Hello,
Some of my clients are reporting this issue (all are Windows 7 and all worked fine for years till now)... i have looked at the article with the same title written by Ivanti and all the ISS settings they ask to check are as they are supposed to be. Anything else i can try to figure this out? Again, out of the sudden 10 of 150 clients are exhibiting this behavior.
Thanks!
This document details common patch content download issues and the troubleshooting steps involved in troubleshooting and resolving the issue.
Check the proxy configuration and credentials within the Proxy tab of the Download Updates section of the Patch and Compliance tool.
If it does require login credentials which format does it require?
Typically the first thing that should be checked is the Proxy Configuration. If possible it is best to configure the Proxy Server to allow the Core to bypass it entirely.
The Proxy Information must be filled out in the Proxy tab within the Download Updates tool if a Proxy is to be used.
In addition, it may be necessary to configure the Proxy information within Internet Explorer: (Internet Options --> Connections tab --> Lan Settings --> Proxy Server)
Again, connectivity issues to the Ivanti Patch Servers are almost ALWAYS the issue. Proxies, Internet Caching appliances, etc are quite often to blame.
There are three different patch content servers, DNS on the core server must be able to resolve these hostnames.
DNS on the core server must be able to resolve these hostnames. Ideally *.landesk.com and *.shavlik.com should be reachable in both directions.
These URL's should be reachable by the core as well to make sure the certificates are kept up to date:
If using Ivanti Antivirus, the following URL's will be used for pattern file downloads:
[1-9] and [01-19] denote separate entries such as http://downloads1.kaspersky-labs.comand http://dnl-01.geo.kaspersky.com.
The following ports need to be allowed to the core server:
- DOMAIN\username
- username
The following steps should be followed:
If anything is missing, incorrect (such as product version is wrong), or shows as expired you should reactivate your core server.
From within the Core Server Activation Tool, make sure the Contact Name and Password are correct and click "Activate".
If you have reactivated and the information still does not appear correct, contact Ivanti Support to investigate further. If either is expired, contact your Sales Representative or the Licensing Queue at Ivanti Support for further assistance. This can be done through the Self Service Portal or via Telephone.
A screenshot of the Licensing screen from the Core Activation Utility would be advised to give to Ivanti Support.
If a particular vendor's updates fail to download (for example Adobe, Java, etc), this is most likely due to a proxy or other internet appliance configuration.
The proxy or Internet appliance must be configured to allow the core server access to various vendor download sites, both on HTTP and FTP.
For a complete list of the URL's used by Ivanti patch content, consult this article.
For patches that are already in the Scan folder that are from the vendor you wish to exclude:
To automatically assign the unwanted vendor patches to the "Do not scan" folder as they are downloaded:
See articlePatch Download Settings - custom settings reverted back to original options
See the article How to change the default Patch Location for Security and Patch Manager?
Security patch updates are generally available within a 48-hour window.
See article Error when downloading content "Hash for patch does not match with host. Discarding."
When this error occurs, there is likely another update process that is still taking place, possibly from a scheduled task, or a previous download process has hung.
Another possible cause is another user logged into the core server using Remote Desktop in a separate session.
Typically closing and reopening the Management Suite console will resolve this error.
If a Remote Desktop session is not being used or is being used in an Admin Session, and the Core Server has been rebooted and the error still does not go away, it is possible that there is a lock entry in the database that needs to be cleared.
Within SQL Management Studio, connect to the Management Suite database, open the Query Tool, and do the following:
select * from PatchSettings where Name like '%LOCK.UpdVulnLock%'
If entries, as pictured below, are returned, those rows should be deleted:
In order to delete the rows, run the following query:
delete from patchsettings where Name like '%LOCK.UpdVulnLock%'
When trying to download updates for definitions through Patch and Compliance Manager all patches and of the following errors is given:
"Object does not match the specified SHA-256 hash" or "Signature is not valid, failed to download platform information"
To resolve this, uncheck the box "Verify definition signatures/hashes before downloading" on the Content tab of the Download Updates window.
See article Error: "You have not specified a site from which to download updates" when downloading updates in Patch Manager
Hello!
We're having some frustrating behavior when trying to schedule repair tasks to push windows updates.
When we create these tasks, they default to policy supported push. We leave the frequency under Task Settings as Run Once, Check Ignore Subsequent requests. Under Schedule, Start now, Repeat every Day, Schedule devices that did not succeed.
In this case, we're seeing Successful devices go back to active randomly over the next few days, when no changes to patch groups were made.
We tried changing this task to push, same settings, but after 20 minutes or so, the task changes to Leave Unscheduled and it does not re-run next day.
Support has not been helpful on giving us a clear answer on if this is a bug or a mistake on our end, we havent found a concrete "best practice" for this method.
(Using 2017.3 SU3)
Any guidance?
I am attempting to convert an existing WSUS server patching strategy to LanDesk.
My current WSUS Server patching strategy has all approved patches downloaded to the server when available and then each server is part of an AD group telling it when its OK to start Automatic updates.
So we have AD group for say "Sunday - 2AM" and "Monday - 5AM" and servers are members of the groups accordingly.
So in LD I created a bunch of different Agent settings to match my AD patch groups and then I apply the appropriate agent setting to each server.
So now I have a test server with its Agent settings listing the maint windows from 6pm to 7pm each night.
I created a repair task and scheduled it to run once at 5pm. when the repair task runs at 5pm, it fails with a return code 491 - Some/All actions have been deferred until the next maintenance window.
I understand this message.
What I expect is that the patches have been downloaded to the server via the agent and then when its 6pm, the agent will start up and install the patches.
However, this is not happening and I'm not sure why?
Is it because I need to run the repair task during the maintenance window? or do I need to have Autofix somehow enabled?
Just not sure why its not doing what I expect it to do.
any insight would be appreciated.
Gather Historical Information crashes the LANDESK Console.
Gather Historical Information task is failing to run.
