How to troubleshoot Patch Manager detection and remediation issues

Introduction

Ivanti Security and Compliance Manager enables you to remediate (repair) vulnerabilities on clients with the Ivanti agent installed.  There are several situations where this remediation will not complete, will detect improperly, otherwise does not act as desired.

Scope

The scope of this article is to walk through some of the basic troubleshooting steps to find why the Patch and Compliance scan is not working as desired.  It will cover troubleshooting install errors or corrupted installs that are being caused by the patch the vulnerability definition is attempting to remediate.

Assumptions

The clients also have the agent installed with the latest service update and are able to send inventory and vulnerability scans to the Core Server.

Logs and files and paths used in Troubleshooting

1. Vulscan.log
   a.. c:\ProgramData\Vulscan
   
2. 0_winxp_enu_########.xml –
       Client - ..\ldclient\sdmcache b. Core - \\\ldlogon\computervulnerability
3. MergedGetVulnerabilitiesoftype_X..xml
       C:\Program Data\Vulscan
4. SDMCache folder
       a. C:Program Files\LANDesk\LDClient\SDMCACHE (32-bit client)
       b. C:\Program Files (x86)\LANDESK\LDClient\SDMCACHE (64-bit client)

Vulscan Switches

• AgentBehavior=AgentBehaviorID
• /ShowUI
• /AllowUserCancelScan
• /AutoCloseTimeout=Seconds

/Scan=X, where X is the Type (listed below)\

• 0-Vulnerabilities
• 1-Spyware
• 2-Security Threats
• 3-Ivanti Updates
• 4-Custom Definitions
• 5-Blocked Apps
• 8-Antivirus

• /Group=GroupID /AutoFix=True or False

The Computer is being detected vulnerable when it shouldn’t be.

1. If the vulnerability was just remediated and the computer is still showing detected:
   1. Make sure the client has rebooted.
   2. If the patch requires changing a system or protected file, that change will not take effect until the client reboots.
2. Run a Security Scan on the client.
   You can manually run the scan with the following command.
   

   Vulscan /scan=0 /showui (Vulscan Switches)

3. Verify that the client installed the patch and still shows as vulnerable on the core server.
   1. Open an Ivanti Endpoint Manager Console.
   2. From the Network View expand Devices and click on All Devices.
   3. Locate the computer in question.

The Computer is being detected vulnerable when it shouldn't be

If the vulnerability was just remediated and the computer is still showing detected:

1. Make sure the client has rebooted.
   1. If the patch requires changing a system or protected file, that change will not take effect until the client reboots.
   2. Run a Security Scan on the client.  You can manually run the scan with the following command.
      

      Vulscan /scan=0 /showui (Vulscan Switches)

   3. Verify that the client installed the patch and still shows as vulnerable on the core server.
      1. Open an Ivanti Endpoint Manager Console.
      2. From the Network View expand Devices and click on All Devices.
      3. Locate the computer in question.
      4. Right-click on the computer and select "Security and Patch Information"
      5. Click on Clean/Repair History.
      6. Locate the patch and locate the Succeeded column.  Verify that it says "Yes".
      7. Click on All Detected in the left-hand column.
      8. Look for the vulnerability in question.
      9. Check the most recent Vulscan logs.  About the Vulnerability scan and repair logs
      10. Look for the vulnerability that is still showing as detected.
      11. The log will show why the client is still showing as vulnerable.
          1. Possible Causes of why the client is still showing as vulnerable:
             1. The file or registry setting is not being properly updated by the patch.
                (Try uninstalling and reinstalling the patch.  If detection works after this, the original patch failed to install the required files)
             2. The vulnerability detection logic needs to be adjusted.  Ivanti Support will need the Vulscan log to request a change to the detection logic.
                
                How to report Ivanti Patch Manager vulnerability detection problems to technical support

The vulnerability should never have been detected

1. Run a vulnerability scan on the client.
     You can manually run the scan with the following command: 

   vulscan /scan=0 /showui

     (The /scan=# command may differ depending on the definition type you wish to scan)