is outlined below. Continue reading for more detailed information, or select the step in question for more details.
The Download Updates tool is accessed from the Patch and Compliance window.
LANDesk® Management Suite 8.8
To get to the Download Updates tool, select Tools > Security > Security and Patch Manager. Then select the Download updates button from the toolbar. It is the first button on the left.
For more information about updating defintions see: Getting started with Patch Manager in LANDesk® Management Suite 8.8
LANDesk® Management Suite 9.0
To get to the Download Updates tool, select Tools > Security and Compliance > Patch and compliance. Then select the Download Updates button from the toolbar. It is the first button just to the right of the drop-down menus.
For more information about updating defintions see: Getting started with Patch Manager in LANDesk® Management Suite 9.0
After the Patch Content has downloaded, move any new vulnerabilities that should be scanned from the Unassigned folder to the Scan folder. Only put vulnerabilities in the Scan folder that should be scanned for on the computers to help speed up the security scans on clients.
There are 2 methods to complete this step. One is using a SQL query and the other is through the LANDesk Management Console. Only one of the options needs to be completed for this step.
For LANDesk® Management Suite 8.8, run the following SQL statement against the LANDesk database:
/* This Query will move vulnerabilites that have "All" in the "Replaced" column to the "Do Not Scan" folder. */ UPDATE Vulnerability SET Status = 0 WHERE Vulnerability_Idn in ( SELECT Vulnerability_Idn FROM Vulnerability WHERE SupercededState = 2 AND Status != 0 )
For LANDesk® Management Suite 9.0, run the following SQL statements against the LANDesk database:
/* This Query will move vulnerabilites that have "All" in the "Replaced" column to the "Do Not Scan" folder. */ INSERT INTO PatchTask (TaskType, RequestDate, param1, param3, message) SELECT 2, GETDATE(), Vul_ID, 'False','Remove scan status for vulid: '+ Vul_ID +' , patch' FROM Vulnerability WHERE SupercededState = 2 AND Status != 0 UPDATE Vulnerability SET Status = 0 WHERE Vulnerability_Idn in ( SELECT Vulnerability_Idn FROM Vulnerability WHERE SupercededState = 2 and Status != 0 )
Note: The SQL statements have only been tested on Microsoft SQL server. They may require modifacation to run on Oracle. The SQL statements can be added to the database maintenance run by your DBMS so that they run on a regular basis. Contact your DBA for help with this.
If you use the SQL statement(s), continue to the next section titled "Verify only superseded vulnerabilities moved to Do not Scan".
For LANDesk® Management Suite 9.0, if the "Update dependent or prerequisite definitions as well" box comes up, click No.
For LANDesk® Management Suite 8.8, if the "Update dependent or prerequisite definitions as well" box comes up, click Yes.
Note: This assumes that no other vulnerabilities had already been moved to the Do Not Scan folder. If there were already definitions in the Do not Scan folder only move back definitions that may have been moved inadvertently.
Sometimes only part of a vulnerability will be replaced. For example, only the Windows XP part of the previous definition will be replaced by a newer definition. In this case, the Replaced column will indicate Some. In these cases, you can disable the scanning of each replaced detection fule inside the vulnerability
There are 2 methods to complete this step. One is using a SQL query and the other is through the LANDesk Management Console. Only one of the options needs to be completed for this step.
For LANDesk® Management Suite 8.8 and 9.0, run the following SQL statement against the LANDesk database:
/* This Query will disable individual detection rules if they have been superseeded and if the vulnerability they belong to has "Some" in the "Replaced" column. This only disables detection rules for vulnerabilities currently in the Scan Folder */ UPDATE Patch Set Ignore = 1 WHERE Patch_Idn IN ( SELECT p.Patch_Idn FROM Patch p, Vulnerability v WHERE p.Vulnerability_Idn = v.Vulnerability_Idn AND SupercededByVulID IS NOT NULL AND v.SupercededState = 1 AND v.Status NOT IN (0, 2) )
Note: The SQL statement has only been tested on Microsoft SQL server. It may require modifacation to run on Oracle. The SQL statement can be added to the database maintenance run by your DBMS so that it runs on a regular basis. Contact your DBA for help with this.
If you use the SQL statement, continue to the next section titled "Delete superseded vulnerabilities from custom groups".
Once you have moved all of the definitions that have been entirely replaced (All) to Do not Scan, some definitions will remain in the Scan folder that have been partially replaced. To deal with these, you can disable any superseded detection rules.
Now that superseded detection rules have been disabled, it is time to delete the superseded vulnerabilities from custom groups.
This tool will delete all patches from the patch folder for the Core Server that are not associated with a vulnerability in the Scan folder.
Note: Adding s to the commandline (deleteOldPatches.exe s) will make it run silently so that it can be scheduled. This tool is provided as-is without any warranty, express or implied and is not supported by LANDesk support. If patches are deleted inadvertantly, they can generally be re-downloaded using the Download Updates tool
Similar to this thread here: https://community.landesk.com/support/message/110694
This one deals with Patch Manager, but also seems to be a flaw in the way rights are assigned via RBA controls in LANDesk.
I'd like to allow users to create their own custom patch groups and drag and drop patch definitions into these groups. I assume that is the entire purpose of the "My custom groups" and also the "Team" Custom groups. However, there doesn't seem to be a way to assign a user to do this, without also granting them access to edit the main Scan, Do Not Scan, Unassigned groups, which also grants them the rights to delete patches (LANDesk provided and custom created ones).
Am I overlooking something here?
The only thing I have seen work, and I can only assume this is an unintended side effect, is if a user tries to patch >25 patches in one job, the console will prompt them to create a new repair group. This lets them create a new patch group under "My custom groups" but they still can't edit it after the fact.