Following is in the GatherHistory.Details.Log file in the Managmentsuite\Log folder on the Core Server:
09/18/2014 15:12:18 INFO 13352:SaveTrendInfoForVulnerabilitiesAsync : Critical Exception: System.Data.OleDb.OleDbException (0x80040E31): Query timeout expired at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteNonQuery() at LANDesk.ManagementSuite.Database.Database.ExecuteNonQueryP(String sql, Int32 timeoutSeconds, Object[] parameters) at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql, Int32 timeoutSeconds, ArrayList oleDbParameters) at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql) at LANDesk.ManagementSuite.PatchBiz.PatchTrend.SaveTrendInfoForVulnerabilities(Int32 removeOldDataDays) at LANDesk.ManagementSuite.PatchManagement.ProgressForm. € () at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ThreadHelper.ThreadStart() Stack Trace: at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteNonQuery() at LANDesk.ManagementSuite.Database.Database.ExecuteNonQueryP(String sql, Int32 timeoutSeconds, Object[] parameters) at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql, Int32 timeoutSeconds, ArrayList oleDbParameters) at LANDesk.ManagementSuite.Database.Database.ExecuteNonQuery(String sql) at LANDesk.ManagementSuite.PatchBiz.PatchTrend.SaveTrendInfoForVulnerabilities(Int32 removeOldDataDays) at LANDesk.ManagementSuite.PatchManagement.ProgressForm. € () at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ThreadHelper.ThreadStart()
9.6 or 2016 Core Server:
HKLM\SOFTWARE\LANDesk\ManagementSuite\WinConsole
Create any registry keys that are missing. Set the value to 10000 decimal.
We are attempting to install Windows 10 1709 release. I have followed both steps to install using patching and provisioning, not having any luck. Both tasks fail. I have gone over these instructions multiple times and can not figure out what I am missing. All help is appreciated.
Re: anyone been able to push 1709 update to windows 10 in LANDesk?
2016.3 SU5 - I have 3 devices stuck in the Active queue of a scheduled task that was auto-generated by a rollout project. The devices failed because the core couldn't detect an agent. I did a "retry selected failed devices" when they went to the failed queue, which placed them back in the Active queue, but now they're stuck there and I can't find a way to retry them again? I found some of the LANDesk services were disabled on these, so after enabling them I can't find a way to retry them against the task? If I remove them from the task, and then drop them back in, they just sit in the Pending queue, even if I right-click the task and do any of the Start options, the devices just remain in Pending?
Overview:
Ivanti Patch and Compliance now provides support for Office 365 versions 2013 and 2016. Patch and Compliance administrators can now scan, detect, and remediate client devices that have Office 365 installed. For Office 365 version 2013, Ivanti leverages the Microsoft Office Deployment Tool to perform the remediation tasks for updating Office 2013 installations. For Office 365 version 2016, Ivanti has developed an Office Com API to perform remediation tasks for updating Office 2016 installations. Ivanti provides a utility (Office365Util.exe) for you to use to download the Office installation data and to check the hash for Office 2016 installation data. When the Office patches are downloaded, Ivanti Endpoint Manager will check the hash on the pertinent files to ensure validity.
Customers download the Office 365 vulnerability definitions, the O365Util.dll, and the Office365Util.exe from the Ivanti Global Host Content Server by downloading the latest Microsoft Windows Vulnerabilities.
| Download Updates (Microsoft Windows Vulnerabilities) | Updating Definitions (Office365Util.exe/O365Util.dll) |
|---|---|
 |  |
| Updating Definitions (MSO365)MSOFFICE 365 (Vul_Defs) | MSO365 (Vul_Defs) |
|---|---|
 |  |
Upon successful content download, an Office365Utility folder is created under the LDLogon share and will contain the Office365Util.exe file provided by Ivanti.
\\Core_Server\LDLogon\Office365Utility
This utility will allow you to select the specifics regarding the Office 365 product you are patching. Launch this utility directly from C:\Program Files\LANDesk\ManagementSuite\ldlogon\Office365Utility\ by double-clicking on Office365Utility.exe
(do not try to run it via the network share \\Core_Server\LDLogon\Office365Utility or \\localhost\LDlogon\Office365Utility as you will get an error).
The view provided below displays the available options inside of the Office365Util application (Ivanti Office 365 Utility for Patch and Compliance):
| Platforms | Deployment Tools |
|---|---|
 |  |
| Channels | Office 365 (2013) Product List View |
|---|---|
 |  |
In order to successfully patch Office 365, select which Office 365 patch product updates to download in order to support client remediation. After selecting the desired product updates from the Ivanti Office 365 Utility for Patch and Compliance application, click START.
The START action will do (2) things:
\\Core_Server\LDLogon\Office365Tool
The contents of this folder will contain the Deployment Tool Type (2016 or 2013) selected during the download and all relative installation data applicable to the options selected in the Ivanti Office 365 Utility for Patch and Compliance
application. The display below will outline the contents of both Deployments Tools (2016 and 2013).
If you have both 2016 and 2013 products in need of patching, the download has to be completed separately.
| Office365Tool | Deployment Tool Options |
|---|---|
 |  |
| 2016 Content | 2013 Content |
|---|---|
 |  |
2. Create an Office365 folder under the LDLogon\Patch share that contains the patch files(s):
\\Core_Server\LDLogon\Patch\Office365
Updated Office 365 patching is not designed to take advantage of our download technology. The client device will NOT download o365 patch files from a preferred server or peer device. The files will be retrieved from the default or non-default patch location.
This section is only applicable to those who have changed the default download location for patches. After downloading the Office 365 patch updates and installation data with the Ivanti Office 365 tool, the following SOURCE will be in the vulnerability definition:
Office 365 (2016)
httpSourcesURL="Core_Server/LDLogon/Patch/Office365/DeploymentToolType/Channel/Architecture"
Ex: httpSourcesURL=http://2016E/ldlogon/patch/office365/2016/current/x64
Office 365 (2013)
httpSourcesURL=http://Core_Server/LDLogon/Patch/Office365/DeploymentToolType
Ex: httpSourcesURL= http://2016E/ldlogon/patch/office365/2013
In order for the Patch Install Commands in the vulnerability definition to interpret the correct patch location, the Custom Variable will have to be set in every MSO365 vulnerability definition.
To do this open the properties on the definition and select the Custom Variables tab. By default the value specified will resolve to the default patch location.
You will need to explicitly set the value to reflect the location your patches reside.
The Patch Install Commands section of the definition utilizes a script that resolves the Custom Variable.
How to change the default Patch Location for Security and Patch Manager
Hello,
I am attempting to scan a Windows 10 1709 Machine with the Level 1 Computer CIS-CAT template applied to it. I am getting an error code 106 - Credentials invalid error after applying the policy.
Are there logs of what is happening behind the scenes when you scan a particular machine? If so, where can I review them? Patch for Windows Servers 9.3.0 build 4510
Thank you.
This document details the procedure for copying definitions from a "light core" (A core that is connected to outside networks) and a "Dark Core" (a core that is not connected to outside networks) This is often done for security purposes or lack of connectivity.
Note: Due to current changes to the Ivanti Patch and Compliance Definitions, the Dark Core will need to have period access to the internet. If you do not have periodic access to the internet, please follow only Step Six and then the steps in "Additional information for Dark Cores with no internet access"
This issue is being reviewed by our Development team and more communication will follow.
In order to download a complete set of data to transfer from the light core to the dark core, the database tables related to Patch Manager must be reset. This must occur on any core server that has previously downloaded patch data, otherwise, a complete set of data will not be downloaded.
This can be done on both core servers by doing the following:
On the Dark Network Core Server, you will need to have a location for the vulnerability XML files and a location for the actual patches themselves to be stored in. For ease of use, we recommend using the already created patch folder structure that is set up when you install Ivanti EPM. By default, patches are stored in the \Program files\LANDESK\ManagementSuite\LDLogon\patch folder. If a different location is desired this article can be used to set up the alternative location.
If patches have not been downloaded on the dark core previously the patch folder may not have been created and should be manually created.
(Vaminer.exe is the executable that runs to download content from the Ivanti patch content servers).
The first time this is run it will take quite a while as it will not only be downloading vulnerability definitions but also all patches. (Due to this you will need a large amount of storage space on the dark core server). This will download updates and store them to a to the patch directory. The default patch directory is \Program Files\LANDESK\ManagementSuite\LDLOGON\patch.
To verify further that this process has completed correctly, in \Program Files\LANDESK\Managementsuite\ldlogon\patch and it's subdirectories you should have .XML files that were generated by the Ivanti Content download to represent your vulnerability definitions. Do not change the folder structure or files.
Copy ENU_PatchSourcesXXX*.xml (Where XXX equals the current LDMS version) from \Program Files\LANDESK\ManagementSuite\LDMAIN to \Program Files\LANDESK\ManagementSuite\LDLOGON\PATCH on the source core. This step is necessary because Vaminer.exe (the program that is downloading the Patch Content) expects that file to be in that location. Again, this needs to match the version you are running: 9.5 (ENU_PatchSources95.xml), 9.6 (ENU_PatchSource96.xml, 2016.3 (ENU_PatchSources101.xml) and so on. Modification of the file is not necessary, it just needs to exist in that location.
(It has been noted that on LDMS 2017.3 SU3 the file has to be renamed from ENU_PatchSources1013.xml to ENU_PatchSources10132.xml)
In the \Program Files\LANDESK\ManagementSuite\LDMAIN folder there will be several files called ENU_PatchSources and then a numerical ending. These stand for the current and prior versions of LDMS. Choose the one that is the latest and matches your version on your core server.
For example: On a 2017.3 Core server you will likely see three ENU_PATCHSOURCESXXX files:
We would select ENU_PatchSources1013.xml as this corresponds to LDMS 2017.3 and begin editing it.
If your core is not running in the English language you will want to select the XML file that matches your language prefix (ESP, JPN, etc)
Modify the Enu_PatchSourcesXXX.xml as modeled below:
Line #3 in the .XML will contain ‘/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=’. Replace it with /ldlogon/Patch (or whatever directory you have defined as your patch storage directory).
Before:
PatchesSrcRelativePath>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=patches</PatchesSrcRelativePath>
<LDAVRelativePath>/kvirus-8.0/mirror</LDAVRelativePath>
<CVEMoreInfo>http://cve.mitre.org/cgi-bin/cvename.cgi?name=%CVE_ID%</CVEMoreInfo>
After:
<PatchesSrcRelativePath>\LDLOGON\PATCH</PatchesSrcRelativePath>
<LDAVRelativePath>/kvirus-8.0/mirror</LDAVRelativePath>
<CVEMoreInfo>http://cve.mitre.org/cgi-bin/cvename.cgi?name=%CVE_ID%</CVEMoreInfo>
If you are using content that will be manually copied to the core server, put the name of your Dark Core server. If there will be constant or periodic network connection between your light core and dark core, put the name of your light core here.
In the following section, you will select the definition download category that you want to download to the dark core and you will edit that entry in the .XML. We will replace the string that normally works with the Ivanti Patch server and replace it with a local path.
The following example is for the vulnerability definition category Windows Vulnerabilities Again, you will modify the path from the patch server location to a local directory. You also will add the tag <Enabled>true</enabled>. This is the same as ticking the checkbox next to the vulnerabilities category when bringing up the Download Updates tool.
Search for /LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=Windows2 the correct section by searching for "Windows2". Modify the section within the <URL> tags
The resulting line will be<URL>/LDLOGON/PATCH/Windows2</URL>.
You also will add the tag <Enabled>true</Enabled>. This is the same as ticking the checkbox next to the vulnerabilities category when bringing up the Download Updates tool. Without adding the <Enabled> tag you will need to select the categories every time Download Updates is opened.