I'm wondering if anyone else is seeing odd behaviour regarding "Replaced" patches.
For example:
Google Chrome
I currently have patches listed from 43.0.2357.130 thru 44.0.2403.107.
There are 10 patches in total, each an increment in version #. Each patch is listed as "Replaced by" the patch ahead of it.
However, nothing shows up in the "Replaced" folder under Scan.
I would expect that these "replaced" patches would be filtered into that folder so that I can disable scanning for them.
This makes me wonder if these Chrome patches have a dependence on previous patches or if my LDMS just stopped working properly in this regard.
Thanks.
-Brendan
Hi ,
I am planning to deploy IE 11 in the workstations ( Windows 7 SP1 Machines )
I do not have a package for IE 11 . Can you help me how to download and push it from LANDESK
Landesk 9.6 SP2, this used to work just fine but it was maybe after an update that it stopped working? I'm not entirely sure. I can't connect using any of the patch servers. Small part of the error log below. Note that I can navigate to the file in IE and download it just fine. Same error for every single file it tries to download
06/12/2015 06:00:34 INFO 17552:1 : Downloading Latitude_E6400.xml (0 KB)...
06/12/2015 06:00:35 INFO 17552:LoadingPatchSources : GetStreamForPath http://downloads.dell.com/FOLDER02045533M/1/E6400-VISTA-A03-RW93N.CAB failed The underlying connection was closed: An unexpected error occurred on a receive.
06/12/2015 06:00:36 INFO 17552:LoadingPatchSources : GetStreamForPath http://downloads.dell.com/FOLDER02045533M/1/E6400-VISTA-A03-RW93N.CAB failed The underlying connection was closed: An unexpected error occurred on a receive.
06/12/2015 06:00:36 INFO 17552:1 : Failed to download file E6400-vista-A03-RW93N.CAB
06/12/2015 06:00:36 INFO 17552:1 : Connection to http://downloads.dell.com/FOLDER02045533M/1/E6400-VISTA-A03-RW93N.CAB failed. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Proxy settings: Not using a proxy server.
06/12/2015 06:00:36 INFO 17552:1 : Failed to download E6400-vista-A03-RW93N.CAB.
06/12/2015 06:00:36 INFO 17552:LoadingPatchSources : GetStreamForPath http://downloads.dell.com/FOLDER02067077M/1/E6400-XP-A09-R60F7.CAB failed The underlying connection was closed: An unexpected error occurred on a receive.
06/12/2015 06:00:37 INFO 17552:LoadingPatchSources : GetStreamForPath http://downloads.dell.com/FOLDER02067077M/1/E6400-XP-A09-R60F7.CAB failed The underlying connection was closed: An unexpected error occurred on a receive.
06/12/2015 06:00:37 INFO 17552:1 : Failed to download file E6400-xp-A09-R60F7.CAB
06/12/2015 06:00:37 INFO 17552:1 : Connection to http://downloads.dell.com/FOLDER02067077M/1/E6400-XP-A09-R60F7.CAB failed. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Proxy settings: Not using a proxy server.
I think this should be a simple one. I want to use a post repair script that lets the user know the repair has been completed.
I tried using a simple msgbox command but the vulscan log said I did not have rights to run that command.
How would I display a message to the user at the end of the repair? I am running 9.5 SP2.
Thank you.
- Kurt
Reviewed: 9/15/2015
By default, vulscan writes 7 logs to the ProgramData\Log folder and then begins overwriting existing logs to save disk space. In LDMS 9.6+ this controlled by a registry key and can be modified. For x64 clients the key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\LogOptions
For x86 the key is:
HKEY_LOCAL_MACHINE\SOFTWARE\landesk\managementsuite\LogOptions
In both cases, change the "maxbackups" value to the hex number of logs you would like to retain. Please note, this applies to vulscan logs as well as other logs. This can be changed manually or via script.
Hello.
Does anyone know if it's possible to increase the no. of vulscan log files that are stored on a device or is the limit of 11 hardcoded?
Thanks in advance.
Applies to LANDesk Management Suite 8.8 and LANDesk Managment Suite 9
By default, patches are downloaded and stored in the core servers LDLogon\Patch directory. It is often desirable to store the patches on a seperate server, such as a Preferred Package Server.
Check Enable anonymous access and apply the changes.
If you click Test settings when you are setting the patch location in the Security and Patch Manager Tool and you get the error "Failed to read test file from HTTP URL http://serverName/shareName/TestWritePatchData.txt" you have not enabled Anonymous access correctly (Steps 7 - 12).
If you click Test settings when you are setting the patch location in the Security and Patch Manager Tool and you get the error "Failed to write test file from HTTP URL http://serverName/shareName/TestWritePatchData.txt" the UNC share permissions have not been set correctly. The share permissions for the patch share should mimic the permissions assigned by default to the LDLogon share.
If you have moved the patch directory to a new server and receive an "HTTP Error 404 File or Directory not found" when attempting to download any files, open the IIS manager, right click the Web directory, choose properties, click the HTTP Headers tab, click MIME types..., and add .* All File Types to the MIME types. Now at the run line type iisreset and after IIS restarts the files should be available for download.
How to scan for a specific patch or group of patches.
In some situations it may becomes necessary to scan for a specific patch or group of patches.
Examples:
Note: We will be using JREJDKv8u31_Manual in the following examples.
Note: If you only want to scan for a patch, uncheck 'Enable autofix' to ensure autofix is turned off. If you want just this scan also repair the vulnerability, check the box 'Immediately install (repair) all applicable items'.
This will take precedence over Autofix settings, and will allow just patches that are found with this scan to be fixed.
In the event the scan needs to happen at a different date/time, or be recurring, it can be scheduled.