When renaming these sections per component you wish to download, FILENAME=Windows2 will use the subdirectory name of "Windows2" under the Patch directory after you modify it. For example, if I wanted to change the source for Ivanti Data Analytics updates, you would search for that category by searching for just that - "LANDESK Data Analytics Updates".
You would then modify the <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=LDDA</URL> to <URL>/LDLOGON/PATCH/LDDA</URL>.
Before:
<Source><URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=LDDA</URL>
<Description>LANDESK Data Analytics Updates</Description>
<ShowInLDSM>true</ShowInLDSM>
<ShowInLSM>true</ShowInLSM>
</Source>
After:
<Source><URL>/LDLOGON/PATCH/LDDA</URL>
<Description>LANDESK Data Analytics Updates</Description>
<ShowInLDSM>true</ShowInLDSM>
<ShowInLSM>true</ShowInLSM>
<Enabled>true</Enabled>
</Source>
Once all of the edits have been made do a "Save as" and save it as "Patchsourcestemp.xml" and mark it as a read-only file. (Right-click, go to properties and check the box "Read Only")
After you have marked it as read-only, rename it to "patchsources.xml". Remember, all of this is taking place in the LDMAIN folder.
Step six: Import the vulnerability definitions into the "Dark Core"
If you are automating the copying of the vulnerability data from the light core to the dark core, ensure the following steps are taking place:
This should be done on an automated schedule so that these steps take place in sequence and that there is enough time for each step to complete before the next one starts.
STDeployerCore.log
2018-06-01T11:28:44.2093405Z 171c I Authenticode.cpp:134 Verifying signature of C:\Program Files\LANDesk\LDClient\sdmcache\jre-8u172-windows-i586_tw14468-39207.exe with CWinTrustVerifier
2018-06-01T11:29:03.2302424Z 171c E WinTrustVerifier.cpp:270 Certificate verification failed with error: -2146762748.
Vulscan.log
Fri, 01 Jun 2018 07:29:30 ReportRepairResult returned failure: Repair failed, patch still missing.
Fri, 01 Jun 2018 07:29:30 Message returned from repair script was Repair failed, patch still missing.
Fri, 01 Jun 2018 07:29:30 ERROR(RunVbScript) Failed to run command - 80004005
The OS is unable to verify the digital signature. The specific error is -2146762748 which is a Mircosoft error that translates to "The subject is not trusted for the specified action"
1) Update the Root Certificate on the client machine.
2) Usually you can get the cert needed from the Patch itself.
Right click>go to properties>Digital Signatures
Highlight the cert and click details, this will bring up the Digital Signature Details, click View Certificate
From there you can obtain the Certificate
Also click the certification path on the certificate properties, this will also idicate if you have all the neccessary intermediate certificates also
EMP 2017.X
I can't find the W10V1803 under our detected patches.
Is it listed under a different number?
Best.
Please read this disclaimer before using this tool: LANDESK Share IT Disclaimer
We created a GUI tool to simplify diagnostic scanning to troubleshoot patch scan issues.
The DPDTrace GUI interface requires .Net 2.0 or greater to work.
4. Choose Local to scan the local machine. The IP address or the Machine Name of the local machine will automatically populate.
5. Choose Remote to scan a remote machine. You will need to provide a valid Machine Name or IP Address to scan.
6. Enter a username with administrator access to the target machine.
a. The format must be DomainName\UserName or MachineName\UserName depending on how you are authenticating to the target machine.
7. Enter a valid Password. You can choose to un-check the Hide option if you wish to see your password for troubleshooting purposes.
OEM Version: (EPM Customers)
8. Choose the OEM scan engine version 9.3.2644 to be used during the scan.
Patch Type:
9. Choose Patch Type to be used during the scan.
a. We highly suggest leaving the defaults of Security Patches and Non-Security Patches selected unless a support tech requests a change.
10. Click Run to start the scan.
The DPDTrace GUI tool will automatically download the latest data files (WindowsPatchData.zip).
If your machine does not have internet connectivity or a proxy is blocking the downloads, you will need to manually download the data files and place them in the DataFiles folder in the extracted DPDTrace folder on the desktop.
11. You will see Command Prompt popups and popups for the Rename HF.Log utility during the scan process. Do not close either these.
12. All popup windows will close and a new popup will occur once the scan is complete. Click OK.
13. The scan diagnostic is complete and all of the trace logs, scan outputs and registry exports have been zipped to this folder: C:\Users\UserName\Desktop\DPDTrace\SendToSupport
a. The zip file will be named HFCLi_YearMonthDay.zip
14. Provide this zip files to support! If you have any issues attaching this zip to the case, please let the support tech know so they can provide you with more options.
A command line DPDTrace tool can be used by customers who cannot run this GUI version: DPDTrace command line logging tool used for patch detection issues
Error when downloading content "Hash for patch (Patch Name) does not match with host. Discarding."
You can also be getting the following errors:
For security purposes, each patch file referenced within a vulnerability definition contains a hash value to ensure that the file referenced is the authentic patch file.
After downloading the patch, if the patch does not match, Patch Manager will discard the file.
There are various causes that can contribute to this issue.
This issue occurs because the update contains a static URL for the vendor file. This means that the vendor uses the same URL for thier files and they only make the latest patch available to download.
Often this is seen with Adobe and Google Crome updates.
This is especially when getting the "Invalid XML file TOC_Product.xml" error.
In many environments, web caching appliances are in place. When Ivanti Patch and Compliance Manager attempts to download the file, the Internet caching appliance intercepts the request and incorrectly delivers an older version of the file. Once the file is downloaded on the Ivanti Core Server, the hash check fails.
In this instance, the cache for the particular failed file can be cleared on the Internet caching appliance, the entire cache can be cleared, or the Internet caching appliance can be configured to allow the core server to bypass caching.
Manually copying the file to the patch storage directory from a computer that bypasses the Internet caching appliance can verify that this is the issue.
It is VERY important to make SURE there is nothing blocking full internet access to the internet from the core server. We often have someone INSIST that the Proxy or Firewall is configured correctly only to find out later that something was still wrong. As soon as this is resolved the downloads work correctly.
If the Ivanti Patch Content has been changed since the last time patch content has been downloaded this error can occur.
Download patch content again. If the error still occurs, try downloading from a different patch content server (US West Coast, US East Coast, or Europe)
If the latest patch content is downloaded, there are no caching appliance is in the environment, the locally downloaded patch file has been deleted from the storage directory, and there is still a failure, the following SQL query can be run to force the content to download again.
This query changes the LANDESKRevision number to "0". When the core server compares revision numbers with the revision on the Ivanti patch content servers the version on the Ivanti patch content server will be higher, thus the content will download again:
UPDATE Vulnerability SET LANDESKrevision = 0 WHERE vul_id = 'definition name'
A more advanced variation on this is:
select * from VULNERABILITY where VUL_ID IN ('<vul_no1>', '<vul_no2>')
Update VULNERABILITY
set LANDESKREVISION=0 where vul_id in ('<vul_no1>', '<vul_no2>')
Parameters vul_no1 and vul_no2 can be set to the name of the definitions that are causing the issue or needs to be reset. You can create a list of definitions that have this issue
Examples of vul_no1: MS06-066 or MS07-050v2
It is recommended that you run the select statement first to ensure that the definition is present in the database.
If other steps fail, it is possible that the file has changed, and it is necessary for Ivanti to update the patch content.
It is possible that the vendor changed the contents of the file but kept the same filename, and Ivanti has not updated the related vulnerability definition yet. At times a vendor will make a change to a file but does not publish information regarding the change.
If this is the case, this download should fail regardless of the Core server attempting the download. This would be a global issue.
In this instance, contact Ivanti Support and request that the patch content be updated. An Ivanti technician can also verify the file download failure internally.
It can be difficult to determine if the hash does not match for patches that must be manually downloaded from the vendor. Typically these require going to the vendor web site, finding the correct file and version, renaming it to the unique filename specified in the rule for the definition, and placing it into the patch download folder.
Hello all,
I have a large number of PHYSICAL machines on network with VMWare Tools installed -- The VMWare Tools update through LANDesk does not work (actually, it can't work at all since VMWare Tools executables simply throw an error on physical machines)
So I tried to uninstall VMWare Tools via VMware Tools "setup.exe" /s /c on a test machine. As far as I can tell, VMWare Tools is removed completely -- I've run several inventory scans since, and Inventory doesnt show VMWare Tools under Add/Remove Programs or Software Products.
Nevertheless, VMWare Tools seems to be detected by vulscan, and it still attempts (and fails) to run the fix.
Can anyone provide any insight as to why it's still detecting?
| vulscan.log |
|---|
Thu, 10 May 2018 09:11:59 Patch is NOT installed Thu, 10 May 2018 09:11:59 Checking vulnerability VMWT-023_INTL, rule index 1 ('VMware-tools-10.2.5-8068406-x86_64_tw1206360.exe') Thu, 10 May 2018 09:11:59 Running product detection script Thu, 10 May 2018 09:11:59 Checking pre-requisite... Thu, 10 May 2018 09:11:59 filesDownloaded: True Thu, 10 May 2018 09:11:59 AlreadyScanned: True Thu, 10 May 2018 09:11:59 Detecting product... (ProductId 0: 16173, SP UID 6842: {00001aba-0001-0000-0000-000000000000}) Thu, 10 May 2018 09:11:59 Clearing status... Thu, 10 May 2018 09:11:59 Converted ProductId 16173 -> 16173 (int), SP UID {00001aba-0001-0000-0000-000000000000} Thu, 10 May 2018 09:11:59 Product NOT DETECTED: ProductId 0: 16173, SPUid 6842: {00001aba-0001-0000-0000-000000000000} Thu, 10 May 2018 09:11:59 Detected: False Thu, 10 May 2018 09:11:59 Running product detection script Thu, 10 May 2018 09:11:59 Checking pre-requisite... Thu, 10 May 2018 09:11:59 filesDownloaded: True Thu, 10 May 2018 09:11:59 AlreadyScanned: True Thu, 10 May 2018 09:11:59 Detecting product... (ProductId 0: 13820, SP UID 6378: {000018ea-0001-0000-0000-000000000000}) Thu, 10 May 2018 09:11:59 Clearing status... Thu, 10 May 2018 09:11:59 Converted ProductId 13820 -> 13820 (int), SP UID {000018ea-0001-0000-0000-000000000000} Thu, 10 May 2018 09:11:59 Product DETECTED: ProductId 0: 13820, SPUid 6378: {000018ea-0001-0000-0000-000000000000} Thu, 10 May 2018 09:11:59 Detected: True Thu, 10 May 2018 09:11:59 Running detection script Thu, 10 May 2018 09:11:59 Checking pre-requisite... Thu, 10 May 2018 09:11:59 filesDownloaded: True Thu, 10 May 2018 09:11:59 AlreadyScanned: True Thu, 10 May 2018 09:11:59 Checking detection... (PatchGuid: {0001d73c-0000-0000-0000-000000000000}, Lang: INTL) Thu, 10 May 2018 09:11:59 Clearing status... Thu, 10 May 2018 09:11:59 GetLanguageId: 'INTL' ==> Language Id: 0 Thu, 10 May 2018 09:11:59 Patch found 120636: {0001D73C-0000-0000-0000-000000000000} Thu, 10 May 2018 09:11:59 RegionId '0' belongs to Lang: INTL Thu, 10 May 2018 09:11:59 Missing patch found: BulletinName: VMWT-023, PatchId 120636: {0001D73C-0000-0000-0000-000000000000}, Lang: INTL, regionId: 0 Thu, 10 May 2018 09:11:59 ----------------- DETECTION RESULT ---------------------------- Thu, 10 May 2018 09:11:59 FileTestResult: Thu, 10 May 2018 09:11:59 C:\Program Files\VMware\VMware Tools\vmtools.dll Thu, 10 May 2018 09:11:59 [File version expected]: 10.2.5.3619 Thu, 10 May 2018 09:11:59 [File version found]: 10.0.5.520 Thu, 10 May 2018 09:11:59 [File test action]: [5]: Check existence - patch installed if the file exists Thu, 10 May 2018 09:11:59 m_Reason: 'C:\Program Files\VMware\VMware Tools\vmtools.dll' does not exist. Thu, 10 May 2018 09:11:59 [Patch file error]: 284035128 Thu, 10 May 2018 09:11:59 IsRegistryTestResultUsable: true Thu, 10 May 2018 09:11:59 --------------------------------------------------------------- Thu, 10 May 2018 09:11:59 Reason: 'C:\Program Files\VMware\VMware Tools\vmtools.dll' does not exist., Registry key 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6D158FDD-2E20-4C54-A271-4D2CE2C39905}' does not exist, Expected: 10.2.5.3619, Found: 10.0.5.520 Thu, 10 May 2018 09:11:59 Detected: True Thu, 10 May 2018 09:11:59 VMWT-023_INTL detected, removing it from scan filter Thu, 10 May 2018 09:11:59 VMWT-023_INTL detected Thu, 10 May 2018 09:11:59 VUL: 'VMWT-023_INTL' (VMware-tools-10.2.5-8068406-x86_64_tw1206360.exe) DETECTED. Reason ''C:\Program Files\VMware\VMware Tools\vmtools.dll' does not exist., Registry key 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6D158FDD-2E20-4C54-A271-4D2CE2C39905}' does not exist'. Expected '10.2.5.3619'. Found '10.0.5.520'. Patch required 'VMware-tools-10.2.5-8068406-x86_64_tw1206360.exe'.
Thu, 10 May 2018 09:11:59 Patch is NOT installed
|
Hi,
I have an Environment where initial configuration of Windows agent scan option was enabled with auto fix. Which normally take much more time when user run Security scan or policy run the Security scan on the Windows Machine.( Endpoint Manager 2017.x)
What is the impact if we disable auto fix on windows agent configuration settings?
1. Do I need to update all client with the latest installer or
2. I can just disable the option and create new client for new install or
3. Does it automatically detect of disable auto fix so it don't try auto fix when first time scan or consecutive scan?
This document describes the various switches that can be used on the command line to manipulate the vulscan behavior. It is recommended to use the different available settings (Distribution and Patch Settings, Reboot Settings, etc) to control the Vulscan behavior otherwise unintended consequences may result.
| Number | Type | Description | Example |
|---|---|---|---|
| 0 | Vulnerabilities | This category is for security-related releases by 3rd-party vendors such as Microsoft, For a detailed list of available content click here |  |
| 1 | Anti-Spyware | Definitions and engine updates for the Anti-spyware component within Security and Patch Manager (This differs from the Anti-virus component and is based on the Lavasoft engine and targets spyware and adware) |  |
| 2 | Security Threats | This differs from the Vulnerabilities category in that this is not to address vulnerabilities in vendor code, but simply facilitates configuration changes to tighten down security. |  |
| 3 | Ivanti Updates | Ivanti Patches and Service Updates (not including Ivanti Antivirus which is in category 8) |  |
| 4 | Custom Definitions | Custom-user made definitions, including custom definitions that have been imported. This will also include other definitions that have been cloned. |  |
| 5 | Blocked Apps | Includes both pre-configured content downloaded from Ivanti Content servers, and any custom blocked application content that has been created. Some of the Summary information in the blocked applications definitions are provided from http://www.sysinfo.org (Blocked application legal disclaimer) Click graphic for an example of these definitions: |  |
| 6 | Software Updates | Non-Security related updates for Intel, Ivanti, and Lenovo. (Click graphic for an example) |  |
| 7 | Drivers | This category includes Dell, HII, HP Client, and Lenovo definitions if they have been downloaded as part of the download updates process. |  |
| 8 | Antivirus | Downloads Ivanti Antivirus definitions, and if selected also downloads updates pattern files for both Ivanti Antivirus and 3rd party antivirus products |  |
| General | Description |
|---|---|
| /AgentBehavior=AgentBehaviorID | Points to the Distribution and Patch behavior to be used during scan and repair |
| /ShowUI | Shows the vulscan user interface during the scanning and/or repair operation (Note: you can press Alt-L while this window is active to show the current vulscan log) |
| /AllowUserCancelScan | Allow the user to cancel the scan or repair operation |
| /AutoCloseTimeout=Seconds | Changes the default amount of time the Vulscan UI stays open after the scan/repair operation is complete. (Default is 60 seconds) |
| /Group=GroupID | Specify the Custom group that should be scanned against. The custom Group ID can be found right clicking the group and looking at the Unique ID: section. |
| /Autofix=True or False |
| Repair | Description |
|---|---|
| /ob:RebootBehavior=<BehaviorIDName_vXXX> | References the Reboot Behavior to be used during the repair job. |
| /rebootwithui | Allows the vulscan GUI to appear during a reboot operation. Should be used in conjunction with /ob:rebootbehavior |
| /rebootifneeded | Checks whether a reboot is required or not, if /showui switch is used this can be viewed |
| VB Testing | Description |
|---|---|
| /scriptrepair=filename | VBScript file to be used during testing of a repair operation |
| /scriptdetect=filename | VBScript file to be used during testing of a detection operation |
| /customVarfile=filename | If the VBScript calls variables, they should be defined in this file |
| Disable | Description |
|---|---|
| /NoElevate | Do not elevate permissions during scanning or repair |
| /NoSleep | |
| /NoSync | |
| /NoUpdate | Do not update other files that vulscan typically updates during a scan operation. More information about the files that vulscan will automatically update |
| /NoSelfUpdate | Do not update vulscan.dll and vulscan.exe if the files are newer on the core. |
| /NoRepair |
| Data Files | Result | Example |
|---|---|---|
| /O=Filename (including full path)s | Send vulscan output to a file as specified in the command line rather than back to the server in the form of a SOAP response. (Click graphic for an example) |  |
| /Log=Filename (including full path) | Sends the vulscan log files to a different location than the default as specified. | |
| /Reset | Removes the client side settings and files (leaves log files intact if you want to delete the log files as well you can simply delete the ProgramData\Vulscan directory) | |
| /Clear or /ClearScanStatus | Will clear the scan and repair status for the client on the core server (blanks out the history) |
| Ivanti Endpoint Security related commands | Description |
|---|---|
| vulscan /installeps | Installs Ivanti Endpoint Security (use /showui to show progress) |
| vulscan /removeeps | Removes Ivanti Endpoint Security (use /showui to show progress) |
| vulscan /changesettings | Run this command to refresh any changes that have been made to the settings |
Ivanti Antivirus related commands
| Ivanti Antivirus related commands | Description |
|---|---|
| vulscan /removeoldav | Removes 3rd party antivirus solutions (Provided they are not password protected) |
| vulscan /removeav | Removes an already installed instance of Ivanti Antivirus |
| vulscan /installav | Install Ivanti Antivirus |
| vulscan av | Opens the Ivanti Antivirus logs directory (Typically C:\ProgramData\LANDESKAV |
| Vulscan configuration settings directory | Open logs folder | Open LDClient directory | Open Ivanti Antivirus logs folder |
|---|---|---|---|
| vulscan e - Opens the Vulscan Directory | vulscan l - Opens the current vulscan log (Or press "Alt-L" while the vulscan UI is showing) vulscan log (vulscan space log) opens the LANDESK logs directory | vulscan c | vulscan av |
| Switch | Description |
|---|---|
| /replicate | Triggers vulscan to do a content replication |
| /changesettings with /replicationbehavior=default | Tells vulscan which vulscan behavior to use. Default means to compute the behavior guid based on the computer idn. For example, if my computer idn is 1234, then I will try to download a behavior called “ReplicationBehavior_Replicator_1234.xml”. Vulscan will now consider itself a “replicator” and will try to update its copy of a replicationBehavior any time it runs, creating any local scheduler jobs as necessary. |
| /changesettings with /replicationbehavior=-2 | Will disable vulscan as a replicator, removing any local scheduler tasks regarding replication and causing vulscan to no longer attempt to get the latest replication behavior file. |
| /settingsIndex=NNN | You’ll see this commandline used by the local scheduler when it launches vulscan. This tells vulscan which group of settings to use to control its behavior as specified in the console’s UI. For each scheduled replication event that you specify, there will be a new “settingsIndex”. |
| /duration=NNN | The maximum duration that vulscan should do replication, in minutes. This will appear in the replication behavior file and not typically on the command line, but in the file, you’ll see something like “Duration_0”, or “Duration_1”, etc. The value after the underscore is the settings index number. When vulscan applies settings found in the behavior file and it sees that its settings Index value has been set, then it looks for any variables in the behavior file that ends with an underscore and that number (such as “Duration_0”). It strips off the underscore and number and sets the value internally. Therefore, anything you see in the behavior file that ends in the underscore can be passed on the commandline (and therefore take precedence over the behavior file settings). Many of the _NNN settings that are in the behavior file are regarding the local scheduler task that should be created. So vulscan only interprets those values when creating the local scheduled task that will later launch itself to do replication. |
2016.3 SU5: Why do some patches appear with the word "DETECT" in the name and why aren't they downloadable?
LDMS introduced SSL Validationfor Client Certificates when communicating with the core via Vulscan. This can sometimes cause errors when clients attempt to verify using the Client Certificates its been given.
This issue is often caused by those who have upgraded their core to 2016 from an older version, or a side-by-side installation with a database import.
Vulscan hangs on "Contacting Server..." and never proceeds:
In order to identify if Vulscan is failing due to Certificate issues, a number of items can be referenced/tested on the Core and Clients.
After this change has been made, attempt to run a vulscan on the client machine. If successful, then the issue is indeed involving Client/Core Certificates.
Note - Disabling Client Certificate Validation on the core is NOT meant to be a permanent change. Ivanti urges all users to keep the SSL Settings set to "Accept."
Logs under C:\inetpub\logs\LogFiles\W3SVC1 can be reviewed for HTTP status return codes when workstations attempt to contact WSVulnerabilityCore.
2016-08-26 19:23:34 10.25.26.50 POST /WSVulnerabilityCore/VulCore.asmx - 443 - 10.25.26.55 Microsoft-ATL-Native/11.00 403 16 2148204809 358 2016-08-26 19:23:34 10.25.26.50 POT /WSVulnerabilityCore/VulCore.asmx - 443 - 10.25.26.55 Microsoft-ATL-Native/11.00 403 16 2148204809 358 2016-08-26 19:23:34 10.25.26.50 POST /WSVulnerabilityCore/VulCore.asmx - 443 - 10.25.26.55 Microsoft-ATL-Native/11.00 403 16 2148204809 421 2016-08-26 19:23:34 10.25.26.50 POST /WSVulnerabilityCore/VulCore.asmx - 443 - 10.25.26.55 Microsoft-ATL-Native/11.00 403 16 2148204809 405
Things that can be derived from this information:
ProxyHost.log under C:\ProgramData\LANDesk\Log on the client will show errors when attempting to reach WSVulnerabilityCore.
2016-08-26 18:49:28(5144-148) proxyhost.exe:IsProcessSigned succeeded - returning: 1 2016-08-26 18:49:28(5144-148) proxyhost.exe:Made direct (non-proxy) connection to LDCORE2016:443 2016-08-26 18:49:28(5144-148) proxyhost.exe:Call UpdateCSAROIFile() with numberofDirectConnectSuccess = 1 numberofDirectConnectFailure = 0 csaName = bCsaSuccess = 1 2016-08-26 18:49:28(5144-148) proxyhost.exe:127.0.0.1:57652 Connection close 0 0 0 0 2016-08-26 18:49:28(5144-148) proxyhost.exe:127.0.0.1:57652 - - [26/Aug/2016:11:49:28 -0800] "POST http://LDCORE2016:443/WSVulnerabilityCore/VulCore.asmx HTTP/1.1" 403 651 469
As the resolution for this issue isn't reserved to one cause, a few things will need to be verified:
According to this Microsoft KB Article, any Non Self-Signed certificates installed in the Trusted Root Certification Authority certificate store on the IIS Server may cause an error when users attempt to authenticate when using a Client Certificate.
Non Self-Signed Certificates will show in the CertMgrtool as having different information in the "Issued To" and "Issued by" columns.
Note: Expired Certificates may also cause Client Certification issues; with the exception of Microsoft Required Root Certificates
You can easily determine if this folder contains any non self-signed certs with this PowerShell command:
Get-Childitem cert:LocalMachineroot -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\certlist.txt"
This command compares the "Issuer" property and the "Subject" property of each certificate in the store and then outputs details of certificates that do not meet the criteria of a self-signed certificate to c:\certlist.txt.
Remove any Non Self-Signed Certificates in the Trusted Root Certification Authority Folder, if found, and attempt running Vulscan again. If the issue persists, continue to next steps.
The certificates in the C:\Program Files\LANDesk\Shared Files\keys and/or C:\Program Files (x86)\LANDesk\Shared Files\keys need to be valid and not expired as well. You can double-click the .CRT and open the .0 file in notepad to verify the information:
If there are expired certificates in that folder, back them up and remove them from that folder, including any keys and .0 files associated with that cert.
The certificates on the clients will need to be checked in this issue. Certificate information on the client is stored under C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs.
In this directory, there are usually one to several ".0" certificates. Its possible one or many of these certificates are not trusted by the core, causing the issue. To verify each certificate:
If a ".0" certificate(s) is found to correspond to a LANDESK Trusted Certificate that does not exist within Trusted Root Certification Authority:
Attempt running Vulscan again. If all steps have been correctly followed, Vulscan should successfully verify with the core and begin scanning.
If the issue was found to be a client-side issue, a couple of more steps will need to be taken in order to fully resolve the situation. One of two options can be executed:
If a ".0" certificate was found on the client that didn't correlate with a trusted LANDESK Certificate on the core, its likely due to the client being managed in the past by a core that has since been decommissioned.
The LANDESK Certificate(s) from the old core can be imported into the Trusted Root Certification Authority on the core. This will enable the clients to validate with the core using their existing certificates, provided its the right certificate.
If for whatever reason this is not an option, move on to the next step.
Changes will have to be made to the LANDESK Agent Configuration in order to ensure that clients aren't attempting to connect to the core with Untrusted Certificates.
This is configured through the Client Connectivity Agent Settings on the Core under Configuration > Agent Settings > Client Connectivity.
Ensuring that the correctly configured Client Connectivity Settings are included in the Agent Configuration will ensure that all future agent installs will get the correct certificates.
There are a couple known methods to address the existing clients that already have the untrusted broker certificate on them:
Reinstall agent with updated Client Connectivity Settings
Use a script/batch file
The Default Web Site configured by the LANDESK install will utilize the LANDESK Secure Token Server SSL Certificate for the Site Binding within IIS. This is the recommended configuration.
To verify the SSL Certificate being utilized, open Internet Information Services (IIS) Manager and go to CoreName> Sites > Default Web Site.
From there, click Bindings.
This will bring up the Site Bindings window. Highlight port 443 and select Edit.
In the Edit Site Binding window, the SSL Certificate: dropdown will show the currently assigned binding. Click to expand the dropdown list and verify there aren't any Untrusted Certificates in the list.
Untrusted Certificates here pertains to SSL Certificates found in the Binding Dropdown list, but not found installed in the Trusted Root Certification Authority folder as detailed earlier in this document.
If there aren't any Untrusted Certificates found in the drop-down, the Site Bindings are good. No other work is needed here. If there are, a couple options are available.
This is the recommended resolution to this issue as it ensures simplicity and eliminates the possibility of old certificates becoming a problem again in the future.
Open Internet Information Services (IIS) Manager and select Corename. Under the IIS section, double-click Server Certificates.
Within the Server Certificates window, select the Untrusted Certficate(s) and click Remove and select Yes when prompted.
Run IISReset in an Administrator Command Prompt on the core and Re-attempt vulscan to verify the issue is resolved.
If a copy of the Untrusted Certificate shown IIS is available, it can be imported into the Trusted Root Certification Authority folder so it becomes Trusted.
LANDESK Certificates exist under C:\Program Files\LANDesk\Shared Files\keys on the core by default. They may have been moved to other directories by users for various reasons.
Right-click the currently Untrusted Certificate and select Install Certificate. Follow the configuration detailed below:
Re-attempt vulscan to verify the issue is resolved.
This article is regularly updated with information
Overview
The Ivanti EPMpatchengine allows binary updates through definition downloads. At times it is necessary to make changes to some of the binary files to remediate issues.
When changes are made to these binaries and they are published to the patch content servers they will automatically be downloaded to the core (during the next content sync initiated by the core). When the client next scans in, it will check to verify what version of these binaries it has compared to the version on the core server. If needed, these binaries will be downloaded to the client automatically using the standard download mechanism (i.e., utilizing the CSA and/or peers and preferred servers if configured).
We only make changes to these files if it is found necessary to correct a critical issue. Below lists the file(s) updated, the date, and the reason why the change was necessary.
We will update the list before every expected change to binaries. However, in some cases more urgent fixes are required, and in such cases, we will post the change to this list a short time after the release.
Updated Binaries
| File Updated | Date Updated | Description |
|---|---|---|
| Timberhlpr.dll | 02/13/2018 | To correct an issue where if a patch took more than a specified amount of time to install it would fail |
| Timberhlpr.dll | 06/07/2018 | To correct an issue where shared patches were downloaded multiple times |
