Channel: Ivanti User Community : Document List - Patch Manager

Error: "Client user does not have administrator rights" when running Vulnerability Scan

Issue

The following error occurs when running the Vulnerability Scanner (vulscan) as a limited user:

"Client user does not have administrator rights to run vulscan error"

Vulscan run as an administrative user completes successfully.

Resolution

A fix for this issue is available in the latest service pack for LDMS 9.6.

Fix # 178968 Vulscan UI reports failure to connect to the pipe of the current vulscan with error "Current users does not have administrative rights"

Otherwise, ensure that the LANDESK Management Agent shows up in Services. If it does not show up, go through the following steps:

1. From the command prompt, run the following command:

32-Bit clients:

runas /user:(admin user) "C:\Program Files\LANDesk\Shared Files\residentagent.exe /register"

64-Bit clients:

runas /user:(admin user) "C:\Program Files (x86)\LANDesk\Shared Files\residentagent.exe /register"

2. Enter the password when prompted.

3. Ensure that the service now exists in the Services applet.

4. Start the service by running the following command:

runas /user:(admin user) "net start cba8"

5. Enter the password again when prompted.


Unable to schedule and start a patch content download

Overview: The ability to schedule and start a patch content download is limited to administrators. A non-administrator can schedule the download but cannot start it.

Resolution: This is the current design.

How to schedule a Security Scan

Problem: How do you schedule a Security Scan to run on a client?

Resolution: Use the Create a task option in Security and Patch Manager to create a scheduled task that runs the security scan.

  1. Open a 32-bit Management Suite Console.
  2. Click Tools | Security and Compliance | Patch and Compliance.
  3. Click Create a task.
  4. Click Security Scan.
  5. Give the task an appropriate name.
  6. Select Create a scheduled task.
  7. If the scan requires a specific Scan and repair setting, select it here.
    1. This setting only applies to the scheduled task. It will not override the default setting on the client.
  8. Click OK.
  9. A Scheduled Task will be created.
  10. Drag the appropriate computers to the scheduled task.
  11. Right-click the task and click Properties.
  12. Click Schedule task.
  13. Make the desired changes to when you would like the scan to run and click OK.

Note: If the Start Now or Start Later radio buttons are grayed out, make sure that you have added computers to the scheduled task.

Why certain vulnerability definitions require the patch to be manually downloaded?

Description

LANDesk Patch may include certain vulnerability definitions that require a manual download of the patch file. In that case the message "Skipping manual download patch..." is displayed in the Downloading Patches window.

Cause

There are a few potential reasons for a patch file to require a manual download:

  1. The vendor does not provide patch download URLs.
  2. Customers have to get the patches via email or by registering a user on the vendor's web site.
  3. Different versions of the product updates use the same download URL.
  4. The old patches have been replaced by the latest ones, and the download URLs for the old patches are no longer available.

Resolution

When a vulnerability definition is marked as requiring a manual download of the patch file, follow these steps:

  1. Download the patch from the vendor site manually.
  2. Rename the file as described in the properties of the LANDesk Patch definition.
  3. Place the downloaded file into the core server's Patch folder.

Related: How to Use Manually Downloaded Patches

How to Use Manually Downloaded Patches

Purpose

This article covers how patches are validated within the Patch Repository, and how to make use of manually downloaded patches.

Related: Why certain vulnerability definitions require the patch to be manually downloaded?

How to use Manually Downloaded Patches

  • Download the desired patch.
    • If the definition lists the patch as _Manual, it is not available for download from LDMS. You will need to find a download source for the patch manually.
  • Copy the downloaded patch into the patch repository.
    • The patch repository is defined under Tools | Security and Compliance | Patch and Compliance.
    • In the Patch and Compliance window, click Download Updates.
    • In the Download updates window, click Patch Location.
    • The UNC path where patches are stored is the Patch Repository share.
  • Rename the file to match the Patch Name shown in LDMS.
  • In the LDMS console, right-click the patch and choose Download Patch...
  • The patch repository will be checked for files that match based on name, then the hash information will be compared.
  • In the Downloading Patches window:
    • Since the patch does not contain download information, it will be listed as 'skipped'.
    • Click Close.
  • If the patch is still listed as Downloaded - No, close the Patch Properties window, then reopen the properties.
  • If the file passed validation, it will now show as Downloaded - Yes.

What if the patch still shows Not Downloaded?

In order to use a manually downloaded patch with LDMS, it must be placed in the patch repository, and certain properties must match what LDMS knows about that file.

If there is a mismatch, the file will not show as downloaded, and therefore will not be available for use in a repair task.

Example: Patch jdk-8u45-windows-x64.exe was manually downloaded and placed in the patch repository, but it continues to show 'No' in the Downloaded column.

Submit a Support Ticket

If the downloaded patch has the LDMS name, is located in the patch repository, and still does not show as Downloaded, there is likely a hash value mismatch between the file that was downloaded and the hash value in the Patch table of the database.

If LDMS content is outdated compared to the current correct hash values of a patch, submit a ticket to Support indicating this so it can be corrected.

Example:

Issue: Patch downloaded, placed in patch repository, has LDMS File Name, but does not show as downloaded.

Vulnerability ID: JREJDKv8U45_Manual

Patch Name: jdk-8u45-windows-x64.exe

Patch Download URL (if available): http://download.oracle.com/otn/java/jdk/8u45-b15/jdk-8u45-windows-x64.exe

Note: Including the URL you obtained the patch from allows LANDESK to check the hash values of the file in house and determine whether the hash should be updated within content.

Clone Definition for Use

It is always recommended that hash mismatches be submitted to Support so they can be addressed from a content perspective.

Once this is done, if you need to patch the affected definition in the interim, it can be cloned for use with LDMS.

Content downloaded from LDMS is 'Read Only' and cannot be modified. Cloning a definition, however, creates a customizable copy of the definition with all detection rules intact.

  • Right-click the definition and choose Clone.
  • In the Properties window:
    • Enter a unique ID.
    • Double-click the desired patch to open its properties.
  • In the patch properties window:
    • Click Detection Logic | Patch Information.
    • Verify the Unique Filename matches the name of the file as it appears in the Patch Repository.
    • Click Calculate Hashes.
      • A green checkmark should appear next to MD5.
      • Typically SHA-1 and SHA-256 will be checked as well, but if not, that is OK.
    • Click OK.
  • In the Definition Properties window, click OK.
  • Open the new Custom Definition and choose to download the patch.

Because the custom definition for the patch has the name of the file in the patch repository, and the hashes match (because they were obtained directly from the file), it will now show as Downloaded = Yes.

This custom definition can be used to scan and repair vulnerabilities accordingly.

Patch Properties That are Checked

File Name

The first property checked to match a file to a patch definition is its filename. The filename must match the LDMS definition's name for the patch exactly.

Typically, downloading the patch from the vendor will yield the same filename that LDMS checks for.

Example: Downloading the Java Runtime Environment (JRE) 7 Update 71 patch from the vendor produces a file whose name matches the name LDMS is looking for. Placing this file in the patch repository would be a match based on name.

Name: jre-7u71-windows-i586.exe

Download URL: http://javadl.sun.com/webapps/download/AutoDL?BundleId=97807

In some circumstances, however, the patch name LDMS is looking for may differ from the name the file downloads as from the vendor.

Patch names must be unique for LDMS to distinguish between them. Some vendors give their patch files a generic name which, if downloaded manually, must be renamed to match the LDMS patch name.

Example:

Downloading Google Chrome 45.0.2454.101 from Google downloads a file called googlechromestandaloneenterprise.msi; there is nothing unique about this file name.

In order to differentiate it among the multitude of other Chrome patches, LDMS looks for a filename of GoogleChromeStandaloneEnterprise_45.0.2454.101.msi.

If the file was downloaded with a name that does not match the LDMS Patch Name, the file must be renamed to match the LDMS Patch Name.

SHA-1

If the patch has a SHA-1 value available in the database, LDMS compares it against the file's SHA-1 value to determine whether the patch found by filename is the same patch that is expected. By verifying this hash value, LDMS prevents distributing wrong patches that happen to have the name of a patch. If the SHA-1 value of the file does not match what is listed in the database, the file will not be listed as 'downloaded'.

The SHA-1 value is stored within the database's Patch table in the SHA1 column as a Base64-encoded value.

Note: Patches may contain SHA-256 values; however, these are currently not compared when checking whether the patch exists within the patch repository.

MD5

If there is no known SHA-1 value available for the patch in the database, LDMS uses the known MD5 value to determine whether the patch is the correct file.

The MD5 value is stored in the database's Patch table in the Hash column as a Base64-encoded value.

How to manually check hash values

The hash values are only available from the database, in the Patch table, not through the LDMS console.

The values are stored as Base64-encoded values.

Using LDMS Database

If the definition was cloned for use, the patch had its hash values gathered during the process, and they are available in the database.

The following query returns the patches associated with the custom definition and displays their Hash (MD5) and SHA1 values:

Select vul.Vul_ID, Patch.Name, Patch.Hash, Patch.SHA1
From Patch
Inner Join Vulnerability as vul
On Patch.Vulnerability_Idn = vul.Vulnerability_Idn
Where vul.Vul_ID = 'Custom Definition ID'

Using 3rd Party Utility

The tool outlined in this article (FileHasher64.exe) provides MD5 and SHA-1 values encoded in Base64. These can be compared against the values in the Patch table of the LDMS database.

Tool: Get MD5 & SHA-1 Encoded in Base64
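The validation order described in this article (exact filename first, then the Base64 SHA-1 from the Patch table's SHA1 column when one exists, otherwise the Base64 MD5 from the Hash column, with SHA-256 never consulted) can be reproduced offline before a file is copied into the repository. The following Python script is an added example, not LANDesk/Ivanti code and not the FileHasher64 tool: the patch name, the file content and the shape of the patch_row dictionary are constructed for the demonstration, and the outcome when the database holds neither hash is an assumption.

```python
import base64
import hashlib
import os
import tempfile

# Constructed example, not LANDesk/Ivanti code: re-implements the matching
# order the article describes (filename first, then SHA-1 if the Patch table
# has one, otherwise MD5; SHA-256 is never compared) so that a manually
# downloaded file can be checked before it is dropped into the repository.

CHUNK = 1 << 20  # read 1 MiB at a time; patch installers can be large


def file_hashes(path):
    """Return Base64-encoded MD5, SHA-1 and SHA-256 digests of a file.

    Base64 of the raw digest bytes is the form the article says the Patch
    table stores (Hash = MD5, SHA1 = SHA-1), so the values compare as strings.
    """
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: base64.b64encode(d.digest()).decode("ascii") for name, d in digests.items()}


def validate_patch(repo_dir, patch_row):
    """Decide whether a repository file would show as Downloaded = Yes.

    patch_row mimics one row of the Patch table: keys Name, SHA1, Hash (MD5);
    SHA1 or Hash may be None when content carries no value for them.
    Returns (downloaded: bool, reason: str).
    """
    path = os.path.join(repo_dir, patch_row["Name"])
    # 1. the filename must match the definition's patch name exactly
    if not os.path.isfile(path):
        return False, "no file named %r in the repository" % patch_row["Name"]
    actual = file_hashes(path)
    # 2. SHA-1 takes precedence whenever the database knows one
    if patch_row.get("SHA1"):
        if actual["sha1"] != patch_row["SHA1"]:
            return False, "SHA-1 mismatch: file %s, database %s" % (actual["sha1"], patch_row["SHA1"])
        return True, "filename and SHA-1 match"
    # 3. otherwise fall back to the MD5 in the Hash column
    if patch_row.get("Hash"):
        if actual["md5"] != patch_row["Hash"]:
            return False, "MD5 mismatch: file %s, database %s" % (actual["md5"], patch_row["Hash"])
        return True, "filename and MD5 match"
    # Assumption: with no hash on record only the name check applies.
    return True, "filename matches; no hash on record to compare"


def demo():
    """Run the checks against a constructed repository and return the outcomes."""
    repo = tempfile.mkdtemp(prefix="patchrepo-")
    name = "examplevendor-tool_1.2.3.exe"  # constructed patch name
    with open(os.path.join(repo, name), "wb") as fh:
        fh.write(b"abc")  # constructed content standing in for a real installer
    good = file_hashes(os.path.join(repo, name))
    return {
        "hashes": good,
        # content and file agree on SHA-1
        "sha1_ok": validate_patch(repo, {"Name": name, "SHA1": good["sha1"], "Hash": good["md5"]}),
        # stale content: the SHA-1 on record belongs to an older build of the file
        "sha1_stale": validate_patch(repo, {"Name": name, "SHA1": "AAAAAAAAAAAAAAAAAAAAAAAAAAA=", "Hash": good["md5"]}),
        # content that only has an MD5 on record
        "md5_only": validate_patch(repo, {"Name": name, "SHA1": None, "Hash": good["md5"]}),
        # the file was never renamed to the LDMS patch name
        "wrong_name": validate_patch(repo, {"Name": "tool.exe", "SHA1": good["sha1"], "Hash": None}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The md5 and sha1 strings it prints are in the same Base64 form as the Hash and SHA1 columns, so they can be placed side by side with the output of the query above; a SHA-1 mismatch with a correct MD5 still yields Downloaded = No, which is the stale-content case the ticket section describes.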

 

Update & improvement to the LANDeskScan.DLL notification

I - Introduction

This document highlights and explains a recent change that has been implemented to enable better logging and to clarify detection reasons for vulnerabilities.

This will be of particular interest to customers who do not have all of their core servers connected to the WWW to download patch content directly.

II - What's changing?

The LANDesk patch content team has added additional capabilities to a DLL used in scanning for vulnerabilities.

Since a vulnerability may have to check dozens, if not close to 100, affected dependencies / products, it can get complicated trying to identify specifically *WHY* a certain patch has been detected. The new logging update improves upon this significantly, highlighting the specific product GUID(s) that triggered the detection rather than forcing an administrator to check each one individually.

Better still, the relevant information is included in the "REASON" field, so it is centrally reportable / extractable from the LANDesk database.

II.A - An example highlighting the change

Hitherto, the relevant client-side log file section which listed a vulnerability as being detected would look as follows (in this case, MS14-072 is used to highlight the hit); the key line is the one beginning "VUL:":

(...)

Thu, 24 Sep 2015 10:28:25 Running detection script
Thu, 24 Sep 2015 10:28:25 created the hlpr instance ok
Thu, 24 Sep 2015 10:28:25 isInstallable=True
Thu, 24 Sep 2015 10:28:25 MS14-072_INTL detected
Thu, 24 Sep 2015 10:28:25 VUL: 'MS14-072_INTL' (ndp40-kb2978125-x86.exe) DETECTED.  Reason 'Patch NDP40-KB2978125-x86.exe was not found.'.  Expected 'Patch NDP40-KB2978125-x86.exe installed'.  Found 'Patch NDP40-KB2978125-x86.exe not installed'.  Patch required 'ndp40-kb2978125-x86.exe'.
Thu, 24 Sep 2015 10:28:25    Patch is NOT installed

(...)

The change that has been implemented (and that is being incorporated into the patch content) turns this into the following; the relevant additions are in the Reason, Expected and Found fields:

(...)

Fri, 02 Oct 2015 13:11:33 Running product detection script
Fri, 02 Oct 2015 13:11:33 Running detection script
Fri, 02 Oct 2015 13:11:33 created the hlpr instance ok
Fri, 02 Oct 2015 13:11:33 MS14-072_INTL detected
Fri, 02 Oct 2015 13:11:33 VUL: 'MS14-072_INTL' (ndp40-kb2978125-x86.exe) DETECTED.  Reason 'Product {3C3901C5-3455-3E0A-A214-0B093A5070A6} needs this patch.'.  Expected 'Patch NDP40-KB2978125-x86.exe should be installed'.  Found 'Patch NDP40-KB2978125-x86.exe has not been installed'.  Patch required 'ndp40-kb2978125-x86.exe'.
Fri, 02 Oct 2015 13:11:33    Patch is NOT installed

(...)
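To get the new Reason field out of client logs without reading them by hand, the following Python parser (an added example, not part of the LANDesk/Ivanti article) splits the "VUL: ... DETECTED." line into its fields and pulls any product GUID out of the Reason text. The two sample lines are the ones quoted above; the regular expressions assume the field layout shown there and nothing more.

```python
import re

# Constructed example, not part of the LANDesk/Ivanti article: a parser for
# the "VUL: ... DETECTED." line of the vulscan client log, showing how the
# updated Reason field exposes the product GUID(s) that triggered a detection.

# The two DETECTED lines quoted in the article (old and new format).
OLD_LINE = ("Thu, 24 Sep 2015 10:28:25 VUL: 'MS14-072_INTL' (ndp40-kb2978125-x86.exe) DETECTED.  "
            "Reason 'Patch NDP40-KB2978125-x86.exe was not found.'.  "
            "Expected 'Patch NDP40-KB2978125-x86.exe installed'.  "
            "Found 'Patch NDP40-KB2978125-x86.exe not installed'.  "
            "Patch required 'ndp40-kb2978125-x86.exe'.")
NEW_LINE = ("Fri, 02 Oct 2015 13:11:33 VUL: 'MS14-072_INTL' (ndp40-kb2978125-x86.exe) DETECTED.  "
            "Reason 'Product {3C3901C5-3455-3E0A-A214-0B093A5070A6} needs this patch.'.  "
            "Expected 'Patch NDP40-KB2978125-x86.exe should be installed'.  "
            "Found 'Patch NDP40-KB2978125-x86.exe has not been installed'.  "
            "Patch required 'ndp40-kb2978125-x86.exe'.")

# Field layout as it appears in the quoted lines; each quoted field ends with "'."
DETECTED_RE = re.compile(
    r"^(?P<timestamp>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) "
    r"VUL: '(?P<vul_id>[^']+)' \((?P<patch_file>[^)]*)\) DETECTED\.\s+"
    r"Reason '(?P<reason>.*?)'\.\s+"
    r"Expected '(?P<expected>.*?)'\.\s+"
    r"Found '(?P<found>.*?)'\.\s+"
    r"Patch required '(?P<patch_required>[^']*)'\.$"
)
# Windows Installer style product GUID in braces
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_detected_line(line):
    """Return the fields of a VUL ... DETECTED line, or None for any other line."""
    m = DETECTED_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # With the updated LANDeskScan.dll the Reason names the product GUID(s)
    # that need the patch; older logs carry no GUID and yield an empty list.
    fields["product_guids"] = GUID_RE.findall(fields["reason"])
    return fields


def detections(lines):
    """Collect parsed DETECTED records from an iterable of log lines."""
    return [rec for rec in (parse_detected_line(line) for line in lines) if rec]


if __name__ == "__main__":
    for rec in detections([OLD_LINE, "Fri, 02 Oct 2015 13:11:33 Running detection script", NEW_LINE]):
        print(rec["vul_id"], rec["patch_required"], rec["product_guids"] or "(no GUID in Reason)")
```

The same split can be applied to the REASON column on the core, which is where the article suggests reporting from; a record whose product_guids list is empty came from a client that has not yet picked up the updated DLL, which is a quick way to spot "dark" cores that missed the copy step in section IV.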

 

 

III - What & Who is affected?

III.A - What versions of LANDesk Management Suite are affected?

The updated DLL is already live and available in patch content for the following versions of LANDesk Management Suite:

  • LANDesk Management Suite 9.0 (any service pack level)
    File Version = 9.60.0.2 / Date Modified = September 24th 2015
  • LANDesk Management Suite 9.5 (any service pack level)
    File Version = 9.60.0.2 / Date Modified = September 24th 2015
  • LANDesk Management Suite 9.6 (any service pack level)
    File Version = 9.60.0.2 / Date Modified = September 24th 2015

(Yes, all versions download the 9.6 DLL.)

It will be automatically downloaded as part of your patch content update.

This will be a standard feature of future versions of LANDesk Management Suite.

III.B - Who is affected?

Technically "everyone" who downloads / makes use of patch content is affected, as this is an update to one of the key patching DLLs.

In practice, though, most customers do not need to perform any action; the situation where action is required is described separately in section IV below.

IV - Do I need to do anything?

If your Core(s) is/are connected to the WWW and download their own patch content, then you do not need to do anything. If they haven't already, they will get the updated LANDeskScan.DLL when they next check for updated patch content.

The new version of the DLL will then be automatically downloaded and put into the Core's LDLOGON share, whereupon all clients will automatically self-update with the new DLL when they next execute the vulnerability scanner (vulscan.exe). This ensures that they are kept up to date in an automated fashion and do not have problems with the new/updated content as it goes live.

IV.A - Situations / Customers who ARE affected are...

... anyone who does not download vulnerability / patch content from the WWW directly to all of their core servers. This is usually restricted to air-gapped environments, where a single Core is connected to the WWW to download content, and a defined process is followed to then move that content to the "dark" Cores.

Equally, it will affect any customer who (for whatever reason) relies on copying patch content from one of their own servers rather than from the WWW directly.

Since the "dark core" process does not usually include checking for updates of binaries / DLLs, this is being highlighted as a necessary step to undertake. Such customers should copy the updated "LANDeskScan.dll" from whichever Core server downloads content from the WWW and distribute this updated binary to their "dark" or otherwise disconnected Cores (just copy it into the LDLOGON directory).

Any clients will then self-update the next time the vulnerability scanner starts.

IMPORTANT NOTE:

We (strongly) recommend that patch content only be copied / moved between "same version" servers.

V - In Conclusion

If there are any questions that have not been answered, please post them in the comments section, and we'll try to respond to them there.

The unofficial guide to assessing your custom security compliance using LANDesk

Introduction

Assessing the level of security of your machines is a key factor in understanding and preventing security threats in your environment. LANDesk FDCC (SCAP) allows you to check the security configuration of all your machines to determine their level of compliance with a set of internationally recognized security standards.

While checking the compliance of your environment against benchmarks issued by internationally recognized security organizations is the norm, the nature of your activity might require you to have your own security baseline. LANDesk FDCC allows you to do both:

  • Check the compliance of your environment against the FDCC, USGCB, and Microsoft official baselines
  • Check the compliance of your environment against your own set of baselines

This guide will help you to implement the latter.

Note that this is not official LANDesk documentation. Our developers have not tested this scenario in their environment. LANDESK SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF LANDESK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), OR COST OF PROCUREMENT OF SUBSTITUTE SERVICES.

If you would like to implement this solution, make sure you have thoroughly tested it in your lab environment and have consulted your LANDesk technical and sales points of contact before taking any action in your production environment.

If you have any comments about the content or the form of the article, or if you would like to help me improve it, feel free to send me a message through the community.

A. The SCAP protocol

The main internationally recognized security compliance benchmarks now use the Security Content Automation Protocol. The latter is a set of specifications that allows a software vendor to communicate its security flaws or security configurations. The specifications that will be useful in our case are the following:

  • Extensible Configuration Checklist Description Format (XCCDF): the language used to define the benchmark/checklist. In our case, this allows us to define our rules: which setting (GPO) am I going to check? How many of them am I going to check?
  • Open Vulnerability and Assessment Language (OVAL): the language used to assess the machine state. In our case, how should I check the parameter I defined in my XCCDF? Which value in the registry should I check, which file should I check?
  • Common Configuration Enumeration (CCE): a dictionary of security software configurations.

There are other SCAP specifications that we will not cover in this document. If you would like more information about the protocol, you can download the full specifications from the NIST website at the following link:

http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126

B. LANDesk FDCC (SCAP) default content

LANDesk FDCC is built into Patch Manager. It is organized as sets of definitions you can download through the LANDesk Download updates window (vaminer). It is available once you have purchased LANDesk FDCC licences and reactivated your core server.

The content includes the official SCAP baselines of the US government (FDCC, USGCB) as well as the official Microsoft SCAP baselines (Windows 7, 2008 R2, Internet Explorer 8).

There are four kinds of definitions, matching the four steps required to assess the security compliance of your machines:

Step 1: Installation of the SCAP scanner on the client (definition called "SCAP-SCANNER-INSTALL")

This definition instructs vulscan.exe to start the installation of the SCAP scanner. This not only copies the scanner to the client but also copies the standard SCAP definitions (XCCDF and OVAL files) available from our content servers. These SCAP definitions are copied to the client in \Program Files (x86)\LANDesk\LDClient\S-CAT\oem-content. They are organized as mentioned previously:

  • an "xccdf.xml" file that contains the list of GPOs to check
  • an "oval.xml" file that contains the detection logic for the GPOs (value in the registry)
  • "cpe-dictionnary.xml" and "cpe-oval.xml" files that check the platform and products affected by the settings (GPOs) of our baselines

Step 2: Creation of the results file (definition called "COMPLIANCE-RESULTS-FILE")

This definition instructs the SCAP scanner (through vulscan) to analyse the SCAP definition XML baseline files in \Program Files (x86)\LANDesk\LDClient\S-CAT\oem-content and to write the results in formatted "xccdf-results" files in \Program Files (x86)\LANDesk\LDClient\S-CAT\Products. It is a formatted XML file that you can open manually on the client to check the results of the scan.

Step 3: Score calculation (definitions that end with "XCCDF-SCORE")

Vulscan reads the results files created earlier in order to compute the score for the standard baselines.

Step 4: Scan of the individual definitions (individual definitions that usually start with "CCE")

Vulscan reads the results file to check whether each rule in the XCCDF file has passed or failed the test and returns the result to the core server.

On the core, if you right-click a definition you have scanned in the Patch and Compliance tool and click "Affected computers", you will see the machines that failed the compliance test.

C. Implementing a custom baseline with LANDesk FDCC

As you already have examples in our default content, there is no need to create custom definitions in LANDesk from scratch. We can clone the existing content and tweak it to our liking. This section explains how to use the default content to build a custom one.

Once your SCAP definitions are ready to be used, you can create your custom definitions. This section explains how to inject them into a custom scanner installation definition that can be deployed to a client.

If you are new to the SCAP protocol, I have attached an example of a custom baseline that contains one rule. The latter checks whether the "disable control-alt-del" sequence is enabled (value in the registry). Feel free to use it as a template for the creation of your custom SCAP baseline.

1. SCAP Scanner installation

a. Manual Steps (core side)

As mentioned earlier, the "INSTALL SCANNER" definition includes a zip file that contains the SCAP scanner and the default SCAP baselines. In order to inject our own baseline into this zip file, we can follow the steps below:

  • Clone an existing "INSTALL SCANNER" definition from the LANDesk SCAP content
  • Download the SCAT-DATA.zip that is associated with this definition
  • After the download, uncompress this zip folder
  • Locate the oem-content folder and insert your custom content XML files (example files available above) into it
  • Re-zip this folder and name it S-CAT.zip
  • In your cloned definition, delete all the rules except a Windows 7 based one
  • Open this Windows 7 rule
  • Go to the "Patch information" section and change the name of the zip file advertised in the "Manufacturer's patch URL" and "Unique filename" fields to "S-CAT.zip"
  • Select "No" for "Auto-downloadable"
  • Save the rule

When scanning your client against this definition, you should be able to install the scanner with your own SCAP baseline.
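The uncompress / insert / re-zip steps above can be scripted so that the custom XCCDF and OVAL files always land in oem-content and no other entry of the archive changes. The following Python script is an added example, not LANDesk/Ivanti code: the S-CAT/oem-content path inside the archive is inferred from the File paths in the definition XML in the next section (an assumption), the custom XML content is a stub, and the Base64 MD5 it reports is in the form used by the Patch element's Hash attribute, in case you want to compare it with what Calculate Hashes produces for the new S-CAT.zip.

```python
import base64
import hashlib
import os
import tempfile
import zipfile

# Constructed example, not LANDesk/Ivanti code: automates the manual
# "uncompress, drop files into oem-content, re-zip as S-CAT.zip" step and
# reports the Base64 MD5 that the Patch element's Hash attribute carries.
# Folder names follow the article; the custom XML below is only a stub.

CUSTOM_XCCDF = b"<?xml version='1.0'?><Benchmark id='custom-baseline'/>"  # constructed stub
CUSTOM_OVAL = b"<?xml version='1.0'?><oval_definitions/>"                 # constructed stub

# Assumed layout inside S-CAT-Data.zip, inferred from the definition's File
# paths (<LDClient>\S-CAT\...) and the oem-content folder named in the article.
OEM_CONTENT_DIR = "S-CAT/oem-content"


def inject_custom_content(source_zip, dest_zip, custom_files, subdir=OEM_CONTENT_DIR):
    """Copy every entry of source_zip into dest_zip and add custom_files under subdir.

    custom_files maps file name -> bytes. An existing entry with the same name
    as a custom file is replaced rather than duplicated. Returns the entry
    names written to dest_zip.
    """
    targets = {"%s/%s" % (subdir, name): data for name, data in custom_files.items()}
    written = []
    with zipfile.ZipFile(source_zip) as src, \
            zipfile.ZipFile(dest_zip, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in targets:
                continue  # replaced by the custom copy below
            dst.writestr(info, src.read(info.filename))
            written.append(info.filename)
        for name, data in targets.items():
            dst.writestr(name, data)
            written.append(name)
    return written


def base64_md5(path):
    """Base64 of the raw MD5 digest, the encoding used in the definition XML."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode("ascii")


def demo():
    """Build a constructed S-CAT-Data.zip, inject content, report what ended up in S-CAT.zip."""
    work = tempfile.mkdtemp(prefix="scat-")
    src = os.path.join(work, "S-CAT-Data.zip")
    with zipfile.ZipFile(src, "w") as z:  # stand-in for the downloaded archive
        z.writestr("S-CAT/s-cat.exe", b"scanner")
        z.writestr(OEM_CONTENT_DIR + "/xccdf.xml", b"<Benchmark id='usgcb'/>")
        z.writestr(OEM_CONTENT_DIR + "/oval.xml", b"<oval_definitions/>")

    # Case 1: add the custom baseline next to the stock files.
    dst = os.path.join(work, "S-CAT.zip")
    entries = inject_custom_content(src, dst, {"custom-xccdf.xml": CUSTOM_XCCDF,
                                               "custom-oval.xml": CUSTOM_OVAL})
    with zipfile.ZipFile(dst) as z:
        contents = sorted(z.namelist())
        custom = z.read(OEM_CONTENT_DIR + "/custom-xccdf.xml")

    # Case 2: overwrite the stock xccdf.xml instead of adding a file.
    dst2 = os.path.join(work, "S-CAT-replace.zip")
    inject_custom_content(src, dst2, {"xccdf.xml": CUSTOM_XCCDF})
    with zipfile.ZipFile(dst2) as z:
        names = z.namelist()
        replaced = (names.count(OEM_CONTENT_DIR + "/xccdf.xml"), z.read(OEM_CONTENT_DIR + "/xccdf.xml"))

    return {"entries": entries, "contents": contents, "custom_xccdf": custom,
            "replaced": replaced, "hash": base64_md5(dst)}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["contents"]))
    print("Hash (Base64 MD5) of S-CAT.zip:", result["hash"])
```

Keeping the stock xccdf.xml and oval.xml untouched is the safe choice when the scanner is also expected to evaluate the standard baselines; replacing them, as the second case shows, makes the resulting S-CAT.zip evaluate only the custom rules.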

 

b. XML structure

The XML structure of a standard SCAP scanner install definition is illustrated below:

<?xml version="1.0"?>
<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" LastSavedBy="LIBERTY\administrator" Revision="0" SourceCore="FRANKLIN" Guid="fake" SaveType="Inherit">
  <DuplicateReferences />
  <SyncEnabled>No</SyncEnabled>
  <LastSavedDate>0001-01-01T00:00:00</LastSavedDate>
  <Name>SCAP-SCANNER-INSTALL</Name>
  <AssemblyVer>9.0.3.42</AssemblyVer>
  <Items>
    <Exportable xsi:type="EVulnerability" LastSavedBy="LIBERTY\administrator" Revision="393220" SourceCore="FRANKLIN" Guid="INTL_SCAP-SCANNER-INSTALL" SaveType="Inherit">
      <DuplicateReferences />
      <SyncEnabled>No</SyncEnabled>
      <LastSavedDate>2012-06-20T01:29:41.673+01:00</LastSavedDate>
      <Name>SCAP-SCANNER-INSTALL</Name>
      <Groups>
        <string>1 + Security Content Automation Protocol + Microsoft Baselines + (Step 1) Install Scanner</string>
        <string>1 + Security Content Automation Protocol + Federal Desktop Core Configuration + (Step 1) Install Scanner</string>
        <string>1 + Security Content Automation Protocol + United States Government Configuration Baseline + (Step 1) Install Scanner</string>
      </Groups>
      <AssemblyVer>9.0.3.91</AssemblyVer>
      <Prerequisites />
      <CVE_ID />
      <PublishDate>2009-09-30T01:00:00</PublishDate>
      <Title>SCAP Scanner Installation</Title>
      <Description>This security threat will scan a LANDesk client and determine if the SCAP installation is present. If the SCAP scanner utility is not installed this security threat will be detected. The administrator will be able to remediate the detection by installing the SCAP scanner utility.</Description>
      <Summary />
      <Lang>INTL</Lang>
      <MoreInfoURL />
      <FAQURL />
      <Severity>3</Severity>
      <Vendor>LANDesk</Vendor>
      <Status>Enabled</Status>
      <Type>Configuration</Type>
      <AutoFix>false</AutoFix>
      <Fixable>AllFixable</Fixable>
      <CanRunSilent>NoPatchesAreSilent</CanRunSilent>
      <Compliance>false</Compliance>
      <Category />
      <SupercededState>None</SupercededState>
      <Alert>false</Alert>
      <HasCustomVars>false</HasCustomVars>
      <Patches>
        <Patch Download="DAuto" Silent="CRSNo" Reboot="RNo" UniqueFilename="S-CAT-Data.zip" Hash="DSptwmi2P13ir3G9MdPnTg==" Size="37260542">
          <Name>S-CAT-Data.zip</Name>
          <Advanced>
            <DetectScript />
            <DetectScriptDescription />
          </Advanced>
          <Comments />
          <URL>http://patch.landesk.com/patches/S-CAT-Data.zip</URL>
          <State>Enabled</State>
          <AdditionalFiles />
          <Files>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\s-cat.exe</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>5226816</FileSize>
              <Checksum>302663084</Checksum>
              <Version />
              <CommandID>c</CommandID>
              <Flags />
            </File>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TADLib.dll</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>241152</FileSize>
              <Checksum>2057779226</Checksum>
              <Version />
              <CommandID>c</CommandID>
              <Flags />
            </File>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TADLib_x64.dll</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>288768</FileSize>
              <Checksum>297008079</Checksum>
              <Version />
              <CommandID>c</CommandID>
              <Flags />
            </File>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGMGT.dll</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>117760</FileSize>
              <Checksum>1280690620</Checksum>
              <Version />
              <CommandID>c</CommandID>
              <Flags />
            </File>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGMGT_x64.dll</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>139776</FileSize>
              <Checksum>3277961676</Checksum>
              <Version />
              <CommandID>c</CommandID>
              <Flags />
            </File>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGVista.dll</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>11264</FileSize>
              <Checksum>4042234824</Checksum>
              <Version />
              <CommandID>c</CommandID>
              <Flags />
            </File>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGVista_x64.dll</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>14336</FileSize>
              <Checksum>2036220168</Checksum>
              <Version />
              <CommandID>c</CommandID>
              <Flags />
            </File>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGWmi.dll</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>80384</FileSize>
              <Checksum>23412607</Checksum>
              <Version />
              <CommandID>c</CommandID>
              <Flags />
            </File>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGWmi_x64.dll</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>88576</FileSize>
              <Checksum>2090235095</Checksum>
              <Version />
              <CommandID>c</CommandID>
              <Flags />
            </File>
            <File>
              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\Version.dll</Path>
              <FileDate>0001-01-01T00:00:00</FileDate>
              <FileSize>0</FileSize>
              <Version>1.0.0.1</Version>
              <CommandID>c</CommandID>
              <Flags />
            </File>
          </Files>
          <RegKeys />
          <Products />
          <Platforms>
            <ID>win7-x64</ID>
            <ID>win2008r2-x64</ID>
            <ID>winxp</ID>
            <ID>win2k3</ID>
            <ID>winxp-x64</ID>
            <ID>win2k3-x64</ID>
            <ID>winvista</ID>
            <ID>winvista-x64</ID>
            <ID>win2008</ID>
            <ID>win2008-x64</ID>
            <ID>win7</ID>
          </Platforms>
          <UninstallInfo>
            <canBeUninstalled>false</canBeUninstalled>
            <requiresOriginalPatch>false</requiresOriginalPatch>
            <Files />
            <RegKeys />
            <Cmds />
          </UninstallInfo>
          <CustVars />
          <Cmds>
            <Cmd Type="RunVbScript">
              <Args>
                <Arg N="ScriptCode" V="[CR][LF]main()[CR][LF][CR][LF]Sub main[CR][LF]  Dim strldpath, strfullpath[CR][LF]  On Error Resume Next[CR][LF][CR][LF]  strldpath = ReadRegValue(&quot;HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path&quot;)    [CR][LF] [CR][LF] if strldpath = &quot;&quot; then[CR][LF] ReportRepairResult false , &quot;the path of LDclient was not found.&quot;[CR][LF]     exit sub[CR][LF]  end if [CR][LF][CR][LF]  strfullpath = strldpath &amp; &quot;\S-CAT&quot;[CR][LF]  log strfullpath[CR][LF] [CR][LF]  Dim fso[CR][LF]  Set fso = CreateObject(&quot;scripting.filesystemobject&quot;)[CR][LF]  log fso.FolderExists(strfullpath) [CR][LF] [CR][LF] if fso.FolderExists(strfullpath) = false then[CR][LF] fso.CreateFolder(strfullpath)[CR][LF] end if [CR][LF] [CR][LF]  Set fso = NULL[CR][LF][CR][LF]ReportRepairResult true , &quot;Folder checked was done.&quot;[CR][LF][CR][LF]End Sub[CR][LF][CR][LF][CR][LF][CR][LF][CR][LF][CR][LF][CR][LF][CR][LF][CR][LF][CR][LF] [CR][LF][CR][LF][CR][LF][CR][LF]" />
              </Args>
            </Cmd>
            <Cmd Type="UNZIPFILE">
              <Args>
                <Arg N="destination" V="%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%" />
                <Arg N="source" V="$(FULLPATHTOBINARY)$(PATCHBINARY)" />
              </Args>
            </Cmd>
          </Cmds>
        </Patch>
      </Patches>
      <AssociatedProducts />
      <ReadonlyGroups>
        <Group>Security Content Automation Protocol + Federal Desktop Core Configuration + (Step 1) Install Scanner</Group>
        <Group>Security Content Automation Protocol + Microsoft Baselines + (Step 1) Install Scanner</Group>

        <Group>Security Content Automation Protocol + United States Government Configuration Baseline + (Step 1) Install Scanner</Group>

      </ReadonlyGroups>

      <LANDeskRevision>6</LANDeskRevision>

    </Exportable>

  </Items>

</ExportableContainer>

 

We can use this default content to create our own scanner installation definition. The XML document below shows what to change in the default document to create this custom definition; the important changes are highlighted in red:

<?xml version="1.0"?>

<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" LastSavedBy="LIBERTY\administrator" Revision="0" SourceCore="FRANKLIN" Guid="fake" SaveType="Inherit">

  <DuplicateReferences />

  <SyncEnabled>No</SyncEnabled>

<LastSavedDate>0001-01-01T00:00:00</LastSavedDate>

  <Name>INSTALLSCANNERcustom</Name>

<AssemblyVer>9.0.3.42</AssemblyVer>

  <Items>

    <Exportable xsi:type="EVulnerability" LastSavedBy="LIBERTY\administrator" Revision="589833" SourceCore="FRANKLIN" Guid="INTL_INSTALLSCANNEREC" SaveType="Inherit">

      <DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

      <LastSavedDate>2012-06-20T01:58:42.64</LastSavedDate>

<Name>INSTALLSCANNEREC</Name>

      <Groups>

        <string>1 + install scanner</string>

        <string>1 + Security Content Automation Protocol + Federal Desktop Core Configuration + (Step 1) Install Scanner</string>

      </Groups>

      <AssemblyVer>9.0.3.91</AssemblyVer>

      <Prerequisites />

      <CVE_ID />

<PublishDate>2009-09-30T01:00:00</PublishDate>

      <Title>SCAP Scanner Installation</Title>

      <Description>This security threat will scan a LANDesk client and determine if the SCAP installation is present. If the SCAP scanner utility is not installed this security threat will be detected. The administrator will be able to remediate the detection by installing the SCAP scanner utility.</Description>

      <Summary />

      <Lang>INTL</Lang>

      <MoreInfoURL />

      <FAQURL />

      <Severity>3</Severity>

      <Vendor>LANDesk</Vendor>

      <Status>Enabled</Status>

      <Type>Custom</Type>

      <AutoFix>false</AutoFix>

<Fixable>AllFixable</Fixable>

      <CanRunSilent>NoPatchesAreSilent</CanRunSilent>

<Compliance>false</Compliance>

      <Category />

      <SupercededState>None</SupercededState>

      <Alert>false</Alert>

<HasCustomVars>false</HasCustomVars>

      <Patches>

        <Patch Download="DManual" Silent="CRSNo" Reboot="RNo" UniqueFilename="S-CAT.zip" Hash="" Size="38881157">

          <Name>S-CAT.zip</Name>

          <Advanced>

            <DetectScript />

            <DetectScriptDescription />

          </Advanced>

          <Comments />

          <URL>http://patch.landesk.com/patches/S-CAT.zip</URL>

          <State>Enabled</State>

          <AdditionalFiles />

          <Files>

            <File>

<Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\s-cat.exe</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>5226816</FileSize>

<Checksum>302663084</Checksum>

              <Version />

<CommandID>c</CommandID>

              <Flags />

            </File>

            <File>

<Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TADLib.dll</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>241152</FileSize>

<Checksum>2057779226</Checksum>

              <Version />

<CommandID>c</CommandID>

              <Flags />

            </File>

            <File>

<Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TADLib_x64.dll</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>288768</FileSize>

              <Checksum>297008079</Checksum>

              <Version />

<CommandID>c</CommandID>

              <Flags />

            </File>

            <File>

              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGMGT.dll</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>117760</FileSize>

<Checksum>1280690620</Checksum>

              <Version />

<CommandID>c</CommandID>

              <Flags />

            </File>

            <File>

<Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGMGT_x64.dll</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>139776</FileSize>

<Checksum>3277961676</Checksum>

              <Version />

<CommandID>c</CommandID>

              <Flags />

            </File>

            <File>

              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGVista.dll</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>11264</FileSize>

<Checksum>4042234824</Checksum>

              <Version />

              <CommandID>c</CommandID>

              <Flags />

            </File>

            <File>

<Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGVista_x64.dll</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>14336</FileSize>

<Checksum>2036220168</Checksum>

              <Version />

<CommandID>c</CommandID>

              <Flags />

            </File>

            <File>

              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGWmi.dll</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>80384</FileSize>

<Checksum>23412607</Checksum>

              <Version />

              <CommandID>c</CommandID>

              <Flags />

            </File>

            <File>

<Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\TGWmi_x64.dll</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>88576</FileSize>

<Checksum>2090235095</Checksum>

              <Version />

<CommandID>c</CommandID>

              <Flags />

            </File>

            <File>

              <Path>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\Version.dll</Path>

<FileDate>0001-01-01T00:00:00</FileDate>

<FileSize>0</FileSize>

<Version>1.0.0.1</Version>

<CommandID>c</CommandID>

              <Flags />

            </File>

          </Files>

          <RegKeys />

          <Products />

          <Platforms>

            <ID>win7-x64</ID>

<ID>win2008r2-x64</ID>

            <ID>winxp</ID>

            <ID>win2k3</ID>

            <ID>winxp-x64</ID>

            <ID>win2k3-x64</ID>

            <ID>winvista</ID>

            <ID>winvista-x64</ID>

            <ID>win2008</ID>

            <ID>win2008-x64</ID>

            <ID>win7</ID>

          </Platforms>

          <UninstallInfo>

<canBeUninstalled>false</canBeUninstalled>

<requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

          </UninstallInfo>

          <CustVars />

          <Cmds>

            <Cmd Type="RunVbScript">

              <Args>

                <Arg N="ScriptCode" V="&#xD;&#xA;main()&#xD;&#xA;&#xD;&#xA;Sub main&#xD;&#xA;  Dim strldpath, strfullpath&#xD;&#xA;  On Error Resume Next&#xD;&#xA;&#xD;&#xA;  strldpath = ReadRegValue(&quot;HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path&quot;)    &#xD;&#xA; &#xD;&#xA; if strldpath = &quot;&quot; then&#xD;&#xA;     ReportRepairResult false , &quot;the path of LDclient was not found.&quot;&#xD;&#xA;     exit sub&#xD;&#xA;  end if &#xD;&#xA;&#xD;&#xA;  strfullpath = strldpath &amp; &quot;\S-CAT&quot;&#xD;&#xA; log strfullpath&#xD;&#xA; &#xD;&#xA;  Dim fso&#xD;&#xA;  Set fso = CreateObject(&quot;scripting.filesystemobject&quot;)&#xD;&#xA;  log fso.FolderExists(strfullpath) &#xD;&#xA;  &#xD;&#xA; if fso.FolderExists(strfullpath) = false then&#xD;&#xA; fso.CreateFolder(strfullpath)&#xD;&#xA;  end if &#xD;&#xA;      &#xD;&#xA;  Set fso = NULL&#xD;&#xA;&#xD;&#xA;ReportRepairResult true , &quot;Folder checked was done.&quot;&#xD;&#xA;&#xD;&#xA;End Sub&#xD;&#xA;&#xD;&#xA;&#xD;&#xA;&#xD;&#xA;&#xD;&#xA;&#xD;&#xA;&#xD;&#xA;&#xD;&#xA;&#xD;&#xA;&#xD;&#xA; &#xD;&#xA;&#xD;&#xA;&#xD;&#xA;&#xD;&#xA;" />

              </Args>

            </Cmd>

            <Cmd Type="UNZIPFILE">

              <Args>

                <Arg N="destination" V="%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%" />

                <Arg N="source" V="$(FULLPATHTOBINARY)$(PATCHBINARY)" />

              </Args>

            </Cmd>

          </Cmds>

        </Patch>

      </Patches>

      <AssociatedProducts />

      <ReadonlyGroups>

        <Group>Security Content Automation Protocol + Federal Desktop Core Configuration + (Step 1) Install Scanner</Group>

      </ReadonlyGroups>

      <LANDeskRevision>9</LANDeskRevision>

    </Exportable>

  </Items>

</ExportableContainer>
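As an added illustration of the edit just shown (example code written for this page, not LANDesk tooling and not part of the original document), the Python below takes a default export and rewrites the fields in which the custom export above differs from the vendor definition: the container Name, the Exportable Guid and Name, the Groups list, and Type, which becomes Custom so that the definition is editable in the console. The input document is a constructed, trimmed-down container; the names and Guid in it are placeholders. That the core server keys definitions on the Exportable Guid is an assumption, and it is the reason the function refuses to reuse the old Guid.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)
ET.register_namespace("xsd", "http://www.w3.org/2001/XMLSchema")

# Constructed stand-in for a default "install scanner" export, trimmed to the
# elements this example touches. Names and Guid are placeholders, not values
# taken from a real core server.
DEFAULT_EXPORT = """<?xml version="1.0"?>
<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" Guid="fake" SaveType="Inherit">
  <Name>INSTALLSCANNER-DEFAULT</Name>
  <AssemblyVer>9.0.3.42</AssemblyVer>
  <Items>
    <Exportable xsi:type="EVulnerability" Guid="INTL_INSTALLSCANNER-DEFAULT" SaveType="Inherit">
      <Name>INSTALLSCANNER-DEFAULT</Name>
      <Groups>
        <string>1 + Security Content Automation Protocol + Microsoft Baselines + (Step 1) Install Scanner</string>
      </Groups>
      <Title>SCAP Scanner Installation</Title>
      <Type>Configuration</Type>
    </Exportable>
  </Items>
</ExportableContainer>
"""


def identity(xml_text):
    """Return the fields that identify a definition: container name, Guid,
    definition name, type and the console groups it is listed in."""
    root = ET.fromstring(xml_text)
    exp = root.find("Items/Exportable")
    return {
        "container_name": root.findtext("Name"),
        "guid": exp.get("Guid"),
        "name": exp.findtext("Name"),
        "type": exp.findtext("Type"),
        "groups": [s.text for s in exp.findall("Groups/string")],
    }


def make_custom_definition(xml_text, container_name, def_name, guid, groups):
    """Return a copy of the export with its identity fields rewritten and
    Type set to Custom (a custom definition is editable in the 32-bit
    console, a security threat is not)."""
    root = ET.fromstring(xml_text)
    exp = root.find("Items/Exportable")
    # Assumption: the core server keys definitions on the Exportable Guid, so
    # a custom copy must never keep the vendor definition's Guid.
    if exp.get("Guid") == guid:
        raise ValueError("custom definition must get a new Guid")
    root.find("Name").text = container_name
    exp.set("Guid", guid)
    exp.find("Name").text = def_name
    exp.find("Type").text = "Custom"
    grp = exp.find("Groups")
    for old in list(grp):
        grp.remove(old)
    for g in groups:
        ET.SubElement(grp, "string").text = g
    if hasattr(ET, "indent"):          # Python 3.9+: re-indent the edited Groups
        ET.indent(root, space="  ")
    # ElementTree drops the XML declaration and any unused namespace, so the
    # declaration is put back explicitly before the file is handed to the importer.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    custom = make_custom_definition(
        DEFAULT_EXPORT, "INSTALLSCANNERcustom", "INSTALLSCANNEREC",
        "INTL_INSTALLSCANNEREC", ["1 + install scanner"])
    print(custom)
    print(identity(custom))
```

Run identity() on the result before importing it: the Type must read Custom and the Guid must differ from the default's, otherwise the import will not give you a separate, editable definition.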

2.     Creation of the custom compliance results scan

          a.     XML structure

As mentioned previously, this definition executes the SCAP scanner against a specific baseline. Our standard compliance results definition looks like the following when we export it to XML:

<?xml version="1.0"?>

<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" LastSavedBy="AMERICA\administrator" Revision="0" SourceCore="YOSSARIAN" Guid="fake" SaveType="Inherit">

  <DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

<LastSavedDate>0001-01-01T00:00:00</LastSavedDate>

<Name>COMPLIANCE-RESULTS-FILE</Name>

<AssemblyVer>9.0.3.42</AssemblyVer>

  <Items>

    <Exportable xsi:type="EVulnerability" LastSavedBy="AMERICA\administrator" Revision="262148" SourceCore="YOSSARIAN" Guid="INTL_COMPLIANCE-RESULTS-FILE" SaveType="Inherit">

      <DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

      <LastSavedDate>2012-02-13T11:33:02.103+00:00</LastSavedDate>

<Name>COMPLIANCE-RESULTS-FILE</Name>

      <Groups>

        <string>1 + Security Content Automation Protocol + Federal Desktop Core Configuration + (Step 2) Results File Scan</string>

        <string>1 + Security Content Automation Protocol + United States Government Configuration Baseline + (Step 2) Results File Scan</string>

        <string>1 + Security Content Automation Protocol + Microsoft Baselines + (Step 2) Results File Scan</string>

      </Groups>

<AssemblyVer>9.0.3.93</AssemblyVer>

      <Prerequisites />

      <CVE_ID />

<PublishDate>2009-02-16T00:00:00</PublishDate>

      <Title>Compliance Results File</Title>

      <Description>Runs the SCAP tool to create the results file needed identify SCAP vulnerabilities</Description>

      <Summary />

<Lang>INTL</Lang>

      <MoreInfoURL />

      <FAQURL />

<Severity>5</Severity>

<Vendor>LANDesk</Vendor>

<Status>Enabled</Status>

<Type>Configuration</Type>

      <AutoFix>false</AutoFix>

<Fixable>AllFixable</Fixable>

<CanRunSilent>Custom_Unknown</CanRunSilent>

<Compliance>false</Compliance>

      <Category />

<SupercededState>None</SupercededState>

<Alert>false</Alert>

      <HasCustomVars>true</HasCustomVars>

      <Patches>

        <Patch Download="DManual" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="*ComplianceResultsFile_FDCC-Winvista" Hash="" Size="0">

<Name>FDCC-Vista</Name>

          <Advanced>

<DetectScript>' This script will call s-cat.exe using the FDCC XCCDF template and if the file

' is older than x number of days it will be vulnerable

 

'----- Start of variables section -----

Const FileNotThere = 1

Const FileHasExpired = 2

 

Dim sComputerName, sXCCDFIE, sXCCDFWin

Dim sXCCDFFw, sLDPath, sMessage

Dim iExpDays, iRetVal

Dim dNow

dNow = Now

iExpDays = CInt(CustomVariable("ExpirationDate"))

iRetVal = 0

'----- End of variables section -----

 

'----- Start of function section -----

' Checks for file's existence &amp; if it has expired

Function IsVulnerable(sFile, iDays)

                        Dim bRet

                        Dim iDiffDays

                        Dim oFS, oFile

 

                        Set oFS = CreateObject("Scripting.FileSystemObject")      

 

                        If oFS.FileExists(sFile) Then

                            Set oFile = oFS.GetFile(sFile)

                            iDiffDays = DateDiff("d", oFile.DateLastModified, dNow)

                            Log "Found: " &amp; sFile     

                            Log "Last Modified Date: " &amp; oFile.DateLastModified

                            Log "Current Date: " &amp; dNow

                            Log "Difference in days: " &amp; iDiffDays

                            If iDiffDays &gt;= iDays Then

                                Log "Expired: " &amp; sFile

                                iRetVal = FileHasExpired

                                bRet = True

                            Else

                                Log sFile &amp; " exists and is not past due."

                                bRet = False

                            End If

                        Else

                            Log sFile &amp; " NOT FOUND"

                            iRetVal = FileNotThere

                            bRet = True

                        End If

 

                        Set oFS = Nothing

                        Set oFile = Nothing

                        IsVulnerable = bRet

End Function

 

' Returns the path to the XCCDF results file

Function GetXCCDFPath(sLDClientPath, sHostName, sTemplate)

                        str = sLDClientPath + "\S-CAT\Products\"

                        str = str + sHostName + sTemplate + "-xccdf-results.xml"

                        GetXCCDFPath = str

End Function

'----- End of function section -----

 

sComputerName = GetComputerName()

sLDPath = ReadRegValue("HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path")

Log "LDPath: " + sLDPath

sXCCDFWin = GetXCCDFPath(sLDPath, sComputerName, "-fdcc-winvista")

 

If IsVulnerable(sXCCDFWin, iExpDays) Then   

    If iRetVal = FileNotThere Then

        Report true, sXCCDFWin, "XCCDF file not found", "The file is not in the products folder."

    ElseIf iRetVal = FileHasExpired Then

        Report true, sXCCDFWin, "XCCDF has expired", "The file is older than " &amp; iExpDays &amp; " days."

    Else

        Report true, sXCCDFWin, "XCCDF has an unspecified error", "The file has an unknown error with it."   

    End If

Else

                        Report false, "XCCDF file was found", "XCCDF file was found", "The file is in the products folder."

End If

</DetectScript>

<DetectScriptDescription>Checks to see if the XCCDF file exists</DetectScriptDescription>

          </Advanced>

          <Comments />

          <URL />

<State>Enabled</State>

          <AdditionalFiles />

          <Files />

          <RegKeys />

          <Products>

<ID>S-CATSCAN</ID>

          </Products>

          <Platforms>

<ID>winvista</ID>

<ID>winvista-x64</ID>

          </Platforms>

          <UninstallInfo>

<canBeUninstalled>false</canBeUninstalled>

            <requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

          </UninstallInfo>

          <CustVars>

            <CV>

<Name>ExpirationDate</Name>

<Type>int</Type>

<ReadOnly>False</ReadOnly>

<Hidden>False</Hidden>

              <PossibleValues />

<Value>30</Value>

<DefaultValue>30</DefaultValue>

<Description>The number of days before an SCAP scan is performed. Setting this to 0 will force a new scan.</Description>

            </CV>

          </CustVars>

          <Cmds>

            <Cmd Type="Execute">

              <Args>

                <Arg N="PATH" V="&quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\s-cat.exe&quot;" />

                <Arg N="ARGS" V="-t x -S -R full -O &quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\Products&quot; -c &quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\oem-content&quot;" />

                <Arg N="TIMEOUT" V="%DEFAULTTIMEOUT%" />

                <Arg N="WAIT" V="true" />

              </Args>

            </Cmd>

          </Cmds>

        </Patch>

        <Patch Download="DManual" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="*ComplianceResultsFile_FDCC-Winxp" Hash="" Size="0">

<Name>FDCC-Winxp</Name>

          <Advanced>

<DetectScript>' This script will call s-cat.exe using the FDCC XCCDF template and if the file

' is older than x number of days it will be vulnerable

 

'----- Start of variables section -----

Const FileNotThere = 1

Const FileHasExpired = 2

 

Dim sComputerName, sXCCDFIE, sXCCDFWin

Dim sXCCDFFw, sLDPath, sMessage

Dim iExpDays, iRetVal

Dim dNow

dNow = Now

iExpDays = CInt(CustomVariable("ExpirationDate"))

iRetVal = 0

'----- End of variables section -----

 

'----- Start of function section -----

' Checks for file's existence &amp; if it has expired

Function IsVulnerable(sFile, iDays)

                        Dim bRet

                        Dim iDiffDays

                        Dim oFS, oFile

 

                        Set oFS = CreateObject("Scripting.FileSystemObject")      

 

                        If oFS.FileExists(sFile) Then

                            Set oFile = oFS.GetFile(sFile)

                            iDiffDays = DateDiff("d", oFile.DateLastModified, dNow)

                            Log "Found: " &amp; sFile     

                            Log "Last Modified Date: " &amp; oFile.DateLastModified

                            Log "Current Date: " &amp; dNow

                            Log "Difference in days: " &amp; iDiffDays

                            If iDiffDays &gt;= iDays Then

                                Log "Expired: " &amp; sFile

                                iRetVal = FileHasExpired

                                bRet = True

                            Else

                                Log sFile &amp; " exists and is not past due."

                                bRet = False

                            End If

                        Else

                            Log sFile &amp; " NOT FOUND"

                            iRetVal = FileNotThere

                            bRet = True

                        End If

 

                        Set oFS = Nothing

                        Set oFile = Nothing

                        IsVulnerable = bRet

End Function

 

' Returns the path to the XCCDF results file

Function GetXCCDFPath(sLDClientPath, sHostName, sTemplate)

                        str = sLDClientPath + "\S-CAT\Products\"

                        str = str + sHostName + sTemplate + "-xccdf-results.xml"

                        GetXCCDFPath = str

End Function

'----- End of function section -----

 

sComputerName = GetComputerName()

sLDPath = ReadRegValue("HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path")

Log "LDPath: " + sLDPath

sXCCDFWin = GetXCCDFPath(sLDPath, sComputerName, "-fdcc-winxp")

 

If IsVulnerable(sXCCDFWin, iExpDays) Then   

    If iRetVal = FileNotThere Then

        Report true, sXCCDFWin, "XCCDF file not found", "The file is not in the products folder."

    ElseIf iRetVal = FileHasExpired Then

        Report true, sXCCDFWin, "XCCDF has expired", "The file is older than " &amp; iExpDays &amp; " days."   

    Else

        Report true, sXCCDFWin, "XCCDF has an unspecified error", "The file has an unknown error with it."   

    End If

Else

                        Report false, "XCCDF file was found", "XCCDF file was found", "The file is in the products folder."

End If

</DetectScript>

<DetectScriptDescription>Checks to see if the XCCDF file exists</DetectScriptDescription>

          </Advanced>

          <Comments />

          <URL />

<State>Enabled</State>

          <AdditionalFiles />

          <Files />

          <RegKeys />

          <Products>

<ID>S-CATSCAN</ID>

          </Products>

          <Platforms>

<ID>winxp</ID>

            <ID>winxp-x64</ID>

          </Platforms>

          <UninstallInfo>

<canBeUninstalled>false</canBeUninstalled>

<requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

          </UninstallInfo>

          <CustVars>

            <CV>

<Name>ExpirationDate</Name>

<Type>int</Type>

<ReadOnly>False</ReadOnly>

<Hidden>False</Hidden>

              <PossibleValues />

<Value>5</Value>

<DefaultValue>30</DefaultValue>

<Description>The number of days before an SCAP scan is performed. Setting this to 0 will force a new scan.</Description>

            </CV>

          </CustVars>

          <Cmds>

            <Cmd Type="Execute">

              <Args>

                <Arg N="PATH" V="&quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\s-cat.exe&quot;" />

                <Arg N="ARGS" V="-t x -S -R full -O &quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\Products&quot; -c &quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\oem-content&quot;" />

                <Arg N="TIMEOUT" V="%DEFAULTTIMEOUT%" />

                <Arg N="WAIT" V="true" />

              </Args>

            </Cmd>

          </Cmds>

        </Patch>

      </Patches>

      <AssociatedProducts>

        <prod Prod_ID="S-CATSCAN" Revision="1" Date="1339610245">

          <Name>S-CAT Scanner</Name>

<Vendor>ThreatGuard</Vendor>

          <Version />

<Custom>false</Custom>

<DetectedByFiles>

            <File>

<filename>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\Winclient\Path)%\S-CAT\s-cat.exe</filename>

              <minVersion>0.0.0.0</minVersion>

<maxVersion>9.9.9.9</maxVersion>

            </File>

          </DetectedByFiles>

          <DetectedByRegs />

          <Advanced>

            <DetectScript />

          </Advanced>

          <DetectedByRPMs />

          <DetectedByBundles />

        </prod>

</AssociatedProducts>

      <ReadonlyGroups>

        <Group>Security Content Automation Protocol + Federal Desktop Core Configuration + (Step 2) Results File Scan</Group>

        <Group>Security Content Automation Protocol + Microsoft Baselines + (Step 2) Results File Scan</Group>

        <Group>Security Content Automation Protocol + United States Government Configuration Baseline + (Step 2) Results File Scan</Group>

      </ReadonlyGroups>

<LANDeskRevision>4</LANDeskRevision>

    </Exportable>

  </Items>

</ExportableContainer>

Note that this XML document has been truncated for clarity and only shows two detection rules. In our case, we are interested in the following information in this XML document:

 

               i.     Name of the vulnerability

This element gives the name of the definition and is defined within the “ExportableContainer” element in the following way:

  <Name>COMPLIANCE-RESULTS-FILE</Name>

 

               ii.     Version of the assembly

This element is tied to the version and patch level of your LDMS core server, so it may change when a new LANDesk patch is applied to the core server; check it after patching. It is also defined within the “ExportableContainer” element in the following way:

<AssemblyVer>9.0.3.42</AssemblyVer>

 

               iii.     Groups

This element defines in which custom or predefined groups this definition will be visible in the LANDesk console. It is also defined within the “ExportableContainer” element in the following way:

      <Groups>

        <string>1 + Security Content Automation Protocol + Federal Desktop Core Configuration + (Step 2) Results File Scan</string>

        <string>1 + Security Content Automation Protocol + United States Government Configuration Baseline + (Step 2) Results File Scan</string>

        <string>1 + Security Content Automation Protocol + Microsoft Baselines + (Step 2) Results File Scan</string>

      </Groups>

In this case, the definition will be visible in three pre-defined groups in the Patch and Compliance tool.

 

               iv.     Type

In the LANDesk Patch and Compliance tool of your 32-bit console, you have several types of definitions: “Windows vulnerabilities”, “custom definitions”, “security threats”, etc. By default, SCAP definitions are listed as security threats. This information is defined in the “ExportableContainer” element as illustrated below:

<Type>Configuration</Type>

The “Configuration” type in the XML document corresponds to the “security threats” type in the 32-bit console.

A custom definition can be modified/edited in the 32-bit console. A security threat cannot be edited in the 32-bit console.

 

               v.     Detection Rules

In LANDesk Patch Manager, a vulnerability definition can have one or “n” detection rules. This is useful if you have a definition that needs to be detected on different platforms or for different products. For example, our standard compliance-results definition has 8 detection rules that cater for the different MS, FDCC and USGCB baselines.

 

Those rules have the following xml structure:

<Patch Download="DManual" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="*ComplianceResultsFile_FDCC-Winvista" Hash="" Size="0">

<Name>FDCC-Vista</Name>

          <Advanced>

<DetectScript>' This script will call s-cat.exe using the FDCC XCCDF template and if the file

' is older than x number of days it will be vulnerable

 

'----- Start of variables section -----

Const FileNotThere = 1

Const FileHasExpired = 2

 

Dim sComputerName, sXCCDFIE, sXCCDFWin

Dim sXCCDFFw, sLDPath, sMessage

Dim iExpDays, iRetVal

Dim dNow

dNow = Now

iExpDays = CInt(CustomVariable("ExpirationDate"))

iRetVal = 0

'----- End of variables section -----

 

'----- Start of function section -----

' Checks for file's existence &amp; if it has expired

Function IsVulnerable(sFile, iDays)

                        Dim bRet

                        Dim iDiffDays

                        Dim oFS, oFile

 

                        Set oFS = CreateObject("Scripting.FileSystemObject")      

 

                        If oFS.FileExists(sFile) Then

                            Set oFile = oFS.GetFile(sFile)

                            iDiffDays = DateDiff("d", oFile.DateLastModified, dNow)

                            Log "Found: " &amp; sFile     

                            Log "Last Modified Date: " &amp; oFile.DateLastModified

                            Log "Current Date: " &amp; dNow

                            Log "Difference in days: " &amp; iDiffDays

                            If iDiffDays &gt;= iDays Then

                                Log "Expired: " &amp; sFile

                                iRetVal = FileHasExpired

                                bRet = True

                            Else

                                Log sFile &amp; " exists and is not past due."

                                bRet = False

                            End If

                        Else

                            Log sFile &amp; " NOT FOUND"

                            iRetVal = FileNotThere

                            bRet = True

                        End If

 

                        Set oFS = Nothing

                        Set oFile = Nothing

                        IsVulnerable = bRet

End Function

 

' Returns the path to the XCCDF results file

Function GetXCCDFPath(sLDClientPath, sHostName, sTemplate)

                        str = sLDClientPath + "\S-CAT\Products\"

                        str = str + sHostName + sTemplate + "-xccdf-results.xml"

                        GetXCCDFPath = str

End Function

'----- End of function section -----

 

sComputerName = GetComputerName()

sLDPath = ReadRegValue("HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path")

Log "LDPath: " + sLDPath

sXCCDFWin = GetXCCDFPath(sLDPath, sComputerName, "-fdcc-winvista")

 

If IsVulnerable(sXCCDFWin, iExpDays) Then   

    If iRetVal = FileNotThere Then

        Report true, sXCCDFWin, "XCCDF file not found", "The file is not in the products folder."

    ElseIf iRetVal = FileHasExpired Then

        Report true, sXCCDFWin, "XCCDF has expired", "The file is older than " &amp; iExpDays &amp; " days."

    Else

        Report true, sXCCDFWin, "XCCDF has an unspecified error", "The file has an unknown error with it."   

    End If

Else

                        Report false, "XCCDF file was found", "XCCDF file was found", "The file is in the products folder."

End If

</DetectScript>

            <DetectScriptDescription>Checks to see if the XCCDF file exists</DetectScriptDescription>

          </Advanced>

          <Comments />

          <URL />

<State>Enabled</State>

          <AdditionalFiles />

          <Files />

          <RegKeys />

          <Products>

<ID>S-CATSCAN</ID>

          </Products>

          <Platforms>

<ID>winvista</ID>

<ID>winvista-x64</ID>

          </Platforms>

          <UninstallInfo>

<canBeUninstalled>false</canBeUninstalled>

<requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

          </UninstallInfo>

          <CustVars>

            <CV>

<Name>ExpirationDate</Name>

<Type>int</Type>

<ReadOnly>False</ReadOnly>

<Hidden>False</Hidden>

              <PossibleValues />

<Value>30</Value>

<DefaultValue>30</DefaultValue>

<Description>The number of days before an SCAP scan is performed. Setting this to 0 will force a new scan.</Description>

            </CV>

          </CustVars>

          <Cmds>

            <Cmd Type="Execute">

              <Args>

                <Arg N="PATH" V="&quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\s-cat.exe&quot;" />

                <Arg N="ARGS" V="-t x -S -R full -O &quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\Products&quot; -c &quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\oem-content&quot;" />

                <Arg N="TIMEOUT" V="%DEFAULTTIMEOUT%" />

                <Arg N="WAIT" V="true" />

              </Args>

            </Cmd>

          </Cmds>

        </Patch>

 

 

In this XML document, we are interested in the following elements:

 

          vi.     Name of the rule

This element identifies the rule in the Patch and Compliance tool. It is defined as an attribute of the “Patch” element in the following way:

<Patch Download="DManual" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="*ComplianceResultsFile_FDCC-Winvista" Hash="" Size="0">

 

          vii.     Detection script

All the SCAP definitions use a VBScript that manipulates the XML files and controls the SCAP scanner on the client. What we need from this script in our case is the reference to the baseline it is going to check. This is defined in the following way:

sComputerName = GetComputerName()

sLDPath = ReadRegValue("HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path")

Log "LDPath: " + sLDPath

sXCCDFWin = GetXCCDFPath(sLDPath, sComputerName, "-fdcc-winvista")

This defines which definition XML file will be used to perform the SCAP scan.

 

          viii.     Platform

This defines the platforms on which the rule will be detected. It is defined as follows in the XML document:

          <Platforms>

            <ID>winvista</ID>

            <ID>winvista-x64</ID>

          </Platforms>

The platforms supported by LANDesk are listed in the “platform” table of the LANDesk database; they are the following:

 

winnt, winxp, win2k3, win9x, win2k, winvista, win2008, win7, winvista-x64, win2008-x64, win7-x64, winxp-x64, win2k3-x64, win2008r2-x64, rhel5_x86_64, win7x64, solaris7, solaris8, solaris9, suse91, macosx, macosxserver

 

 

          ix.     Product

This defines whether detection of the definition must only occur when a specific product is installed on the client. It is defined as follows in the XML document:

          <Products>

            <ID>S-CATSCAN</ID>

          </Products>

 

In this instance we want to make sure that the SCAP scanner is installed before the detection is performed. The list of available products is held in the “PatchProduct” table of the LANDesk database.

 

          b.     Creation of the custom SCAP compliance results file definition

Based on the information gathered above, we can create a custom compliance results definition XML file. In the following example we create a definition that will scan for the “LANDeskCustomSCAP” custom baseline. I have highlighted in red what I changed to make the definition work.

<?xml version="1.0"?>

<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" LastSavedBy="AMERICA\administrator" Revision="0" SourceCore="YOSSARIAN" Guid="fake" SaveType="Inherit">

  <DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

<LastSavedDate>0001-01-01T00:00:00</LastSavedDate>

  <Name>ldcustomscap-compliance-results-file</Name>

<AssemblyVer>9.0.3.42</AssemblyVer>

  <Items>

    <Exportable xsi:type="EVulnerability" LastSavedBy="AMERICA\administrator" Revision="327687" SourceCore="YOSSARIAN" Guid="INTL_ldcustomscap-compliance-results-file" SaveType="Inherit">

      <DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

<LastSavedDate>2012-09-04T18:59:23.013+01:00</LastSavedDate>

<Name>ldcustomscap-compliance-results-file</Name>

      <Groups>

        <string>1 + LANDeskcustomSCAP + Step 2 - Create result files</string>

      </Groups>

<AssemblyVer>9.0.3.93</AssemblyVer>

      <Prerequisites />

      <CVE_ID />

<PublishDate>2009-02-16T00:00:00</PublishDate>

      <Title>Compliance Results File</Title>

      <Description>Runs the SCAP tool to create the results file needed identify SCAP vulnerabilities</Description>

      <Summary />

<Lang>INTL</Lang>

      <MoreInfoURL />

      <FAQURL />

<Severity>5</Severity>

<Vendor>LANDesk</Vendor>

<Status>Enabled</Status>

<Type>Configuration</Type>

      <AutoFix>false</AutoFix>

<Fixable>AllFixable</Fixable>

<CanRunSilent>Custom_Unknown</CanRunSilent>

<Compliance>false</Compliance>

      <Category />

<SupercededState>None</SupercededState>

<Alert>false</Alert>

<HasCustomVars>true</HasCustomVars>

      <Patches>

        <Patch Download="DManual" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="*ldcustomscap-compliance-results-file_ldccustomscapcomplianceresults-windows7" Hash="" Size="0">

          <Name>ldccustomscapcomplianceresults-windows7</Name>

          <Advanced>

<DetectScript>' This script will call s-cat.exe using the USGCB XCCDF template and if the file

' is older than x number of days it will be vulnerable

 

'----- Start of variables section -----

Const FileNotThere = 1

Const FileHasExpired = 2

 

Dim sComputerName, sXCCDFIE, sXCCDFWin

Dim sXCCDFFw, sLDPath, sMessage

Dim iExpDays, iRetVal

Dim dNow

dNow = Now

iExpDays = CInt(CustomVariable("ExpirationDate"))

iRetVal = 0

'----- End of variables section -----

 

'----- Start of function section -----

' Checks for file's existance &amp; if it has expired

Function IsVulnerable(sFile, iDays)

                        Dim bRet

                        Dim iDiffDays

                        Dim oFS, oFile

 

                        Set oFS = CreateObject("Scripting.FileSystemObject")      

 

                        If oFS.FileExists(sFile) Then

                            Set oFile = oFS.GetFile(sFile)

                            iDiffDays = DateDiff("d", oFile.DateLastModified, dNow)

                            Log "Found: " &amp; sFile     

                            Log "Last Modified Date: " &amp; oFile.DateLastModified

                            Log "Current Date: " &amp; dNow

                            Log "Difference in days: " &amp; iDiffDays

                            If iDiffDays &gt;= iDays Then

                                Log "Expired: " &amp; sFile

                                iRetVal = FileHasExpired

                                bRet = True

                            Else

                                Log sFile &amp; " exists and is not past due."

                                bRet = False

                            End If

                        Else

                            Log sFile &amp; " NOT FOUND"

                            iRetVal = FileNotThere

                            bRet = True

                        End If

 

                        Set oFS = Nothing

                        Set oFile = Nothing

                        IsVulnerable = bRet

End Function

 

' Returns the path to the XCCDF results file

Function GetXCCDFPath(sLDClientPath, sHostName, sTemplate)

                        str = sLDClientPath + "\S-CAT\Products\"

                        str = str + sHostName + sTemplate + "-xccdf-results.xml"

                        GetXCCDFPath = str

End Function

'----- End of function section -----

 

sComputerName = GetComputerName()

sLDPath = ReadRegValue("HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path")

Log "LDPath: " + sLDPath

sXCCDFWin = GetXCCDFPath(sLDPath, sComputerName, "-LANDeskSCAPcustom")

 

If IsVulnerable(sXCCDFWin, iExpDays) Then   

    If iRetVal = FileNotThere Then

        Report true, sXCCDFWin, "XCCDF file not found", "The file is not in the products folder."

    ElseIf iRetVal = FileHasExpired Then

        Report true, sXCCDFWin, "XCCDF has expired", "The file is older than " &amp; iExpDays &amp; " days."

    Else

        Report true, sXCCDFWin, "XCCDF has an unspecified error", "The file has an unknown error with it."   

    End If

Else

                        Report false, "XCCDF file was found", "XCCDF file was found", "The file is in the products folder."

End If

</DetectScript>

            <DetectScriptDescription>Checks to see if the XCCDF file exists</DetectScriptDescription>

          </Advanced>

          <Comments />

          <URL />

<State>Enabled</State>

          <AdditionalFiles />

          <Files />

          <RegKeys />

          <Products>

<ID>S-CATSCAN</ID>

          </Products>

          <Platforms>

            <ID>win7</ID>

            <ID>win7-x64</ID>

          </Platforms>

          <UninstallInfo>

<canBeUninstalled>false</canBeUninstalled>

<requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

          </UninstallInfo>

          <CustVars>

            <CV>

<Name>ExpirationDate</Name>

<Type>int</Type>

<ReadOnly>False</ReadOnly>

<Hidden>False</Hidden>

              <PossibleValues />

<Value>30</Value>

<DefaultValue>30</DefaultValue>

<Description>The number of days before an SCAP scan is performed. Setting this to 0 will force a new scan.</Description>

            </CV>

          </CustVars>

          <Cmds>

            <Cmd Type="Execute">

              <Args>

                <Arg N="PATH" V="&quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\s-cat.exe&quot;" />

                <Arg N="ARGS" V="-t x -S -R full -O &quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\Products&quot; -c &quot;%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path)%\S-CAT\oem-content&quot;" />

                <Arg N="TIMEOUT" V="%DEFAULTTIMEOUT%" />

                <Arg N="WAIT" V="true" />

              </Args>

            </Cmd>

          </Cmds>

        </Patch>

      </Patches>

      <AssociatedProducts>

        <prod Prod_ID="S-CATSCAN" Revision="1" Date="1346781563">

          <Name>S-CAT Scanner</Name>

<Vendor>ThreatGuard</Vendor>

          <Version />

<Custom>false</Custom>

          <DetectedByFiles>

            <File>

<filename>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\Winclient\Path)%\S-CAT\s-cat.exe</filename>

              <minVersion>0.0.0.0</minVersion>

<maxVersion>9.9.9.9</maxVersion>

            </File>

          </DetectedByFiles>

          <DetectedByRegs />

          <Advanced>

            <DetectScript />

          </Advanced>

          <DetectedByRPMs />

          <DetectedByBundles />

        </prod>

</AssociatedProducts>

      <ReadonlyGroups>

        <Group>Security Content Automation Protocol + Microsoft Baselines + (Step 2) Results File Scan</Group>

      </ReadonlyGroups>

<LANDeskRevision>5</LANDeskRevision>

    </Exportable>

  </Items>

</ExportableContainer>
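The freshness test that the detection script above performs (GetXCCDFPath builds the results-file path, IsVulnerable compares the file's last-modified date with the ExpirationDate custom variable) can be exercised offline. The following is an added example, not LANDesk's own code: it re-implements that logic in Python, with the same return codes the VBScript keeps in iRetVal, and runs it against a constructed results file whose modification time is back-dated. The host name "WKS001" and the temporary LDClient directory are assumptions for the demo.

```python
# Added example (not LANDesk's own code): the freshness check that the
# compliance-results detection script performs (GetXCCDFPath + IsVulnerable),
# re-implemented in Python so it can be exercised offline. Paths and the host
# name below are constructed for the demo.
import os
import tempfile
from datetime import datetime, timedelta

# Same return codes the VBScript stores in iRetVal.
FILE_OK = 0
FILE_NOT_THERE = 1
FILE_HAS_EXPIRED = 2


def xccdf_results_path(ldclient_path, hostname, template):
    """Mirror GetXCCDFPath: <LDClient>\\S-CAT\\Products\\<host><template>-xccdf-results.xml."""
    return os.path.join(ldclient_path, "S-CAT", "Products",
                        f"{hostname}{template}-xccdf-results.xml")


def age_state(last_modified, now, max_age_days):
    """Mirror the DateDiff("d", ...) >= iDays test: calendar days elapsed, so an
    ExpirationDate of 0 always expires the file and forces a new S-CAT run."""
    age_days = (now.date() - last_modified.date()).days
    return FILE_HAS_EXPIRED if age_days >= max_age_days else FILE_OK


def results_file_state(path, max_age_days, now=None):
    """Return FILE_NOT_THERE, FILE_HAS_EXPIRED or FILE_OK for a results file."""
    if not os.path.isfile(path):
        return FILE_NOT_THERE
    now = now or datetime.now()
    last_modified = datetime.fromtimestamp(os.path.getmtime(path))
    return age_state(last_modified, now, max_age_days)


def is_vulnerable(path, max_age_days, now=None):
    """The definition reports the client vulnerable whenever the file is missing
    or stale; that is what lets its repair command run s-cat.exe again."""
    return results_file_state(path, max_age_days, now) != FILE_OK


def demo():
    """Constructed scenario: one results file aged 40 days, checked under three
    ExpirationDate policies, plus a file that does not exist."""
    now = datetime.now()
    with tempfile.TemporaryDirectory() as ldclient:
        path = xccdf_results_path(ldclient, "WKS001", "-LANDeskSCAPcustom")
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<xccdf_results/>")
        stamp = (now - timedelta(days=40)).timestamp()
        os.utime(path, (stamp, stamp))   # back-date the file's mtime
        return {
            "expired_30": results_file_state(path, 30, now),
            "fresh_45": results_file_state(path, 45, now),
            "forced_0": results_file_state(path, 0, now),
            "missing": results_file_state(path + ".absent", 30, now),
            "vulnerable_30": is_vulnerable(path, 30, now),
            "vulnerable_45": is_vulnerable(path, 45, now),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth checking on a real client follow from this logic: the comparison is on calendar days, so a file written late yesterday already counts as one day old, and because the template string is appended verbatim, the suffix passed to GetXCCDFPath must match what s-cat.exe actually writes to the Products folder, otherwise the file is reported as missing on every scan.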

 

 

 

          c.     Results of the custom compliance files

After scanning this definition on my client, the machine is scanned against the rules of this baseline and a results file is created on the client in \Program Files (x86)\LANDesk\LDClient\S-CAT\products.

[Image: checkresultsfdcc.png]

 

 


3.     Creation of the scoring definition

          a.     Manual Steps

It is possible to create a custom definition that reports the score of a defined baseline. You can follow the manual steps below to achieve this:

  • Clone an existing score definition
  • Open the definition (change its name and description) and a rule on this definition (change its name and description)
  • Go into the “Custom Script” section of the definition and modify the following lines in the script:

 

Const XCCDFSuffix = "-Microsoft_Office2010-EC-Computer-XCCDF-Results.xml"

Const USGCBProfile = "Office2010-EC-Computer"

 

  • Change the “XCCDFSuffix” variable to the name of your XCCDF results file. On your client, that file lives in \LDCLIENT\S-CAT\Products\ and is named “<Name of the client>-<Name of the baseline>-xccdf-results.xml”. As the VBScript populates the name of the client automatically, you only need to set this variable to “-<Name of the baseline>-xccdf-results.xml”.
  • Change the “USGCBProfile” constant to the value of the “id” attribute of the “Profile” element in the xccdf.xml definition file
  • Also change the following line in this VBScript:

 

iPassingScore = CustomVariable("Office2010ECComputerScore")

 

The value in parentheses is the name of a custom variable that lets you set the score you require for this baseline. You need to change

  • Validate the rule
  • If you want to manage the score of all your baselines, add additional rules to your definition
  • In the properties of the definition, go to “Custom Variables”
  • Change the name of the custom variable to the one you defined earlier in the VBScript
  • Change the value of this variable to the score you want your clients to be compliant with
  • Save your definition

 

Scanning this definition on the client now returns the requested score.

 

 

          b.     XML Structure

 

The XML structure of a standard SCAP scoring definition is illustrated below:

<?xml version="1.0"?>

<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" LastSavedBy="AMERICA\administrator" Revision="0" SourceCore="YOSSARIAN" Guid="fake" SaveType="Inherit">

  <DuplicateReferences />

  <SyncEnabled>No</SyncEnabled>

<LastSavedDate>0001-01-01T00:00:00</LastSavedDate>

<Name>Microsoft_Office2010-EC-Computer-XCCDF-Score</Name>

<AssemblyVer>9.0.3.42</AssemblyVer>

  <Items>

    <Exportable xsi:type="EVulnerability" LastSavedBy="AMERICA\administrator" Revision="65538" SourceCore="YOSSARIAN" Guid="INTL_Microsoft_Office2010-EC-Computer-XCCDF-Score" SaveType="Inherit">

      <DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

<LastSavedDate>2011-11-25T15:50:32.183+00:00</LastSavedDate>

<Name>Microsoft_Office2010-EC-Computer-XCCDF-Score</Name>

      <Groups>

        <string>1 + Security Content Automation Protocol + Microsoft Baselines + (Step 3) Overall Scores</string>

      </Groups>

<AssemblyVer>9.0.3.93</AssemblyVer>

      <Prerequisites />

      <CVE_ID />

<PublishDate>2011-10-04T00:00:00</PublishDate>

      <Title>Microsoft Office2010 EC Computer XCCDF Score</Title>

      <Description>Scans for the overall score of the Microsoft IE8 EC Computer profile in the XCCDF template.</Description>

      <Summary />

      <Lang>INTL</Lang>

      <MoreInfoURL />

      <FAQURL />

      <Severity>6</Severity>

      <Vendor>LANDesk</Vendor>

      <Status>Enabled</Status>

      <Type>Configuration</Type>

      <AutoFix>false</AutoFix>

<Fixable>NotFixable</Fixable>

      <CanRunSilent>NoPatchesExist</CanRunSilent>

<Compliance>false</Compliance>

      <Category />

      <SupercededState>None</SupercededState>

      <Alert>false</Alert>

<HasCustomVars>true</HasCustomVars>

      <Patches>

        <Patch Download="DManual" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="" Hash="" Size="0">

          <Name>Microsoft Office2010 EC Computer XCCDF Score</Name>

          <Advanced>

            <DetectScript>

Const XCCDFSuffix = "-Microsoft_Office2010-EC-Computer-XCCDF-Results.xml"

Const USGCBProfile = "Office2010-EC-Computer"

Dim sComputerName, sLDPath, sXCCDFPath

Dim sSelectedProfile ' To be assigned by custom variable FDCCSelectedProfile

Dim iPassingScore, iActualScore    ' To be assigned by custom variable FDCCPassingScore

Dim sStatus, sFindings

 

Function GetSelectedProfile()

     GetSelectedProfile = USGCBProfile

End Function

 

Function GetXCCDFPath(sLDClientPath, sHostName)

                        str = sLDClientPath + "\S-CAT\Products\"

                        str = str + sHostName + XCCDFSuffix

                        GetXCCDFPath = str

End Function

 

Function IsFileThere(sFile)

                        Dim oFS         

                        Set oFS = CreateObject("Scripting.FileSystemObject")      

                        IsFileThere = oFS.FileExists(sFile)

                        Set oFS = Nothing

End Function

 

Function GetScoreXPath(strId)

                        Dim str

                        str = "/xccdf_results/profiles/profile[@id='"

                        str = str + strId

                        str = str + "']/scores"

                        GetScoreXPath = str

End Function

 

Sub ParseTigerXml(strFile)

                        Dim objXmlDoc, objXmlNode

                        Dim strResult, strRuleId, strXPath

                        Set objXmlDoc = CreateObject("Microsoft.XMLDOM")

 

                        If objXmlDoc.load(strFile) Then

                                               objXmlDoc.Async="false"

 

                                               strXPath = GetScoreXPath(sSelectedProfile)

                                               Set objXmlNode = objXmlDoc.selectSingleNode(strXPath)                         

                                               If TypeName(objXmlNode) = "Nothing" Then

                                                   Log "Unable to find score for profile."

                                                   sStatus = "Not found."

                                                   sFindings = "Failed to find profile score."

                                                   Exit Sub

                                               Else

                                                   iActualScore = CInt(objXmlNode.getAttribute("actual"))

                                                   If iActualScore &gt; CInt(iPassingScore) Then

                                                       sStatus = "pass"

                                                       sFindings = iActualScore

                                                   Else

                                                       sStatus = "fail"

                                                       sFindings = iActualScore

                                                   End If

                                               End If                                     

                        End If              

                        Set objXmlDoc = Nothing      

 

End Sub

 

' Main()

sSelectedProfile = GetSelectedProfile()

Log "Selected profile: " + sSelectedProfile

iPassingScore = CustomVariable("Office2010ECComputerScore")

Log "Passing score: " + iPassingScore

sComputerName = GetComputerName()

sLDPath = ReadRegValue("HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path")

Log "LDPath: " + sLDPath

sXCCDFPath = GetXCCDFPath(sLDPath, sComputerName)

sStatus = "fail"

sFindings = "nothing found"

iActualScore = 0

 

 

If IsFileThere(sXCCDFPath) Then

                        ParseTigerXml(sXCCDFPath)

End If

 

If sStatus = "fail" Then

    Report true, iPassingScore, sFindings, sStatus

Else

    Report false, iPassingScore, sFindings, sStatus

End If

        </DetectScript>

            <DetectScriptDescription />

          </Advanced>

          <Comments>Checks the XCCDF results file for the score</Comments>

          <URL />

          <State>Enabled</State>

          <AdditionalFiles />

          <Files />

          <RegKeys />

          <Products>

            <ID>S-CATSCAN</ID>

          </Products>

          <Platforms>

            <ID>winxp</ID>

            <ID>win2k3</ID>

            <ID>winvista</ID>

            <ID>win2008</ID>

            <ID>win7</ID>

            <ID>winvista-x64</ID>

            <ID>win2008-x64</ID>

            <ID>win7-x64</ID>

            <ID>winxp-x64</ID>

            <ID>win2k3-x64</ID>

<ID>win2008r2-x64</ID>

          </Platforms>

          <UninstallInfo>

<canBeUninstalled>false</canBeUninstalled>

<requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

          </UninstallInfo>

          <CustVars>

            <CV>

<Name>Office2010ECComputerScore</Name>

              <Type>int</Type>

              <ReadOnly>False</ReadOnly>

<Hidden>False</Hidden>

              <PossibleValues />

              <Value>110</Value>

<DefaultValue>110</DefaultValue>

              <Description>The maxium score for passing.</Description>

            </CV>

          </CustVars>

          <Cmds />

        </Patch>

        <Patch Download="DAuto" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="" Hash="" Size="0">

          <Name>Dependency</Name>

          <Advanced>

            <DetectScript />

            <DetectScriptDescription />

          </Advanced>

          <Comments />

          <URL />

          <State>Enabled</State>

          <AdditionalFiles />

          <Files />

          <RegKeys />

          <Products />

          <Platforms />

          <UninstallInfo>

<canBeUninstalled>false</canBeUninstalled>

<requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

          </UninstallInfo>

          <CustVars />

          <Cmds />

        </Patch>

      </Patches>

      <AssociatedProducts>

        <prod Prod_ID="S-CATSCAN" Revision="1" Date="1340277716">

          <Name>S-CAT Scanner</Name>

<Vendor>ThreatGuard</Vendor>

          <Version />

          <Custom>false</Custom>

          <DetectedByFiles>

            <File>

<filename>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\Winclient\Path)%\S-CAT\s-cat.exe</filename>

              <minVersion>0.0.0.0</minVersion>

<maxVersion>9.9.9.9</maxVersion>

</File>

</DetectedByFiles>

          <DetectedByRegs />

          <Advanced>

            <DetectScript />

          </Advanced>

          <DetectedByRPMs />

          <DetectedByBundles />

        </prod>

      </AssociatedProducts>

      <ReadonlyGroups>

        <Group>Security Content Automation Protocol + Microsoft Baselines + (Step 3) Overall Scores</Group>

      </ReadonlyGroups>

<LANDeskRevision>1</LANDeskRevision>

    </Exportable>

  </Items>

</ExportableContainer>
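The score lookup performed by ParseTigerXml in the definition above (and the per-rule lookup that the individual definitions of section 4 perform with the XPath //rule[@id='…' and @result]) is easier to reason about outside the console. What follows is an added example, not part of the LANDesk definitions: the same XPath queries and the same pass/fail comparison re-implemented with Python's ElementTree, run against a constructed XCCDF results document whose shape is inferred from those XPath expressions and is not a real S-CAT output file. The profile ids, rule ids and scores in the sample are constructed.

```python
# Added example (not part of the LANDesk definitions): the XCCDF results lookups
# that the scoring definition's ParseTigerXml and the per-rule definitions
# perform, re-implemented with ElementTree so they can be run offline.
import xml.etree.ElementTree as ET

# Constructed sample in the shape the detection scripts address with XPath
# (/xccdf_results/profiles/profile[@id]/scores[@actual] and //rule[@id][@result]);
# it is not a real S-CAT output file.
SAMPLE_RESULTS = """<xccdf_results>
  <profiles>
    <profile id="windows_content_profile">
      <scores actual="87" maximum="100" />
    </profile>
    <profile id="Office2010-EC-Computer">
      <scores actual="110" maximum="120" />
    </profile>
  </profiles>
  <rules>
    <rule id="Network_access__Do_not_allow_anonymous_enumeration_of_SAM_accounts130" result="pass" />
    <rule id="Some_other_rule" result="fail" />
    <rule id="Rule_without_result" />
  </rules>
</xccdf_results>
"""


def profile_score(xml_text, profile_id):
    """Mirror GetScoreXPath + getAttribute("actual"). Returns None when the profile
    or its score is absent, the case the script logs as "Unable to find score"."""
    root = ET.fromstring(xml_text)
    node = root.find(f"./profiles/profile[@id='{profile_id}']/scores")
    if node is None or "actual" not in node.attrib:
        return None
    return int(node.attrib["actual"])


def score_status(actual, passing_score):
    """Mirror the script's comparison exactly: the score must be strictly greater
    than the custom variable's value, so a score equal to it is a fail."""
    if actual is None:
        return "Not found."
    return "pass" if actual > int(passing_score) else "fail"


def reported_vulnerable(status):
    """Mirror the final If in Main(): only a literal "fail" is reported vulnerable,
    so the "Not found." status is reported as not vulnerable."""
    return status == "fail"


def rule_result(xml_text, rule_id):
    """Mirror GetResultString: the first rule element with this id and a result
    attribute (ElementTree chains predicates instead of the 'and' in the VBScript)."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//rule[@id='{rule_id}'][@result]")
    return None if node is None else node.attrib["result"]


def evaluate_profile(xml_text, profile_id, passing_score):
    """One call that produces the values the script hands to Report."""
    actual = profile_score(xml_text, profile_id)
    status = score_status(actual, passing_score)
    return {"vulnerable": reported_vulnerable(status), "status": status, "actual": actual}


if __name__ == "__main__":
    print(evaluate_profile(SAMPLE_RESULTS, "windows_content_profile", 10))
    print(rule_result(SAMPLE_RESULTS, "Some_other_rule"))
```

Three behaviours of the original script are visible here and are worth checking before relying on the definition: the comparison is strict, so a client whose score equals the custom variable is reported as failing even though the variable's description calls it "the maximum score for passing"; a profile id that does not match the “id” attribute in the results file sets the status to "Not found.", which the final If reports as not vulnerable, so a typo in USGCBProfile looks like compliance; and XCCDFSuffix must match the file name the results-file definition produces (the custom scoring definition later in this document uses "-LANDeskSCAPcustom-results.xml", whereas its results-file definition builds "<host>-LANDeskSCAPcustom-xccdf-results.xml"), so confirm the two agree on your client.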

 

          c.     Creation of the custom scoring definition

The example below is the custom definition I created to cater to your needs. In this case, it is a definition that returns the score of the landeskscapcustom baseline. I have highlighted the important changes in red.

<?xml version="1.0"?>

<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" LastSavedBy="AMERICA\administrator" Revision="0" SourceCore="YOSSARIAN" Guid="fake" SaveType="Inherit">

<DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

<LastSavedDate>0001-01-01T00:00:00</LastSavedDate>

<Name>landeskcustomscore</Name>

<AssemblyVer>9.0.3.42</AssemblyVer>

<Items>

<Exportable xsi:type="EVulnerability" LastSavedBy="AMERICA\administrator" Revision="196613" SourceCore="YOSSARIAN" Guid="INTL_landeskcustomscore" SaveType="Inherit">

<DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

<LastSavedDate>2012-09-04T20:07:23.493+01:00</LastSavedDate>

<Name>landeskcustomscore</Name>

<Groups>

<string>1 + LANDeskcustomSCAP + Step 3 - Scoring</string>

</Groups>

<AssemblyVer>9.0.3.93</AssemblyVer>

<Prerequisites />

<CVE_ID />

<PublishDate>2011-10-04T00:00:00</PublishDate>

<Title>landeskcustomscore definition</Title>

<Description>Scans for the overall score of the Microsoft windows 7 Laptop profile in the XCCDF template.</Description>

<Summary />

<Lang>INTL</Lang>

<MoreInfoURL />

<FAQURL />

<Severity>6</Severity>

<Vendor>LANDesk</Vendor>

<Status>Enabled</Status>

<Type>Configuration</Type>

<AutoFix>false</AutoFix>

<Fixable>NotFixable</Fixable>

      <CanRunSilent>NoPatchesExist</CanRunSilent>

<Compliance>false</Compliance>

<Category />

<SupercededState>None</SupercededState>

<Alert>false</Alert>

<HasCustomVars>true</HasCustomVars>

<Patches>

<Patch Download="DManual" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="" Hash="" Size="0">

<Name>custom score windows 7</Name>

<Advanced>

            <DetectScript>

Const XCCDFSuffix = "-LANDeskSCAPcustom-results.xml"

Const USGCBProfile = "windows_content_profile"

Dim sComputerName, sLDPath, sXCCDFPath

Dim sSelectedProfile ' To be assigned by custom variable FDCCSelectedProfile

Dim iPassingScore, iActualScore    ' To be assigned by custom variable FDCCPassingScore

Dim sStatus, sFindings

 

Function GetSelectedProfile()

GetSelectedProfile = USGCBProfile

End Function

 

Function GetXCCDFPath(sLDClientPath, sHostName)

                        str = sLDClientPath + "\S-CAT\Products\"

                        str = str + sHostName + XCCDFSuffix

                        GetXCCDFPath = str

End Function

 

Function IsFileThere(sFile)

                        Dim oFS         

                        Set oFS = CreateObject("Scripting.FileSystemObject")      

                        IsFileThere = oFS.FileExists(sFile)

                        Set oFS = Nothing

End Function

 

Function GetScoreXPath(strId)

                        Dim str

                        str = "/xccdf_results/profiles/profile[@id='"

                        str = str + strId

                        str = str + "']/scores"

                        GetScoreXPath = str

End Function

 

Sub ParseTigerXml(strFile)

                        Dim objXmlDoc, objXmlNode

                        Dim strResult, strRuleId, strXPath

                        Set objXmlDoc = CreateObject("Microsoft.XMLDOM")

 

                        If objXmlDoc.load(strFile) Then

                                               objXmlDoc.Async="false"

 

                                               strXPath = GetScoreXPath(sSelectedProfile)

                                               Set objXmlNode = objXmlDoc.selectSingleNode(strXPath)                         

                                               If TypeName(objXmlNode) = "Nothing" Then

                                                   Log "Unable to find score for profile."

                                                   sStatus = "Not found."

                                                   sFindings = "Failed to find profile score."

                                                   Exit Sub

                                               Else

                                                   iActualScore = CInt(objXmlNode.getAttribute("actual"))

                                                   If iActualScore &gt; CInt(iPassingScore) Then

                                                       sStatus = "pass"

                                                       sFindings = iActualScore

                                                   Else

                                                       sStatus = "fail"

                                                       sFindings = iActualScore

                                                   End If

                                               End If                                     

                        End If              

                        Set objXmlDoc = Nothing      

 

End Sub

 

' Main()

sSelectedProfile = GetSelectedProfile()

Log "Selected profile: " + sSelectedProfile

iPassingScore = CustomVariable("customscapPassingScore")

Log "Passing score: " + iPassingScore

sComputerName = GetComputerName()

sLDPath = ReadRegValue("HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path")

Log "LDPath: " + sLDPath

sXCCDFPath = GetXCCDFPath(sLDPath, sComputerName)

sStatus = "fail"

sFindings = "nothing found"

iActualScore = 0

 

 

If IsFileThere(sXCCDFPath) Then

                        ParseTigerXml(sXCCDFPath)

End If

 

If sStatus = "fail" Then

Report true, iPassingScore, sFindings, sStatus

Else

Report false, iPassingScore, sFindings, sStatus

End If

</DetectScript>

            <DetectScriptDescription />

</Advanced>

<Comments>Checks the XCCDF results file for the score</Comments>

<URL />

<State>Enabled</State>

<AdditionalFiles />

<Files />

<RegKeys />

<Products>

            <ID>S-CATSCAN</ID>

</Products>

<Platforms>

            <ID>win7</ID>

            <ID>win7-x64</ID>

            <ID>win7x64</ID>

</Platforms>

<UninstallInfo>

            <canBeUninstalled>false</canBeUninstalled>

<requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

</UninstallInfo>

<CustVars>

            <CV>

              <Name>customscapPassingScore</Name>

              <Type>int</Type>

<ReadOnly>False</ReadOnly>

<Hidden>False</Hidden>

              <PossibleValues />

              <Value>10</Value>

<DefaultValue>10</DefaultValue>

              <Description>The maxium score for passing.</Description>

            </CV>

</CustVars>

<Cmds />

</Patch>

</Patches>

<AssociatedProducts>

<prod Prod_ID="S-CATSCAN" Revision="1" Date="1346785643">

<Name>S-CAT Scanner</Name>

<Vendor>ThreatGuard</Vendor>

<Version />

<Custom>false</Custom>

<DetectedByFiles>

            <File>

<filename>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\Winclient\Path)%\S-CAT\s-cat.exe</filename>

              <minVersion>0.0.0.0</minVersion>

<maxVersion>9.9.9.9</maxVersion>

            </File>

          </DetectedByFiles>

<DetectedByRegs />

<Advanced>

            <DetectScript />

</Advanced>

<DetectedByRPMs />

<DetectedByBundles />

</prod>

</AssociatedProducts>

<ReadonlyGroups>

<Group>Security Content Automation Protocol + Microsoft Baselines + (Step 3) Overall Scores</Group>

</ReadonlyGroups>

<LANDeskRevision>3</LANDeskRevision>

</Exportable>

</Items>

</ExportableContainer>

 

          d.     Scan of the scoring definition.

After scanning this definition on the client, we can check the score of the machine for our baseline in the Security and Patch Information view of the LANDesk 32-bit console.

 

 

 

 

4.     Creation of the individual definitions

          a.     XML structure

A standard SCAP definition looks like the following when exported to XML:

<?xml version="1.0"?>

<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" LastSavedBy="AMERICA\administrator" Revision="0" SourceCore="YOSSARIAN" Guid="fake" SaveType="Inherit">

  <DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

<LastSavedDate>0001-01-01T00:00:00</LastSavedDate>

<Name>CCE-10027-1_MS</Name>

<AssemblyVer>9.0.3.42</AssemblyVer>

  <Items>

    <Exportable xsi:type="EVulnerability" LastSavedBy="AMERICA\administrator" Revision="65539" SourceCore="YOSSARIAN" Guid="INTL_CCE-10027-1_MS" SaveType="Inherit">

      <DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

<LastSavedDate>2011-11-29T18:44:28.907+00:00</LastSavedDate>

<Name>CCE-10027-1_MS</Name>

<AssemblyVer>9.0.3.93</AssemblyVer>

      <Prerequisites />

      <CVE_ID />

<PublishDate>2011-11-18T00:00:00</PublishDate>

      <Title>Network access: Do not allow anonymous enumeration of SAM accounts</Title>

      <Description>If you enable this policy setting, users with anonymous connections cannot enumerate domain account user names on the workstations in your environment. This policy setting also allows additional restrictions on anonymous connections.</Description>

      <Summary />

<Lang>INTL</Lang>

<MoreInfoURL>http://cce.mitre.org</MoreInfoURL>

      <FAQURL />

<Severity>6</Severity>

<Vendor>LANDesk</Vendor>

<Status>Enabled</Status>

<Type>Configuration</Type>

      <AutoFix>false</AutoFix>

<Fixable>NotFixable</Fixable>

<CanRunSilent>NoPatchesExist</CanRunSilent>

<Compliance>false</Compliance>

      <Category />

<SupercededState>None</SupercededState>

<Alert>false</Alert>

<HasCustomVars>false</HasCustomVars>

      <Patches>

        <Patch Download="DManual" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="" Hash="" Size="0">

<Name>CCE-10027-1 Check</Name>

          <Advanced>

<DetectScript>Const XCCDFRuleId = "Network_access__Do_not_allow_anonymous_enumeration_of_SAM_accounts130"

Const XCCDFSuffix = "-Microsoft_WS08R2-SSLF-DC-xccdf-results.xml"

Dim sComputerName, sLDPath, sXCCDFPath

Dim sStatus, sFindings

 

Function GetXCCDFPath(sLDClientPath, sHostName)

                        str = sLDClientPath + "\S-CAT\Products\"

                        str = str + sHostName + XCCDFSuffix

                        GetXCCDFPath = str

End Function

 

Function IsFileThere(sFile)

                        Dim oFS         

                        Set oFS = CreateObject("Scripting.FileSystemObject")      

                        IsFileThere = oFS.FileExists(sFile)

                        Set oFS = Nothing

End Function

 

' This XPath may be cheating, but it should work

Function GetResultString(strId)

                        Dim str

                        str = "//rule[@id='"

                        str = str + strId

                        str = str + "' and @result]"

                        GetResultString = str

End Function

 

sComputerName = GetComputerName()

sLDPath = ReadRegValue("HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path")

Log "LDPath: " + sLDPath

sXCCDFPath = GetXCCDFPath(sLDPath, sComputerName)

Log "XCCDFPath: " + sXCCDFPath

 

Sub ParseTigerXml(strFile)

                        Dim objXmlDoc, objXmlNode

                        Dim strResult, strRuleId, strXPath

                        Set objXmlDoc = CreateObject("Microsoft.XMLDOM")

 

                        'Load the XML document into memory

                        If objXmlDoc.load(strFile) Then

                                               objXmlDoc.Async="false"

 

                                               ' Find &lt;RuleID Here&gt;

                                               ' XPath doesn't seem to like xmlns prefixes

                                               ' |XCCDFRuleId points to a constant |

                                               ' |that references rule of interest |

                                               strXPath = GetResultString(XCCDFRuleId)                           

                                               Set objXmlNode = objXmlDoc.selectSingleNode(strXPath)                         

                                               ' Check if object is valid

                                               If TypeName(objXmlNode) = "Nothing" Then

                                                                       Log "Unable to find Rule " + XCCDFRuleId + "."                                           

                                                                       sStatus = "not found"

                                                                       sFindings = "Item does not exist in the results file. Please visit the client to be sure it's not vulnerable."

                                                                       Exit Sub                                                        

                                               Else                                                               

                                                                       strRuleId = objXmlNode.getAttribute("id")                         

                                                                       If IsNull(strRuleId) Then

                                                                                              Log "Unable to find the rule id attribute."

                                                                                              Set objXmlNode = Nothing

                                                                                              Set objXmlDoc = Nothing

                                                                                              sStatus = "not found"

                                                                                              sFindings = "Unable to find the rule id attribute."

                                                                                              Exit Sub

                                                                       Else

                                                                                              strResult = objXmlNode.getAttribute("result")

                                                                                              Set objXmlNode = objXmlNode.firstChild

                                                                                              If TypeName(objXmlNode) = "Nothing" Then

                                                                                                                      sStatus = "not found"

                                                                                                                      sFindings = "result was not found."                                                                                                           

                                                                                              Else

                                                                                                                      sFindings = objXmlNode.text

                                                                                              End If

 

                                                                                              If IsNull(strResult) Then

                                                                                                                      Log "Unable to find result attribute value."

                                                                                                                      sStatus = "not found"

                                                                                                                      sFindings = "not found"

                                                                                                                      Set objXmlNode = Nothing

                                                                                                                      Set objXmlDoc = Nothing

                                                                                                                      Exit Sub

                                                                                              End If

                                                                       End If                                     

                                               End If

                        End If              

                        Set objXmlDoc = Nothing

 

                        sStatus = strResult                                       

End Sub

 

If IsFileThere(sXCCDFPath) Then

                        ParseTigerXml(sXCCDFPath)

End If

 

If sStatus = "fail" Then

                        Report true, "pass", sFindings, sStatus

Else

                        Report false, "pass", sFindings, sStatus

End If

</DetectScript>

<DetectScriptDescription>This script will:

1. Detect if the tiger formatted XCCDF file exists.

2. Then evaluate if the system is vulnerable to CCE-10027-1</DetectScriptDescription>

          </Advanced>

          <Comments />

          <URL />

<State>Enabled</State>

          <AdditionalFiles />

          <Files />

          <RegKeys />

          <Products>

<ID>S-CATSCAN</ID>

          </Products>

          <Platforms>

<ID>win2008r2-x64</ID>

          </Platforms>

          <UninstallInfo>

<canBeUninstalled>false</canBeUninstalled>

<requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

          </UninstallInfo>

          <CustVars />

          <Cmds />

        </Patch>

        <Patch Download="DAuto" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="" Hash="" Size="0">

<Name>Dependency</Name>

          <Advanced>

            <DetectScript />

            <DetectScriptDescription />

          </Advanced>

          <Comments />

          <URL />

<State>Enabled</State>

          <AdditionalFiles />

          <Files />

          <RegKeys />

          <Products />

          <Platforms>

            <ID>win2008r2-x64</ID>

          </Platforms>

          <UninstallInfo>

<canBeUninstalled>false</canBeUninstalled>

<requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

          </UninstallInfo>

          <CustVars />

          <Cmds />

        </Patch>

      </Patches>

      <AssociatedProducts>

        <prod Prod_ID="S-CATSCAN" Revision="1" Date="1339605448">

          <Name>S-CAT Scanner</Name>

          <Vendor>ThreatGuard</Vendor>

          <Version />

<Custom>false</Custom>

<DetectedByFiles>

            <File>

<filename>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\Winclient\Path)%\S-CAT\s-cat.exe</filename>

              <minVersion>0.0.0.0</minVersion>

<maxVersion>9.9.9.9</maxVersion>

            </File>

          </DetectedByFiles>

          <DetectedByRegs />

          <Advanced>

            <DetectScript />

          </Advanced>

          <DetectedByRPMs />

          <DetectedByBundles />

        </prod>

</AssociatedProducts>

      <ReadonlyGroups />

<LANDeskRevision>1</LANDeskRevision>

    </Exportable>

  </Items>

</ExportableContainer>

 

Most of the XML tags in this file have already been explained. What is useful in this document is the reference to the definition to scan, which is located in the “DetectScript” element:

 

<DetectScript>Const XCCDFRuleId = "Network_access__Do_not_allow_anonymous_enumeration_of_SAM_accounts130"

Const XCCDFSuffix = "-Microsoft_WS08R2-SSLF-DC-xccdf-results.xml"

 

The rule ID can be found in the XCCDF definition XML file as the “idref”.

The constant XCCDFSuffix is the suffix of the results file created previously in step 2.
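As an added example that is not part of the article, the lookup the DetectScript performs, written in PowerShell rather than VBScript, run against two constructed results layouts: the attribute-based layout the script's XPath implies, and a standard XCCDF TestResult whose default namespace has to be bound to a prefix before XPath can address it (the "XPath doesn't seem to like xmlns prefixes" problem). It goes one step further than the article's script by flagging every status other than a clear pass or fail for review; the sample documents, the host name WS01 and the function name are assumptions.

```powershell
# Added example (not from the article): the DetectScript lookup, in PowerShell.
# Layout 1 is what the VBScript's XPath implies: <rule id=".." result="..">findings</rule>
# Layout 2 is a standard XCCDF TestResult, which lives in a default namespace.
function Get-XccdfRuleResult {
    param([Parameter(Mandatory=$true)][xml]$Results, [Parameter(Mandatory=$true)][string]$RuleId)

    # The rule id is embedded in an XPath literal; refuse ids that would break out of the quotes
    if ($RuleId -match "'") { throw "Rule id must not contain a single quote: $RuleId" }

    $ns = New-Object System.Xml.XmlNamespaceManager($Results.NameTable)
    $defaultNs = $Results.DocumentElement.NamespaceURI
    if ($defaultNs) { $ns.AddNamespace('x', $defaultNs) }   # bind the document's default namespace to 'x'

    $status = $null; $findings = ''

    # Layout 1 (no namespace): the same XPath the article's VBScript uses
    $node = $Results.SelectSingleNode("//rule[@id='$RuleId' and @result]")
    if ($node) {
        $status   = $node.GetAttribute('result')
        $findings = $node.InnerText.Trim()
    }
    elseif ($defaultNs) {
        # Layout 2 (XCCDF): <rule-result idref=".."><result>fail</result></rule-result>
        $node = $Results.SelectSingleNode("//x:rule-result[@idref='$RuleId']", $ns)
        if ($node) {
            $res = $node.SelectSingleNode('x:result', $ns)
            if ($res) { $status = $res.InnerText.Trim() }
            $msg = $node.SelectSingleNode('x:message', $ns)
            if ($msg) { $findings = $msg.InnerText.Trim() }
        }
    }

    if (-not $status) {
        $status   = 'not found'
        $findings = 'Item does not exist in the results file; check the client before treating it as compliant.'
    }

    [pscustomobject]@{
        RuleId      = $RuleId
        Status      = $status
        Findings    = $findings
        Vulnerable  = ($status -eq 'fail')                      # what the article's script reports as detected
        NeedsReview = (@('pass', 'fail') -notcontains $status)  # notchecked/error/unknown/not found: never a silent pass
    }
}

# Constructed sample in layout 1 (the article's "tiger formatted" results file)
$scatResults = @'
<results host="WS01">
  <rule id="Rule_oval_LANDeskSCAPcustom_def_1" result="fail">DisableCAD is 0, expected 1</rule>
</results>
'@

# Constructed sample in layout 2 (XCCDF 1.1 TestResult with a default namespace)
$xccdfResults = @'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="xccdf_result_1">
  <rule-result idref="Rule_oval_LANDeskSCAPcustom_def_1"><result>fail</result></rule-result>
  <rule-result idref="Rule_oval_LANDeskSCAPcustom_def_2"><result>notchecked</result></rule-result>
</TestResult>
'@

$ruleId = 'Rule_oval_LANDeskSCAPcustom_def_1'
Get-XccdfRuleResult -Results ([xml]$scatResults)  -RuleId $ruleId                              # rule present, result fail
Get-XccdfRuleResult -Results ([xml]$xccdfResults) -RuleId $ruleId                              # same rule, XCCDF layout
Get-XccdfRuleResult -Results ([xml]$xccdfResults) -RuleId 'Rule_oval_LANDeskSCAPcustom_def_2'  # rule present but notchecked
Get-XccdfRuleResult -Results ([xml]$xccdfResults) -RuleId 'Rule_oval_LANDeskSCAPcustom_def_9'  # rule absent from the results
```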

 

          b.      Creation of an individual definition

Based on the information above, we can modify our XML document in the following way:

 

<?xml version="1.0" encoding="UTF-8"?>

<ExportableContainer xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" LastSavedBy="AMERICA\administrator" Revision="0" SourceCore="YOSSARIAN" Guid="fake" SaveType="Inherit">

  <DuplicateReferences />

  <SyncEnabled>No</SyncEnabled>

  <LastSavedDate>0001-01-01T00:00:00</LastSavedDate>

  <Name>disablecad</Name>

  <AssemblyVer>9.0.3.42</AssemblyVer>

  <Items>

<Exportable xsi:type="EVulnerability" LastSavedBy="AMERICA\administrator" Revision="65539" SourceCore="YOSSARIAN" Guid="disablecad" SaveType="Inherit">

<DuplicateReferences />

<SyncEnabled>No</SyncEnabled>

<LastSavedDate>2011-11-29T18:44:28.907+00:00</LastSavedDate>

<Name>disablecad</Name>

<AssemblyVer>9.0.3.93</AssemblyVer>

<Prerequisites />

<CVE_ID />

<PublishDate>2011-11-18T00:00:00</PublishDate>

<Title>Check_ctrl_alt_del_sequence</Title>

<Description>Disable the control_alt_del sequence</Description>

<Summary />

<Lang>INTL</Lang>

      <MoreInfoURL>http://cce.mitre.org</MoreInfoURL>

      <FAQURL />

<Severity>6</Severity>

<Vendor>LANDesk</Vendor>

<Status>Enabled</Status>

<Type>Configuration</Type>

<AutoFix>false</AutoFix>

      <Fixable>NotFixable</Fixable>

      <CanRunSilent>NoPatchesExist</CanRunSilent>

<Compliance>false</Compliance>

<Category />

<SupercededState>None</SupercededState>

<Alert>false</Alert>

<HasCustomVars>false</HasCustomVars>

<Patches>

<Patch Download="DManual" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="" Hash="" Size="0">

<Name>disablecad</Name>

<Advanced>

            <DetectScript>Const XCCDFRuleId = "Rule_oval_LANDeskSCAPcustom_def_1"

Const XCCDFSuffix = "-LANDeskSCAPcustom-xccdf-results.xml"

Dim sComputerName, sLDPath, sXCCDFPath

Dim sStatus, sFindings

 

Function GetXCCDFPath(sLDClientPath, sHostName)

                        str = sLDClientPath + "\S-CAT\Products\"

                        str = str + sHostName + XCCDFSuffix

                        GetXCCDFPath = str

End Function

 

Function IsFileThere(sFile)

                        Dim oFS         

                        Set oFS = CreateObject("Scripting.FileSystemObject")      

                        IsFileThere = oFS.FileExists(sFile)

                        Set oFS = Nothing

End Function

 

' This XPath may be cheating, but it should work

Function GetResultString(strId)

                        Dim str

                        str = "//rule[@id='"

                        str = str + strId

                        str = str + "' and @result]"

                        GetResultString = str

End Function

 

sComputerName = GetComputerName()

sLDPath = ReadRegValue("HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path")

Log "LDPath: " + sLDPath

sXCCDFPath = GetXCCDFPath(sLDPath, sComputerName)

Log "XCCDFPath: " + sXCCDFPath

 

Sub ParseTigerXml(strFile)

                        Dim objXmlDoc, objXmlNode

                        Dim strResult, strRuleId, strXPath

                        Set objXmlDoc = CreateObject("Microsoft.XMLDOM")

 

                        'Load the XML document into memory

                        If objXmlDoc.load(strFile) Then

                                               objXmlDoc.Async="false"

 

                                               ' Find &lt;RuleID Here&gt;

                                               ' XPath doesn't seem to like xmlns prefixes

                                               ' |XCCDFRuleId points to a constant |

                                               ' |that references rule of interest |

                                               strXPath = GetResultString(XCCDFRuleId)                           

                                               Set objXmlNode = objXmlDoc.selectSingleNode(strXPath)                         

                                               ' Check if object is valid

                                               If TypeName(objXmlNode) = "Nothing" Then

                                                                       Log "Unable to find Rule " + XCCDFRuleId + "."                                           

                                                                       sStatus = "not found"

                                                                       sFindings = "Item does not exist in the results file. Please visit the client to be sure it's not vulnerable."

                                                                       Exit Sub                                                        

                                               Else                                                               

                                                                       strRuleId = objXmlNode.getAttribute("id")                         

                                                                       If IsNull(strRuleId) Then

                                                                                              Log "Unable to find the rule id attribute."

                                                                                              Set objXmlNode = Nothing

                                                                                              Set objXmlDoc = Nothing

                                                                                              sStatus = "not found"

                                                                                              sFindings = "Unable to find the rule id attribute."

                                                                                              Exit Sub

                                                                       Else

                                                                                              strResult = objXmlNode.getAttribute("result")

                                                                                              Set objXmlNode = objXmlNode.firstChild

                                                                                              If TypeName(objXmlNode) = "Nothing" Then

                                                                                                                      sStatus = "not found"

                                                                                                                      sFindings = "result was not found."                                                                                                           

                                                                                              Else

                                                                                                                      sFindings = objXmlNode.text

                                                                                              End If

 

                                                                                              If IsNull(strResult) Then

                                                                                                                      Log "Unable to find result attribute value."

                                                                                                                      sStatus = "not found"

                                                                                                                      sFindings = "not found"

                                                                                                                      Set objXmlNode = Nothing

                                                                                                                      Set objXmlDoc = Nothing

                                                                                                                      Exit Sub

                                                                                              End If

                                                                       End If                                     

                                               End If

                        End If              

                        Set objXmlDoc = Nothing

 

                        sStatus = strResult                                       

End Sub

 

If IsFileThere(sXCCDFPath) Then

                        ParseTigerXml(sXCCDFPath)

End If

 

If sStatus = "fail" Then

                        Report true, "pass", sFindings, sStatus

Else

                        Report false, "pass", sFindings, sStatus

End If

</DetectScript>

            <DetectScriptDescription>This script will:

1. Detect if the tiger formatted XCCDF file exists.

</DetectScriptDescription>

</Advanced>

<Comments />

<URL />

<State>Enabled</State>

<AdditionalFiles />

<Files />

<RegKeys />

<Products>

            <ID>S-CATSCAN</ID>

</Products>

<Platforms>

            <ID>win7-x64</ID>

</Platforms>

<UninstallInfo>

            <canBeUninstalled>false</canBeUninstalled>

            <requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

</UninstallInfo>

<CustVars />

<Cmds />

</Patch>

<Patch Download="DAuto" Silent="CRSUnknown" Reboot="RUnknown" UniqueFilename="" Hash="" Size="0">

<Name>Dependency</Name>

<Advanced>

            <DetectScript />

            <DetectScriptDescription />

</Advanced>

<Comments />

<URL />

<State>Enabled</State>

<AdditionalFiles />

<Files />

<RegKeys />

<Products />

<Platforms>

            <ID>win7</ID>

            <ID>win7-x64</ID>

</Platforms>

<UninstallInfo>

            <canBeUninstalled>false</canBeUninstalled>

            <requiresOriginalPatch>false</requiresOriginalPatch>

            <Files />

            <RegKeys />

            <Cmds />

</UninstallInfo>

<CustVars />

<Cmds />

</Patch>

</Patches>

<AssociatedProducts>

<prod Prod_ID="S-CATSCAN" Revision="1" Date="1339605448">

<Name>S-CAT Scanner</Name>

<Vendor>ThreatGuard</Vendor>

<Version />

<Custom>false</Custom>

<DetectedByFiles>

            <File>

              <filename>%regval(HKLM\SOFTWARE\LANDesk\ManagementSuite\Winclient\Path)%\S-CAT\s-cat.exe</filename>

              <minVersion>0.0.0.0</minVersion>

              <maxVersion>9.9.9.9</maxVersion>

            </File>

          </DetectedByFiles>

<DetectedByRegs />

<Advanced>

            <DetectScript />

</Advanced>

<DetectedByRPMs />

<DetectedByBundles />

</prod>

</AssociatedProducts>

<ReadonlyGroups />

<LANDeskRevision>1</LANDeskRevision>

</Exportable>

  </Items>

</ExportableContainer>

 

 

          c.     Scan of the individual definitions

After scanning the definition on the client, I can see the definition in the Security and Patch Information for my machine in the network view of my 32-bit console:

 

(Screenshot: securityandpatchinformationunedefinition.png, the Security and Patch Information window showing the definition)

As seen earlier in the results file, this definition failed the compliance test. It is therefore listed in the “Detected” section of the Security and Patch Information window.

In this test our baseline has only one definition, which is far from reality: a baseline can contain hundreds of definitions/settings, and creating the definitions manually is a gigantic piece of work. To automate it, I created the PowerShell script described in the next section of this guide.

 

5.     Automation of the creation of the LANDesk definitions

          a.     Definition

 

Each rule in your XCCDF file becomes a single definition in LANDesk. To automate this, I created a PowerShell script that generates, for each rule configured in your XCCDF file, a definition file that can be imported into LANDesk. Technically speaking, it creates an XML file that can be imported into LANDesk, based on your custom XCCDF content file and your OVAL configuration file. The script, the templates and the additional files I used are attached to this article. Note that I am not a programmer, so you will certainly find many areas to improve this code or to create your own.

 

          b.     Explanation of the code

                    i.     Files and folders organisation

We base our script on the following types of files:

  • A template file, which is an XML export from LDMS of a standard SCAP definition, so that we work with an existing XML structure that LANDesk understands. This template is defined in the code as $templatedefxml.

  • The XCCDF files of your custom OEM content, which contain the rules of your baseline and are used to build our definition files. For this script, your definition files are decompressed into a subfolder called “content”.

Our script goes into each of these folders, looks for the XCCDF file and starts the creation of the custom XML files. This XCCDF file is loaded in the script as $xccdfile.

  • I have noticed a difference in the number of platforms listed in the “oval.xml” file compared to the “cpe-oval.xml” file. I have therefore based the platform detection logic for the individual definition on the first platform element of the “oval.xml”. The OVAL XML file is loaded in the script as $ovalfile.
  • LANDesk identifies platforms by a prefix (short name). I have therefore created a CSV file, an export of the platform table in the LANDesk database, that matches the prefix to the full name of the platform. The platform CSV file is loaded as $Platforms.

  • Each definition has a VBScript associated with it in order to pick up the right information from the results XML file. I have stored it in a text file and inserted parameters that I populate based on the definition rule. This variable is defined in the script as $templatedetectsingle.

The part of the code that initialises these variables is the following:

 

$Platforms = Import-Csv C:\Scapdefcreate\platforms.csv  # OS list that LANDesk understands (Name / FilePrefix columns)

$ContentFolder = Get-ChildItem C:\Scapdefcreate\scap\content\ccce | Where-Object { $_.PsIsContainer -eq $true } | Select FullName  # list all the subfolders of the content folder, where you put your decompressed SCAP xml
$templatedefxml = [xml] (Get-Content C:\Scapdefcreate\scap\template.ldms)  # template: an LDMS export of a SCAP definition, used to create the new definitions
$templatedetectsingle = (Get-Content C:\Scapdefcreate\scap\detectruledef.txt | Out-String)  # template of the VBScript detection logic LANDesk uses to detect a SCAP definition

ForEach ($folder in $ContentFolder) {
    $foldername = $folder.FullName
    # -Include only applies to the contents of a path, so the path ends in \* (a bare folder path returns nothing)
    $cpename = Get-ChildItem "$foldername\*" -Include "*-cpe-oval.xml" -Force -Name  # the cpe-oval.xml file gives us the baseline name
    $ovalname = Get-ChildItem "$foldername\*" -Include "*-oval.xml" -Exclude "*-cpe-oval.xml" -Force -Name  # the oval.xml for this baseline
    $baselinename = $cpename.Substring(0, $cpename.Length - 13)  # strip "-cpe-oval.xml" (13 characters) to get the baseline name
    $xccdfile = [xml] (Get-Content "$foldername\$baselinename-xccdf.xml")  # open the xccdf file to get the individual definitions of the baseline
    $ovalfile = [xml] (Get-Content "$foldername\$ovalname")  # open the oval file to get the details about the platform
    if (!(Test-Path "$foldername\defsLANDesk"))  # folder for the individual LANDesk custom definitions, created only if it does not exist yet
    {
        mkdir "$foldername\defsLANDesk" | Out-Null  # create the folder without any output on the console
    }

 

                    ii.     Manipulation of the xml objects and creation of the XML files

For each “select” tag in the XCCDF definition content we do the following:

  • Work on a copy of the template imported earlier and modify the parameters of this XML document based on the information given in the previous document:

Write-Host "Creating definition for CCE: $cceid"
$templatedefxml.ExportableContainer.Name = "$cceid"  # assign the CCE ID to the definition
$templatedefxml.ExportableContainer.Items.Exportable.GUID = "$cceid"  # populate the GUID with the CCE ID
$templatedefxml.ExportableContainer.Items.Exportable.Name = "$cceid"  # populate the name of the definition with the definition reference ID
$templatedefxml.ExportableContainer.Items.Exportable.Title = $_.title  # populate the definition title
$templatedefxml.ExportableContainer.Items.Exportable.Description = $_.description  # populate the definition description; useful if you want more information in the reporting
$templatedefxml.ExportableContainer.Items.Exportable.Patches.Patch[0].Name = "$cceid"
$templatedefxml.ExportableContainer.Items.Exportable.Patches.Patch[0].Advanced.DetectScript = "$templatedetectsingle" -f "$defid", "-$baselinename-xccdf-results.xml"  # fill the detection logic template with the right rule id and results suffix and insert it in the xml document

 

  • I have based the platform detection on the oval.xml file. The script compares the platform in the oval.xml file with the platforms available in the CSV file and inserts into the XML object the platform prefix that LANDesk understands:

if ($ovalfile.oval_definitions.definitions.definition[0])  # if the oval file has several rules, check the platform in the first one using the "0" index
{
    $multirule = $ovalfile.oval_definitions.definitions.definition[0]
}
else
{
    $multirule = $ovalfile.oval_definitions.definitions.definition  # with a single rule the "0" index cannot be used
}
$multirule.metadata.affected.platform | ForEach-Object {  # check the platforms of the first entry of the oval xml file
    $platformnamedetected = $_  # cursor for the iteration
    $matchplatname = ($Platforms | Select "Name")  # display names of the platforms from the csv file
    $matchplatprefix = ($Platforms | Select "FilePrefix")  # LANDesk prefixes of the platforms from the csv file
    $i = 0  # index for the iteration
    $matchplatname | ForEach-Object {  # go through the platform list from the platform csv file
        if (($_.name -eq $platformnamedetected) -or ($_.name -eq "$platformnamedetected x64")) {  # compare the platform of the oval definition with the one in the csv platform list
            $nowindows = $false  # a Windows platform was matched, so the "all Microsoft OSs" fallback below is not needed
            if ($checksave -eq $true) {  # if we have already been in this loop once, reload the xml file so the new platform is added to the ones already saved
                $templatedefxml = [xml] (Get-Content "$foldername\defsLANDesk\$cceid.ldms")
            }
            $newID = $templatedefxml.CreateElement("ID")  # create the xml object for the sub-element "ID"
            $platprefix = $matchplatprefix.SyncRoot[$i].FilePrefix  # platform prefix to insert in the xml document
            $newID.Set_InnerText("$platprefix")  # populate the xml element with the platform detected in the oval file
            $templatedefxml.ExportableContainer.Items.Exportable.Patches.Patch[0].Platforms.AppendChild($newID) | Out-Null  # add the platform information to the first patch element
            $templatedefxml.Save("$foldername\defsLANDesk\$cceid.ldms")
            # I save and recreate the element a second time because of a limitation inherent to AppendChild:
            # appending the same node object a second time moves it into the element of the second call
            $templatedefidf = [xml] (Get-Content "$foldername\defsLANDesk\$cceid.ldms")
            $newID = $templatedefidf.CreateElement("ID")
            $newID.Set_InnerText("$platprefix")
            $templatedefidf.ExportableContainer.Items.Exportable.Patches.Patch[1].Platforms.AppendChild($newID) | Out-Null  # add the platform information to the second patch element
            $templatedefidf.Save("$foldername\defsLANDesk\$cceid.ldms")
            $checksave = $true
        }
        $i++

 

The definitions are saved in the folder content\<Name of your baseline>\defsLANDesk with the .ldms extension.
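The same generation loop as an added example (not the article's script), written so that it can run stand-alone on constructed inputs: it binds the XCCDF default namespace for XPath, resolves platforms through the same Name/FilePrefix CSV columns with the article's "all Microsoft OSs" fallback, and creates a fresh <ID> element for each <Platforms> parent, which removes the need for the save-and-reload between the two AppendChild calls. The trimmed template, the sample XCCDF, CSV and OVAL platform list, and the function names are assumptions.

```powershell
# Added example, not the article's script. Appending the same node object to two parents moves it
# (the reason for the save/reload in the article), so a new <ID> is created per parent instead.
# All inputs below are constructed; the template keeps only the elements the generator touches.
$platformCsv = @'
Name,FilePrefix
Microsoft Windows 7,win7
Microsoft Windows 7 x64,win7-x64
Microsoft Windows Server 2008 R2 x64,win2008r2-x64
'@
$xccdfText = @'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="LANDeskSCAPcustom">
  <Profile id="custom"><select idref="Rule_oval_LANDeskSCAPcustom_def_1" selected="true"/></Profile>
  <Rule id="Rule_oval_LANDeskSCAPcustom_def_1">
    <title>Check_ctrl_alt_del_sequence</title>
    <description>Disable the control_alt_del sequence</description>
    <ident system="http://cce.mitre.org">CCE-10027-1</ident>
  </Rule>
</Benchmark>
'@
$ovalPlatforms = @('Microsoft Windows 7')   # stands in for definition[0]/metadata/affected/platform of oval.xml
$templateXml = @'
<ExportableContainer Guid="template" SaveType="Inherit"><Name>template</Name><Items>
  <Exportable Guid="template"><Name>template</Name><Title /><Description /><Type>Configuration</Type>
    <Patches>
      <Patch Download="DManual"><Name>template</Name><Advanced><DetectScript /></Advanced><Platforms /></Patch>
      <Patch Download="DAuto"><Name>Dependency</Name><Platforms /></Patch>
    </Patches>
  </Exportable></Items></ExportableContainer>
'@
# {0} = XCCDF rule id, {1} = results-file suffix; the rest of the article's VBScript would follow unchanged
$detectTemplate = @'
Const XCCDFRuleId = "{0}"
Const XCCDFSuffix = "{1}"
'@

function Resolve-PlatformPrefixes {
    param([string[]]$OvalPlatforms, [object[]]$PlatformMap)
    $prefixes = @($OvalPlatforms | ForEach-Object {
        $p = $_   # matched exactly or as its "x64" variant, as the article does
        ($PlatformMap | Where-Object { $_.Name -eq $p -or $_.Name -eq "$p x64" }).FilePrefix
    } | Where-Object { $_ } | Select-Object -Unique)
    if ($prefixes.Count -eq 0) {   # no OS platform in the OVAL: every Microsoft OS, as the article does
        $prefixes = @(($PlatformMap | Where-Object { $_.Name -like 'Microsoft*' }).FilePrefix)
    }
    return $prefixes
}

function New-LdmsDefinitions {
    param([xml]$Xccdf, [string]$TemplateXml, [string]$DetectTemplate,
          [string]$BaselineName, [string[]]$PlatformPrefixes, [string]$OutDir)
    $ns = New-Object System.Xml.XmlNamespaceManager($Xccdf.NameTable)
    $ns.AddNamespace('x', $Xccdf.DocumentElement.NamespaceURI)   # XPath cannot address a default namespace without a prefix
    $written = @()
    foreach ($sel in $Xccdf.SelectNodes('//x:Profile/x:select[@selected="true"]', $ns)) {
        $ruleId = $sel.GetAttribute('idref')
        $rule = $Xccdf.SelectSingleNode("//x:Rule[@id='$ruleId']", $ns)
        if (-not $rule) { continue }
        $ident = $rule.SelectSingleNode('x:ident', $ns)
        $cceId = if ($ident) { $ident.InnerText } else { $ruleId }   # the article names the definition after its CCE
        $def = [xml]$TemplateXml   # fresh copy of the template per rule, so nothing leaks between definitions
        $def.DocumentElement.SetAttribute('Guid', $cceId)
        $def.SelectSingleNode('/ExportableContainer/Name').InnerText = $cceId
        $exp = $def.SelectSingleNode('/ExportableContainer/Items/Exportable')
        $exp.SetAttribute('Guid', $cceId)
        $exp.SelectSingleNode('Name').InnerText = $cceId
        $exp.SelectSingleNode('Title').InnerText = $rule.SelectSingleNode('x:title', $ns).InnerText
        $exp.SelectSingleNode('Description').InnerText = $rule.SelectSingleNode('x:description', $ns).InnerText
        $patches = @($exp.SelectNodes('Patches/Patch'))
        $patches[0].SelectSingleNode('Name').InnerText = $cceId
        $patches[0].SelectSingleNode('Advanced/DetectScript').InnerText = $DetectTemplate -f $ruleId, "-$BaselineName-xccdf-results.xml"
        foreach ($patch in $patches) {   # both the check patch and the Dependency patch get the platform list
            $platforms = $patch.SelectSingleNode('Platforms')
            foreach ($prefix in $PlatformPrefixes) {
                $id = $def.CreateElement('ID')   # one new node per parent; re-appending a node would move it
                $id.InnerText = $prefix
                [void]$platforms.AppendChild($id)
            }
        }
        $path = Join-Path $OutDir "$cceId.ldms"
        $def.Save($path)
        $written += $path
    }
    return $written
}

$outDir = Join-Path ([IO.Path]::GetTempPath()) 'ldms-demo'
New-Item -ItemType Directory -Force -Path $outDir | Out-Null
$prefixes = Resolve-PlatformPrefixes -OvalPlatforms $ovalPlatforms -PlatformMap (ConvertFrom-Csv $platformCsv)
$files = New-LdmsDefinitions -Xccdf ([xml]$xccdfText) -TemplateXml $templateXml -DetectTemplate $detectTemplate `
    -BaselineName 'LANDeskSCAPcustom' -PlatformPrefixes $prefixes -OutDir $outDir
foreach ($f in $files) {   # read back each file and list the platform IDs of both Patch elements
    $saved = [xml](Get-Content $f -Raw)
    $ids = $saved.SelectNodes('//Patch/Platforms/ID') | ForEach-Object { $_.InnerText }
    Write-Host "$f -> $($ids -join ', ')"
}
```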

 

  • If your definition is not associated with an OS but with a specific product, the script adds all the Windows OSs to the platform section. This could be improved by introducing the product detection logic into this code.

 

 

    #if no OS platforms is stated in the oval - puts all available microsoft OSs as the platform
    #This is not the most optimized way to do and we would need to manage affected products in the future
    if ($nowindows -eq $true) {
        $j = 0
        $matchplatname | ForEach-Object {
            # -match (substring) rather than -contains: -contains tests a collection for an exact element
            if ($_.name -match "Microsoft") {

                if ($checksavenoplat -eq $true) { #if we have already been in this loop once, we want to increment the xml file with new platforms
                    $templatedefxml = [xml] (Get-Content "$foldername\defsLANDesk\$cceid.ldms")
                }

                #$newplatform = $templatedefxml.CreateElement("platforms") #creates xml object for the element "platforms"
                $newID = $templatedefxml.CreateElement("ID") #creates xml object for the sub-element "ID"
                #$id = $templatedefxml
                $platprefix = $matchplatprefix.SyncRoot[$j].FilePrefix #checks which platform prefix should be inserted to the xml document
                $newID.Set_InnerText("$platprefix")

                #$newplatform.AppendChild($newID)
                $templatedefxml.ExportableContainer.Items.Exportable.Patches.Patch[0].Platforms.AppendChild($newID) | Out-Null  #adds the platform information to the first patch element
                $templatedefxml.Save("$foldername\defsLANDesk\$cceid.ldms")

                #I save and recreate the element a second time because of the limitation inherent to AppendChild.
                #if you call it AppendChild consecutively it is going to move the data in the element of the second call

                $templatedefidf = [xml] (Get-Content "$foldername\defsLANDesk\$cceid.ldms") #template of LDMS export of a SCAP definition used to create the new definitions

                $newID = $templatedefidf.CreateElement("ID")
                $newID.Set_InnerText("$platprefix")
                $templatedefidf.ExportableContainer.Items.Exportable.Patches.Patch[1].Platforms.AppendChild($newID) | Out-Null  #adds the platform information to the second patch element
                $templatedefidf.Save("$foldername\defsLANDesk\$cceid.ldms")

                $checksavenoplat = $true

                $j++
            }
        }
        $nowindows = $false # resetting the check for the absence of platform in the oval file
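The save-and-reload step the script performs between the two AppendChild calls works around a property of System.Xml rather than a bug: an XmlNode has exactly one parent, so appending the same node object to a second Platforms element moves it instead of copying it. The following added example (not part of the article's script) shows that rule, and shows that creating a fresh ID element per parent lets both Patch elements be updated in memory and saved once. The XML is a constructed, minimal stand-in for an LDMS definition export; only the element names the script navigates (ExportableContainer/Items/Exportable/Patches/Patch/Platforms/ID) come from the article, and the patch names and platform prefixes are made up.

```powershell
# Added example, not the article's code. Constructed minimal .ldms-shaped document.
$SampleLdms = [xml] @'
<ExportableContainer>
  <Items>
    <Exportable>
      <Patches>
        <Patch><Name>patch-x86</Name><Platforms/></Patch>
        <Patch><Name>patch-x64</Name><Platforms/></Patch>
      </Patches>
    </Exportable>
  </Items>
</ExportableContainer>
'@

$PatchXPath = '/ExportableContainer/Items/Exportable/Patches/Patch'

function Add-PlatformId {
    <# Appends <ID>$PlatformPrefix</ID> under every Patch/Platforms element.
       A new XmlElement is created for each parent, so no save/reload is needed. #>
    param(
        [Parameter(Mandatory)] [xml]    $Definition,
        [Parameter(Mandatory)] [string] $PlatformPrefix
    )
    foreach ($patch in $Definition.SelectNodes($PatchXPath)) {
        # SelectSingleNode instead of $patch.Platforms: PowerShell's XML adapter
        # returns an empty *string*, not an element, for an empty <Platforms/>.
        $platforms = $patch.SelectSingleNode('Platforms')
        if ($null -eq $platforms) {
            $platforms = $patch.AppendChild($Definition.CreateElement('Platforms'))
        }
        # Idempotent: re-running the script must not stack duplicate IDs.
        if ($platforms.SelectNodes("ID[.='$PlatformPrefix']").Count -gt 0) { continue }
        $id = $Definition.CreateElement('ID')   # fresh node for this parent only
        $id.InnerText = $PlatformPrefix
        [void]$platforms.AppendChild($id)
    }
}

function Get-PlatformIds {
    # Returns an ordered hashtable: patch name -> array of platform ID strings.
    param([Parameter(Mandatory)] [xml] $Definition)
    $result = [ordered]@{}
    foreach ($patch in $Definition.SelectNodes($PatchXPath)) {
        $name = $patch.SelectSingleNode('Name').InnerText
        $result[$name] = @($patch.SelectNodes('Platforms/ID') | ForEach-Object { $_.InnerText })
    }
    return $result
}

# 1. The single-parent rule the script's save/reload works around:
$shared = $SampleLdms.CreateElement('ID')
$shared.InnerText = 'SHARED'
$patches = $SampleLdms.SelectNodes($PatchXPath)
[void]$patches[0].SelectSingleNode('Platforms').AppendChild($shared)
[void]$patches[1].SelectSingleNode('Platforms').AppendChild($shared)   # moves it, does not copy it
(Get-PlatformIds $SampleLdms).Values | ForEach-Object { $_.Count }   # 0 then 1: first Patch lost it
[void]$patches[1].SelectSingleNode('Platforms').RemoveChild($shared)  # clean up the demo node

# 2. One new element per parent: both Patch elements get the ID, no file round-trip.
'WIN7', 'WIN2012R2' | ForEach-Object { Add-PlatformId -Definition $SampleLdms -PlatformPrefix $_ }
Add-PlatformId -Definition $SampleLdms -PlatformPrefix 'WIN7'   # duplicate is ignored
Get-PlatformIds $SampleLdms   # patch-x86 and patch-x64 each list WIN7, WIN2012R2

# 3. Save once at the end; XmlDocument.Save wants an absolute path.
$SampleLdms.Save((Join-Path $env:TEMP 'example-definition.ldms'))
```

In the article's script the per-platform Get-Content/Save round trip is what makes the loop slow on large baselines; with a fresh element per AppendChild the document can be modified in memory for every platform and written once per definition.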

 

          c. Import into LDMS

The XML definitions created in content\<Name of your baseline>\defsLANDesk are ready to be imported into LDMS.

To do so, in Patch and Compliance in your 32-bit console:

 

  • Select the type "custom definition" in the drop-down list
  • Click on the "import a custom definition" icon
  • Browse to your freshly created XML files and insert them in one go using a multiple selection.


D. Conclusion

This article does not cover all the capabilities of security compliance and it has room for improvement. However, it should provide you with the tools and the understanding of how the SCAP protocol is implemented in the product and how you can use it in a way that suits your own security compliance needs.

LANDESK Patch Content severity levels




Issue

 

Microsoft Update has a vulnerability listed at a certain vulnerability level but when looking at the same vulnerability in LANDESK it is listed differently or even as "N/A".  Why are they different?


Solution


Windows Update uses a different set of severity levels to sort the vulnerabilities than LANDESK does. The Windows Update site uses high-priority, software, optional, and hardware optional as possible severity levels. These severity types do not correlate with the severity values that Microsoft provides in the vulnerability KB articles.

 

LANDESK uses the severity level that is specified by the vendor.  For Microsoft vulnerabilities LANDESK uses the severity level that is specified in the Microsoft KB article that they provide for each vulnerability.

 

All of the severity levels that are listed for each vulnerability in the Patch Manager solution come directly from the vendor of the patch.  LANDESK does not assume or make any decision as to what severity level the patch should be for a 3rd party product.

 

How does LANDESK determine the severity level of a patch?

 

The 3rd party vendors of the vulnerability are responsible for determining the severity ratings. Below is the breakdown of these ratings, for both Microsoft and other vendors' vulnerability ratings, and the corresponding LANDESK value.

 

Microsoft does distinguish between Vulnerabilities and Security Advisories/Non-Security Updates.

https://technet.microsoft.com/en-us/library/security/dn610807.aspx

 

Microsoft provides severities for Security Bulletins (security vulnerabilities: https://technet.microsoft.com/en-us/library/security/dn631937.aspx) and priorities for non-security bulletins (KBs/Security Advisories: https://technet.microsoft.com/en-us/library/security/dn631936.aspx). If you look at the security bulletins for August 2014, there are severity ratings of Critical and Important:


 

Bulletin ID: MS14-051
Bulletin Title and Executive Summary: Cumulative Security Update for Internet Explorer (2976627). This security update resolves one publicly disclosed and twenty-five privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Max Severity Rating and Impact: Critical, Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer

Bulletin ID: MS14-043
Bulletin Title and Executive Summary: Vulnerability in Windows Media Center Could Allow Remote Code Execution (2978742). This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that invokes Windows Media Center resources. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Max Severity Rating and Impact: Critical, Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin ID: MS14-048
Bulletin Title and Executive Summary: Vulnerability in OneNote Could Allow Remote Code Execution (2977201). This security update resolves a privately reported vulnerability in Microsoft OneNote. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft OneNote. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Max Severity Rating and Impact: Important, Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office


 

Microsoft's Security Rating Definitions

Critical
A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.
Microsoft recommends that customers apply Critical updates immediately.

Important
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where client is compromised with warnings or prompts regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.
Microsoft recommends that customers apply Important updates at the earliest opportunity.

Moderate
Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations.
Microsoft recommends that customers consider applying the security update.

Low
Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Microsoft recommends that customers evaluate whether to apply the security update to the affected systems.

Source: http://technet.microsoft.com/en-us/security/gg309177.aspx

 

Non-Security KBs / Security Advisories

 

A non-security KB or Security Advisory such as KB2800095 (http://support.microsoft.com/?kbid=2800095) is not a security bulletin, so it has no severity.


But Windows Update/WSUS will list a bulletin like this as Important or High-priority; see the screenshots below:

 

Windows Update.jpg

WelcomeToWindowsUpdate.png


This is not listed as a severity in the associated KB.

 

So Severities and Priorities are two different items. LANDESK will list severity but not priority.

 

All the Microsoft content that we provide uses the same Severities provided by Microsoft. Here are the severities that you will find as part of the LANDESK vulnerability definitions:

 

• Service Pack

• Critical

• Important/High

• Moderate/Medium

• Low

• Unknown

• Not Applicable

 

Other Vendors

 

LANDESK attempts to match the vendor's rating system to the above rating system as closely as possible.

 

 

* Not Applicable applies to any vulnerability that does not have a rating, or to a patch or software update that has no security implications. An example would be a patch that fixes a font display issue in an application.

 

More Information


Tip:
You can look at the article used to set the severity, and see additional information about the vulnerability, by following the "More Information at:" link in the patch properties. To get to this link, right-click the vulnerability in question and select Properties, then select the Description tab. You can go directly to the article by clicking the "More Information at:" link.

 

For more information on some processes to help manage and patch all the patches listed in Microsoft Update, please see LANDESK Patch Manager is not installing all of the patches that show up in Windows Update


About Patch Manager Auto Update


LANDESK Patch and Compliance Manager uses an auto update feature in order to make sure that all vulnerability scanning files are up to date with the core server. This ensures compatibility between the files and the latest definitions as well as compatibility with the files on the core.

 

Vulscan Self Update

When vulscan runs, it will initialize the needed files, then contact the core server to check for any updated files. If it finds updated files it will download them, stop any running LANDESK services as needed, replace the files and then start any LANDESK services. This process varies slightly depending on files that are updated.

 

Agent files

Vulscan checks for the following agent files and executables and updates them as needed:

  • vulscan.exe
  • vulscan.dll
  • vulscan.sig
  • xxxVULSCAN.dll where xxx is the 3 letter language prefix such as enu or ptb
  • softmon.exe
  • ldavhlpr.dll
  • vbscript.v55
  • sendtaskstatus.exe
  • av.key
  • ldav.key
  • rollinglog.dll
  • ldreboot.exe
  • ldreboot.dll
  • localsch.exe
  • ltapi.dll
  • LDSystemEventCatcher.dll
Settings

Vulscan will update all settings with the latest version of the CURRENT INSTALLED SETTING on the client. This includes:

2015-06-09_11-06-24.png

 

Again, this will only update the settings that are currently set or installed on the client machine. This WILL NOT update the client files (exes, dlls, etc) for all of the above components, only the settings.

 

Important Note: It is important to know which settings are on the client machines whenever modifying settings. If you are working with some settings, testing or adjusting, any machines that run vulscan, scheduled or otherwise, will update. The currently installed settings can be found in the inventory record of the device under Computer - LANDESK Management - Component

 

 

Preventing Auto Update

The /noupdate switch can be used to prevent vulscan from updating files. This switch must be added to any scheduled task, policy, or locally scheduled task in order to completely prevent updating the client.

 

Right Click Scanning

If you right click on a device and select "Security and Compliance scan now" the client WILL NOT update.

How to Scan for Specific Patches


 

How To:

 

How to scan for a specific patch or group of patches.

 

Purpose:

 

In some situations it may become necessary to scan for a specific patch or group of patches.

 

Examples:

  • One off patching instances
  • Verifying baseline compliance

 

Steps

 

Note: We will be using JREJDKv8u31_Manual in the following examples.

Create Custom Group

  • Begin by creating a new Custom Group in Patch and Compliance.
    • Click Tools | Security and Compliance | Patch and Compliance.

1a-patch and compliance.png

 

  • In Patch and Compliance create a new Custom Group.
    • Right click My Custom Groups or Public Custom Groups | New Group

1-new group.png

 

 

  • Name the custom group according to your needs.
    • Example: Our scan will be for Java 8u31, so the name will reflect this.

2-custom name.png

 

 

  • Locate the content to add to the custom scan group, and add it to the custom group.
    • Drag the content onto the custom group
    • Alternatively right click the content, choose copy, right click the custom group and choose paste.

3-add to group.png

 

  • This provides a custom group to scan against that only contains the desired patch(es).

4-content in group.png

 

 

Create Distribution and Patch Setting

 

  • Open Agent Settings - Tools | Security and Compliance | Agent Settings

1-agent setting.png

 

  • Click Agent Settings | My Agent Settings or Public Agent Settings | Right click Distribution and Patch and choose New

2-new setting.png

 

 

  • Provide the new Distribution and Patch setting a name that indicates what it is used for.

3-name.png

 

  • Double click the new Distribution and Patch setting to open the options, choose Patch-only settings | Scan options, then click the Group browse button.

4-group.png

 

 

  • In the Group Selection window, choose the custom group that contains the content to be scanned for and click Ok

5-select group.png

 

  • The Group field now reflects the custom group that will be scanned for, click Save

Note: If you only want to scan for a patch, uncheck 'Enable autofix' to ensure autofix is turned off. If you want this scan to also repair the vulnerability, check the box 'Immediately install (repair) all applicable items'.

This will take precedence over Autofix settings, and will allow just patches that are found with this scan to be fixed.

 

6-scan ready.png

 

 

Run Scan - Run Now

 

  • Select the device(s) in inventory to be scanned
  • Right click and choose Patch and compliance scan now...

1-patch and compliance scan now.png

 

  • In the Patch/compliance scan now window,
    • Select Security and Patch scan
    • Click the drop down list and select the Distribution and patch setting previously configured.

2-scan now selection.png

 

  • A status window will appear indicating the state of the current scan.

3-progress.png

 

  • Once the scan completes, repairs and reporting can occur as needed.

Run Scan - Scheduled

 

In the event the scan needs to happen at a different date/time, or be recurring, it can be scheduled.

 

  • In the LDMS Core click Tools | Security and Compliance | Agent Settings
  • Click the Create a Task button (calendar icon)
  • Click Security scan...

1-sched.png

 

  • In the Patch and Compliance - scan task window, click Agent Settings
  • Click the drop down list for Distribution and patch, and select the previously configured setting.

2-agentsettings.png

 

  • Configure other settings as needed (Scheduled times, dates etc).
  • Save the task

How to patch Office 365


Overview:

LANDESK Patch and Compliance now provides support for Office 365 versions 2013 and 2016.  Patch and Compliance administrators can now scan, detect, and remediate client devices that have Office 365 installed. For Office 365 version 2013, LANDESK leverages the Microsoft Office Deployment Tool to perform the remediation tasks for updating Office 2013 installations. For Office 365 version 2016, LANDESK has developed an Office COM API to perform remediation tasks for updating Office 2016 installations. LANDESK provides a utility (Office365Util.exe) for you to download the Office installation data and to check the hash of the Office 2016 installation data. When the Office patches are downloaded, LANDESK checks the hash on the pertinent files to ensure validity.

Minimum LDMS Core version: 9.6 SP3. The process is only provided on 9.6 SP3 and newer versions.

 

 

High Level Process

 

  1. The LANDESK administrator downloads Office 365 definitions from the LANDESK global servers.
  2. Once the Office 365 definitions are downloaded to the core, the LANDESK administrator can scan for those Office 365 vulnerabilities.
  3. In order to remediate (apply the latest patches to) detected vulnerabilities, the LANDESK administrator has to manually run, on the core machine, a new tool provided by LANDESK (Office365Util.exe). Using this tool, the LANDESK administrator can choose the Office 365 versions that are relevant to the environment. The LANDESK Office 365 utility downloads the patch binaries and the Microsoft Office deployment tool from the Microsoft cloud.
  4. Once the patch binaries are downloaded to the core, the LANDESK administrator can apply the patches to all vulnerable endpoints using the standard method of applying patches.

Step 1: Download Content

 

Customers download the Office 365 vulnerability definitions, the O365Util.dll, and the Office365Util.exe from the LANDESK Global Host Content Server by downloading the latest Microsoft Windows Vulnerabilities.

 

Download Updates (Microsoft Windows Vulnerabilities): o365downloadupdates.jpg
Updating Definitions (Office365Util.exe/O365Util.dll): updates.jpg

 

Updating Definitions (MSO365): MSO365.jpg
MSOFFICE 365 (Vul_Defs), MSO365 (Vul_Defs): MSo365Def.jpg

Step 2: Launch Office365Util.exe

 

Upon successful content download, an Office365Utility folder is created under the LDLogon share and will contain the Office365Util.exe file provided by LANDESK.

 

\\Core_Server\LDLogon\Office365Utility

 

2017-10-18_1747.png
This utility allows you to select the specifics of the Office 365 product you are patching. Launch this utility directly from C:\Program Files\LANDesk\ManagementSuite\ldlogon\Office365Utility\ by double-clicking Office365Utility.exe (do not try to run it via the network share \\Core_Server\LDLogon\Office365Utility or \\localhost\LDlogon\Office365Utility, as you will get an error).

 

Step 3: Select Options from Office365Util

 

The views below show the available options inside the Office365Util application (LANDESK Office 365 Utility for Patch and Compliance).

Note that there is no Channel support for Office 2013.

 

Platforms: o365Patform.jpg
Deployment Tools: o365Utility2016.jpg

 

Channels: o365Channel.jpg
Office 365 (2013) Product List View: o365_2013.jpg

 

In order to successfully patch Office 365, select which Office 365 patch product updates to download in order to support client remediation. After selecting the desired product updates from the LANDESK Office 365 Utility for Patch and Compliance application, click START.

 

 

STARTo365.jpg

 

Office 365 Tool

 

The START action does two things:

 

  1. Create an Office365Tool folder under the LDLogon share and process the Microsoft setup.exe file

    \\Core_Server\LDLogon\Office365Tool

This folder contains the Deployment Tool type (2016 or 2013) selected during the download and all installation data applicable to the options selected in the LANDESK Office 365 Utility for Patch and Compliance application. The display below outlines the contents of both Deployment Tools (2016 and 2013).

 

If you have both 2016 and 2013 products in need of patching, the download has to be completed separately.

 

Office365Tool: oToolOverview.jpg
Deployment Tool Options: oToolBothPlats.jpg

 

2016 Content: 2016View.jpg
2013 Content: 2013View.jpg

   
  2. Create an Office365 folder under the LDLogon\Patch share that contains the patch file(s):

 

\\Core_Server\LDLogon\Patch\Office365

Patch Location

 

Updated Office 365 patching is not designed to take advantage of our download technology. The client device will NOT download o365 patch files from a preferred server or peer device. The files will be retrieved from the default or non-default patch location.

iis.jpg
explorer.jpg

 

Non-Default Patch Location

 

This section is only applicable to those who have changed the default download location for patches. After downloading the Office 365 patch updates and installation data with the LANDESK Office 365 tool, the following SOURCE will be in the vulnerability definition:

 

Office 365 (2016)

 

httpSourcesURL="Core_Server/LDLogon/Patch/Office365/DeploymentToolType/Channel/Architecture"

 

Ex: httpSourcesURL=http://2016E/ldlogon/patch/office365/2016/current/x64

Office 365 (2013)

httpSourcesURL=http://Core_Server/LDLogon/Patch/Office365/DeploymentToolType

 

Ex: httpSourcesURL= http://2016E/ldlogon/patch/office365/2013

 

In order for the Patch Install Commands in the vulnerability definition to interpret the correct patch location, the Custom Variable will have to be set in every MSO365 vulnerability definition.

 

To do this open the properties on the definition and select the Custom Variables tab. By default the value specified will resolve to the default patch location.

 

Sources.jpg

 

You will need to explicitly set the value to reflect the location your patches reside.

 

variable.jpg

 

The Patch Install Commands section of the definition utilizes a script that resolves the Custom Variable.

 

2016.jpg

 

References

How to change the default Patch Location for Security and Patch Manager

Microsoft Office 2016 Deployment Tool

Microsoft Office 2013 Deployment Tool for Click-to-Ru

Next Gen Microsoft Windows Vulnerabilities (beta) is not shown in the Patch Manager > Download updates > Windows > Vulnerabilities


 

screenshot epm 2017.3 download updates updates tab.PNG

 

To resolve the issue, select "Microsoft Windows Vulnerabilities", click the "Apply" button and then click the "Download now" button.

 

screenshot epm 2017.3 download updates updates tab selected windows vulnerabilities.PNG

 

Once the download completes, go back to "Download updates" and the definition type "Next Gen Microsoft Windows Vulnerabilities (beta)" will be shown.

screenshot epm 2017.3 download updates updates tab next gen microsoft windows vulnerabilities beta ticked.PNG

How to Give Support Information on False Patch Detections and Troubleshooting


 

This document goes over what to look for, and what to do, if you think a patch is detecting incorrectly on your devices.  Incorrect detections can happen when the detection logic is wrong and still reports the patch as needed although it has already been installed or is not applicable to the system, among other causes.  In this document you'll learn what to look for in the vulscan logs, which are required to submit the incorrect patch detection for review.

This document assumes you know how to find individual patches, create a patch group and move patches to it in the console and create a repair task on a specific patch or group of patches in the console.  It also assumes you have an understanding of repair tasks and how to add target devices to them and run the task.

 

Run a Repair Task

 

Running a repair task for the specific patch(es) gives support the best information.  A vulscan log that shows only one or two patches processing shows them detecting and installing, and is more concise and easier to read for details.  General vulscan logs are not ideal: many only show the patch detecting but not installing, and they contain a lot of unneeded information.  Running a repair task limited to the patches having the issue produces the best logs.

You can create a repair task by going to Tools > Security and Compliance > Patch and Compliance.  Click the Scan folder and find your patch.  When you find the patch having the issue, right-click it and, from the menu that appears, click Repair.  If you have a patch group or several patches you can do the same and create a repair task for several patches at the same time.

 

The Repair task dialog will open.  Most settings can be left at their defaults.  You can add a target device at this time as well.  If you have a maintenance window on your clients, be sure to check "Ignore Maintenance Window if specified" so the patch tries to install, as well as scan, in this repair task.

Once you have a target in your task run it and wait for it to complete.

 

Vulscan Log

 

The full vulscan log created by running the task is needed for us to determine the cause of the false detection.  The logs are located on the target device in the C:\programdata\Landesk\Log folder and are named vulscan.log; older logs have a number in the name.  The correct log file has lines near the top that carry the task ID in the policy file name, as shown in the example.  This information changes with each task.

 

Thu, 26 Oct 2017 14:59:37 Command line: /policyfile="C:\ProgramData\LANDesk\Policies\CP.2353.RunNow._iOiXj4cedTDG&#474FOGYMztt+mWNQ=.xml"
Thu, 26 Oct 2017 14:59:37 client policy file: C:\ProgramData\LANDesk\Policies\CP.2353.RunNow._iOiXj4cedTDG&#474FOGYMztt+mWNQ=.xml
Thu, 26 Oct 2017 14:59:37 Reading policy parameters
Thu, 26 Oct 2017 14:59:37 scan=0
Thu, 26 Oct 2017 14:59:37 scanFilter=INTL_4049179_MSU;INTL_3089023_MSU
Thu, 26 Oct 2017 14:59:37 fixnow=True
Thu, 26 Oct 2017 14:59:37    maintEnable=False

 

Once you have found the correct vulscan log, search the file for the all-capitals, case-sensitive string "DETECTED".  This yields the detection of the patch and the reason.  In our example the file version is outdated, and that is why the patch is reported as needed.

 

Thu, 26 Oct 2017 14:59:45 VUL: '3089023_MSU' (windows8.1-kb3089023-x64.msu) DETECTED.  Reason 'File C:\Windows\System32\flashplayerapp.exe version is less than the minimum version specified.'.  Expected '18.0.0.232'.  Found '11.3.300.265'.  Patch required 'windows8.1-kb3089023-x64.msu'.
Thu, 26 Oct 2017 14:59:45    Patch is NOT installed

 

You can see in the example that the patch was detected as needed because a file was at a lower version than the one in the patch.  Now scroll down to the bottom of the log file.  You'll see a "Patch Installation" header, and below it the details of what happened when the device attempted to install the patch. In our example the patch returned the error code 2149842967; converted to hex this is 0x80240017, which in the list of WUSA codes below means "Not Applicable".

Thu, 26 Oct 2017 15:03:21 Command Interpreter running
Thu, 26 Oct 2017 15:03:21 Setting current directory: C:\Program Files (x86)\LANDesk\LDClient\
Thu, 26 Oct 2017 15:03:21 Executing C:\Windows\system32\wusa.exe "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\windows8.1-kb3089023-x64.msu" /quiet /norestart
Thu, 26 Oct 2017 15:03:23 Exit Code: -2145124329 (0x80240017)
Thu, 26 Oct 2017 15:03:23 Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842967)
Thu, 26 Oct 2017 15:03:23 ERROR(EXECUTEFILE) Failed to run command - 80004005
Thu, 26 Oct 2017 15:03:23 DownloadPatch ERROR: Failed to run commands (80004005).
Thu, 26 Oct 2017 15:03:23 Last status: Failed
Thu, 26 Oct 2017 15:03:23 Stopping wuauserv service.
Thu, 26 Oct 2017 15:03:23 Stop service wuauserv
Thu, 26 Oct 2017 15:03:25 Successfully controlled the service.
Thu, 26 Oct 2017 15:03:25 DeferredReportAction: name 'windows8.1-kb3089023-x64.msu', code '1', type '-1', status 'Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842967)'
Thu, 26 Oct 2017 15:03:25 Running post-install/uninstall script
Thu, 26 Oct 2017 15:03:25 RunPatches completed.  1 processed.  0 installed. 1 failures.
Thu, 26 Oct 2017 15:03:25 Sending previous action history to core
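The two things the article asks you to pull out of a vulscan log (the DETECTED line with its expected/found values, and the WUSA exit code of the failed install) can be extracted with a short script so that a false-detection report is complete and the decimal/hex conversion is not done by hand. The following is an added example, not part of the article: it parses log lines of the shape shown above. The sample log is constructed from the excerpts above plus one extra, made-up KB entry (9999999) so that a non-suspect failure is also present; the code-name table is a two-entry subset of the WUSA table below, and the function names are the example's own.

```powershell
# Added example, not the article's code. Constructed sample: lines from the article
# plus one made-up KB (9999999) that fails with a different WUSA code.
$SampleVulscanLog = @'
Thu, 26 Oct 2017 14:59:45 VUL: '3089023_MSU' (windows8.1-kb3089023-x64.msu) DETECTED.  Reason 'File C:\Windows\System32\flashplayerapp.exe version is less than the minimum version specified.'.  Expected '18.0.0.232'.  Found '11.3.300.265'.  Patch required 'windows8.1-kb3089023-x64.msu'.
Thu, 26 Oct 2017 14:59:45    Patch is NOT installed
Thu, 26 Oct 2017 14:59:46 VUL: '9999999_MSU' (windows8.1-kb9999999-x64.msu) DETECTED.  Reason 'Registry key HKLM\SOFTWARE\Example\Installed is missing.'.  Expected '1'.  Found ''.  Patch required 'windows8.1-kb9999999-x64.msu'.
Thu, 26 Oct 2017 15:03:23 Exit Code: -2145124329 (0x80240017)
Thu, 26 Oct 2017 15:03:23 Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842967)
Thu, 26 Oct 2017 15:03:25 DeferredReportAction: name 'windows8.1-kb3089023-x64.msu', code '1', type '-1', status 'Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842967)'
Thu, 26 Oct 2017 15:03:40 DeferredReportAction: name 'windows8.1-kb9999999-x64.msu', code '1', type '-1', status 'Error: "C:\Windows\system32\wusa.exe" returned failure exit code (2149842966)'
'@

# Subset of the WUSA codes from the table below (hex HRESULT -> result string).
$WuResultStrings = @{
    '0x80240016' = 'WU_E_INSTALL_NOT_ALLOWED'
    '0x80240017' = 'WU_E_NOT_APPLICABLE'
}

function ConvertTo-HResultHex {
    # vulscan logs the WUSA code both as a signed int (-2145124329) and as an
    # unsigned decimal (2149842967); both are the same 32-bit HRESULT 0x80240017.
    param([Parameter(Mandatory)] [int64] $ExitCode)
    '0x{0:X8}' -f ($ExitCode -band 0xFFFFFFFF)
}

function Get-VulscanDetections {
    # One object per DETECTED line: what was found versus what the definition expects.
    param([Parameter(Mandatory)] [string] $LogText)
    $pattern = "^(?<ts>.+?\d{2}:\d{2}:\d{2}) VUL: '(?<id>[^']+)' \((?<file>[^)]+)\) DETECTED\.\s+" +
               "Reason '(?<reason>.+?)'\.\s+Expected '(?<expected>[^']*)'\.\s+Found '(?<found>[^']*)'"
    foreach ($line in $LogText -split '\r?\n') {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time     = $Matches.ts
                VulId    = $Matches.id
                Patch    = $Matches.file
                Reason   = $Matches.reason
                Expected = $Matches.expected
                Found    = $Matches.found
            }
        }
    }
}

function Get-VulscanInstallFailures {
    # Pairs each failed patch (DeferredReportAction line) with its HRESULT and WUSA result string.
    param([Parameter(Mandatory)] [string] $LogText)
    $pattern = "DeferredReportAction: name '(?<patch>[^']+)'.*returned failure exit code \((?<code>-?\d+)\)"
    foreach ($line in $LogText -split '\r?\n') {
        if ($line -match $pattern) {
            $hex  = ConvertTo-HResultHex ([int64]$Matches.code)
            $name = if ($WuResultStrings.ContainsKey($hex)) { $WuResultStrings[$hex] } else { 'UNKNOWN' }
            [pscustomobject]@{
                Patch        = $Matches.patch
                ExitCode     = $Matches.code
                HResult      = $hex
                ResultString = $name
            }
        }
    }
}

function Find-SuspectDetections {
    # The pattern the article describes: vulscan reports the patch as needed, but
    # WUSA rejects it as not applicable. Returns the patch names to report.
    param([Parameter(Mandatory)] [string] $LogText)
    $detected = @(Get-VulscanDetections -LogText $LogText | ForEach-Object { $_.Patch })
    Get-VulscanInstallFailures -LogText $LogText |
        Where-Object { $_.ResultString -eq 'WU_E_NOT_APPLICABLE' -and $detected -contains $_.Patch } |
        ForEach-Object { $_.Patch }
}

Get-VulscanDetections      -LogText $SampleVulscanLog | Format-Table Patch, Expected, Found, Reason -AutoSize
Get-VulscanInstallFailures -LogText $SampleVulscanLog | Format-Table -AutoSize
Find-SuspectDetections     -LogText $SampleVulscanLog   # windows8.1-kb3089023-x64.msu only
```

Run against a real log, replace $SampleVulscanLog with Get-Content -Raw on C:\ProgramData\LANDesk\Log\vulscan.log. The kb9999999 entry fails with 0x80240016 (another install in progress or a pending restart), which is a transient condition rather than a detection-logic problem, so it is correctly left out of the suspect list.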

 

Windows Update(WUSA) Error Codes

Result Code | Result String | Description
0x80240001 | WU_E_NO_SERVICE | Windows Update Agent was unable to provide the service.
0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.
0x80240003 | WU_E_UNKNOWN_ID | An ID cannot be found.
0x80240004 | WU_E_NOT_INITIALIZED | The object could not be initialized.
0x80240005 | WU_E_RANGEOVERLAP | The update handler requested a byte range that overlaps a previously requested range.
0x80240006 | WU_E_TOOMANYRANGES | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
0x80240007 | WU_E_INVALIDINDEX | The index to a collection was invalid.
0x80240008 | WU_E_ITEMNOTFOUND | The key for the item queried could not be found.
0x80240009 | WU_E_OPERATIONINPROGRESS | A conflicting operation was in progress. Some operations (such as installation) cannot be performed simultaneously.
0x8024000A | WU_E_COULDNOTCANCEL | Cancellation of the operation was not allowed.
0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled.
0x8024000C | WU_E_NOOP | No operation was required.
0x8024000D | WU_E_XML_MISSINGDATA | Windows Update Agent could not find the required information in the update's XML data.
0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data.
0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.
0x80240010 | WU_E_TOO_DEEP_RELATION | Update relationships that are too deep were evaluated.
0x80240011 | WU_E_INVALID_RELATIONSHIP | An invalid update relationship was detected.
0x80240012 | WU_E_REG_VALUE_INVALID | An invalid registry value was read.
0x80240013 | WU_E_DUPLICATE_ITEM | Operation tried to add a duplicate item to a list.
0x80240016 | WU_E_INSTALL_NOT_ALLOWED | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
0x80240017 | WU_E_NOT_APPLICABLE | Operation was not performed because there are no applicable updates.
0x80240018 | WU_E_NO_USERTOKEN | Operation failed because a required user token is missing.
0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT | An exclusive update cannot be installed with other updates at the same time.
0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.
0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS | The operation could not be performed because the Windows Update Agent is self-updating.
0x8024001D | WU_E_INVALID_UPDATE | An update contains invalid metadata.
0x8024001E | WU_E_SERVICE_STOP | Operation did not complete because the service or system was being shut down.
0x8024001F | WU_E_NO_CONNECTION | Operation did not complete because the network connection was unavailable.
0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user.
0x80240021 | WU_E_TIME_OUT | Operation did not complete because it timed out.
0x80240022 | WU_E_ALL_UPDATES_FAILED | Operation failed for all the updates.
0x80240023 | WU_E_EULAS_DECLINED | The license terms for all updates were declined.
0x80240024 | WU_E_NO_UPDATE | There are no updates.
0x80240025 | WU_E_USER_ACCESS_DISABLED | Group Policy settings prevented access to Windows Update.
0x80240026 | WU_E_INVALID_UPDATE_TYPE | The type of update is invalid.
0x80240027 | WU_E_URL_TOO_LONG | The URL exceeded the maximum length.
0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED | The update could not be uninstalled because the request did not originate from a WSUS server.
0x80240029 | WU_E_INVALID_PRODUCT_LICENSE | Search may have missed some updates before there is an unlicensed application on the system.
0x8024002A | WU_E_MISSING_HANDLER | A component that is required to detect applicable updates was missing.
0x8024002B | WU_E_LEGACYSERVER | An operation did not complete because it requires a newer version of server software.
0x8024002C | WU_E_BIN_SOURCE_ABSENT | A delta-compressed update could not be installed because it required the source.
0x8024002D | WU_E_SOURCE_ABSENT | A full-file update could not be installed because it required the source.
0x8024002E | WU_E_WU_DISABLED | Access to an unmanaged server is not allowed.
0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY | Operation did not complete because the DisableWindowsUpdateAccess policy was set.
0x80240030 | WU_E_INVALID_PROXY_SERVER | The format of the proxy list was invalid.
0x80240031 | WU_E_INVALID_FILE | The file is in the wrong format.
0x80240032 | WU_E_INVALID_CRITERIA | The search criteria string was invalid.
0x80240033 | WU_E_EULA_UNAVAILABLE | License terms could not be downloaded.
0x80240034 | WU_E_DOWNLOAD_FAILED | Update failed to download.
0x80240035 | WU_E_UPDATE_NOT_PROCESSED | The update was not processed.
0x80240036 | WU_E_INVALID_OPERATION | The object's current state did not allow the operation.
0x80240037 | WU_E_NOT_SUPPORTED | The functionality for the operation is not supported.
0x80240038WU_E_WINHTTP_INVALID_FILEThe downloaded file has an unexpected content type.
0x80240039WU_E_TOO_MANY_RESYNCThe agent was asked by server to synchronize too many times.
0x80240040WU_E_NO_SERVER_CORE_SUPPORTWUA API method does not run on a Server Core installation option of the Windows 2008 R2 operating system.
0x80240041WU_E_SYSPREP_IN_PROGRESSService is not available when sysprep is running.
0x80240042WU_E_UNKNOWN_SERVICEThe update service is no longer registered with Automatic Updates.
0x80240FFFWU_E_UNEXPECTEDAn operation failed due to reasons not covered by another error code.
0x80241001WU_E_MSI_WRONG_VERSIONSearch may have missed some updates because Windows Installer is less than version 3.1.
0x80241002WU_E_MSI_NOT_CONFIGUREDSearch may have missed some updates because Windows Installer is not configured.
0x80241003WU_E_MSP_DISABLEDSearch may have missed some updates because a policy setting disabled Windows Installer patching.
0x80241004WU_E_MSI_WRONG_APP_CONTEXTAn update could not be applied because the application is installed per-user.
0x80241FFFWU_E_MSP_UNEXPECTEDSearch may have missed some updates because there was a failure of Windows Installer.
0x80242000WU_E_UH_REMOTEUNAVAILABLEA request for a remote update handler could not be completed because no remote process is available.
0x80242001WU_E_UH_LOCALONLYA request for a remote update handler could not be completed because the handler is local only.
0x80242002WU_E_UH_UNKNOWNHANDLERA request for an update handler could not be completed because the handler could not be recognized.
0x80242003WU_E_UH_REMOTEALREADYACTIVEA remote update handler could not be created because one already exists.
0x80242004WU_E_UH_DOESNOTSUPPORTACTIONA request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall).
0x80242005WU_E_UH_WRONGHANDLERAn operation did not complete because the wrong handler was specified.
0x80242006WU_E_UH_INVALIDMETADATAA handler operation could not be completed because the update contains invalid metadata.
0x80242007WU_E_UH_INSTALLERHUNGAn operation could not be completed because the installer exceeded the time limit.
0x80242008WU_E_UH_OPERATIONCANCELLEDAn operation being done by the update handler was cancelled.
0x80242009WU_E_UH_BADHANDLERXMLAn operation could not be completed because the handler-specific metadata is invalid.
0x8024200AWU_E_UH_CANREQUIREINPUTA request to the handler to install an update could not be completed because the update requires user input.
0x8024200BWU_E_UH_INSTALLERFAILUREThe installer failed to install (uninstall) one or more updates.
0x8024200CWU_E_UH_FALLBACKTOSELFCONTAINEDThe update handler should download self-contained content rather than delta-compressed content for the update.
0x8024200DWU_E_UH_NEEDANOTHERDOWNLOADThe update handler did not install the update because the update needs to be downloaded again.
0x8024200EWU_E_UH_NOTIFYFAILUREThe update handler failed to send notification of the status of the install (uninstall) operation.
0x8024200FWU_E_UH_INCONSISTENT_FILE_NAMESThe file names in the update metadata are inconsistent with the file names in the update package.
0x80242010WU_E_UH_FALLBACKERRORThe update handler failed to fall back to the self-contained content.
0x80242011WU_E_UH_TOOMANYDOWNLOADREQUESTSThe update handler has exceeded the maximum number of download requests.
0x80242012WU_E_UH_UNEXPECTEDCBSRESPONSEThe update handler has received an unexpected response from CBS.
0x80242013WU_E_UH_BADCBSPACKAGEIDThe update metadata contains an invalid CBS package identifier.
0x80242014WU_E_UH_POSTREBOOTSTILLPENDINGThe post-reboot operation for the update is still in progress.
0x80242015WU_E_UH_POSTREBOOTRESULTUNKNOWNThe result of the post-reboot operation for the update could not be determined.
0x80242016WU_E_UH_POSTREBOOTUNEXPECTEDSTATEThe state of the update after its post-reboot operation has completed is unexpectedly.
0x80242017WU_E_UH_NEW_SERVICING_STACK_REQUIREDThe operating system servicing stack must be updated before this update is downloaded or installed.
0x80242FFFWU_E_UH_UNEXPECTEDThis update handler error is not covered by another WU_E_UH_* code.
0x80243001WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSIONThe results of the download and installation could not be read in the registry due to an unrecognized data format version.
0x80243002WU_E_INSTALLATION_RESULTS_INVALID_DATAThe results of download and installation could not be read in the registry due to an invalid data format.
0x80243003WU_E_INSTALLATION_RESULTS_NOT_FOUNDThe results of download and installation are not available; the operation may have failed to start.
0x80243004WU_E_TRAYICON_FAILUREA failure occurred when trying to create an icon in the notification area.
0x80243FFDWU_E_NON_UI_MODEUnable to show the user interface (UI) when in a non-UI mode; Windows Update (WU) client UI modules may not be installed.
0x80243FFEWU_E_WUCLTUI_UNSUPPORTED_VERSIONUnsupported version of WU client UI exported functions.
0x80243FFFWU_E_AUCLIENT_UNEXPECTEDThere was a user interface error not covered by another WU_E_AUCLIENT_* error code.
0x80244000WU_E_PT_SOAPCLIENT_BASEWU_E_PT_SOAPCLIENT_* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library.
0x80244001WU_E_PT_SOAPCLIENT_INITIALIZEInitialization of the SOAP client failed, possibly because of an MSXML installation failure.
0x80244002WU_E_PT_SOAPCLIENT_OUTOFMEMORYSOAP client failed because it ran out of memory.
0x80244003WU_E_PT_SOAPCLIENT_GENERATESOAP client failed to generate the request.
0x80244004WU_E_PT_SOAPCLIENT_CONNECTSOAP client failed to connect to the server.
0x80244005WU_E_PT_SOAPCLIENT_SENDSOAP client failed to send a message due to WU_E_WINHTTP_* error codes.
0x80244006WU_E_PT_SOAPCLIENT_SERVERSOAP client failed because there was a server error.
0x80244007WU_E_PT_SOAPCLIENT_SOAPFAULTSOAP client failed because there was a SOAP fault due to WU_E_PT_SOAP_* error codes.
0x80244008WU_E_PT_SOAPCLIENT_PARSEFAULTSOAP client failed to parse a SOAP fault.
0x80244009WU_E_PT_SOAPCLIENT_READSOAP client failed while reading the response from the server.
0x8024400AWU_E_PT_SOAPCLIENT_PARSESOAP client failed to parse the response from the server.
0x8024400BWU_E_PT_SOAP_VERSIONSOAP client found an unrecognizable namespace for the SOAP envelope.
0x8024400CWU_E_PT_SOAP_MUST_UNDERSTANDSOAP client was unable to understand a header.
0x8024400DWU_E_PT_SOAP_CLIENTSOAP client found the message was malformed (fix before resending).
0x8024400EWU_E_PT_SOAP_SERVERThe SOAP message could not be processed due to a server error (resend later).
0x8024400FWU_E_PT_WMI_ERRORThere was an unspecified Windows Management Instrumentation (WMI) error.
0x80244010WU_E_PT_EXCEEDED_MAX_SERVER_TRIPSThe number of round trips to the server exceeded the maximum limit.
0x80244011WU_E_PT_SUS_SERVER_NOT_SETWUServer policy value is missing in the registry.
0x80244012WU_E_PT_DOUBLE_INITIALIZATIONInitialization failed because the object was already initialized.
0x80244013WU_E_PT_INVALID_COMPUTER_NAMEThe computer name could not be determined.
0x80244015WU_E_PT_REFRESH_CACHE_REQUIREDThe reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry.
0x80244016WU_E_PT_HTTP_STATUS_BAD_REQUESTHTTP 400 - the server could not process the request due to invalid syntax.
0x80244017WU_E_PT_HTTP_STATUS_DENIEDHTTP 401 - the requested resource requires user authentication.
0x80244018WU_E_PT_HTTP_STATUS_FORBIDDENHTTP 403 - server understood the request, but declined to fulfill it.
0x80244019WU_E_PT_HTTP_STATUS_NOT_FOUNDHTTP 404 - the server cannot find the requested Uniform Resource Identifier (URI).
0x8024401AWU_E_PT_HTTP_STATUS_BAD_METHODHTTP 405 - the HTTP method is not allowed.
0x8024401BWU_E_PT_HTTP_STATUS_PROXY_AUTH_REQHTTP 407 - proxy authentication is required.
0x8024401CWU_E_PT_HTTP_STATUS_REQUEST_TIMEOUTHTTP 408 - the server timed out waiting for the request.
0x8024401DWU_E_PT_HTTP_STATUS_CONFLICTHTTP 409 - the request was not completed due to a conflict with the current state of the resource.
0x8024401EWU_E_PT_HTTP_STATUS_GONEHTTP 410 - the requested resource is no longer available at the server.
0x8024401FWU_E_PT_HTTP_STATUS_SERVER_ERRORHTTP 500 - an error internal to the server prevented fulfilling the request.
0x80244020WU_E_PT_HTTP_STATUS_NOT_SUPPORTEDHTTP 501 - server does not support the functionality that is required to fulfill the request.
0x80244021WU_E_PT_HTTP_STATUS_BAD_GATEWAYHTTP 502 - the server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed when attempting to fulfill the request.
0x80244022WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILHTTP 503 - the service is temporarily overloaded.
0x80244023WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUTHTTP 504 - the request was timed out waiting for a gateway.
0x80244024WU_E_PT_HTTP_STATUS_VERSION_NOT_SUPHTTP 505 - the server does not support the HTTP protocol version used for the request.
0x80244025WU_E_PT_FILE_LOCATIONS_CHANGEDOperation failed due to a changed file location; refresh internal state and resend.
0x80244026WU_E_PT_REGISTRATION_NOT_SUPPORTEDOperation failed because Windows Update Agent does not support registration with a non-WSUS server.
0x80244027WU_E_PT_NO_AUTH_PLUGINS_REQUESTEDThe server returned an empty authentication information list.
0x80244028WU_E_PT_NO_AUTH_COOKIES_CREATEDWindows Update Agent was unable to create any valid authentication cookies.
0x80244029WU_E_PT_INVALID_CONFIG_PROPA configuration property value was wrong.
0x8024402AWU_E_PT_CONFIG_PROP_MISSINGA configuration property value was missing.
0x8024402BWU_E_PT_HTTP_STATUS_NOT_MAPPEDThe HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_* error codes.
0x8024402CWU_E_PT_WINHTTP_NAME_NOT_RESOLVEDThe proxy server or target server name cannot be resolved.
0x8024402FWU_E_PT_ECP_SUCCEEDED_WITH_ERRORSExternal .cab file processing completed with some errors.
0x80244030WU_E_PT_ECP_INIT_FAILEDThe external .cab file processor initialization did not complete.
0x80244031WU_E_PT_ECP_INVALID_FILE_FORMATThe format of a metadata file was invalid.
0x80244032WU_E_PT_ECP_INVALID_METADATAExternal .cab file processor found invalid metadata.
0x80244033WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGESTThe file digest could not be extracted from an external .cab file.
0x80244034WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILEAn external .cab file could not be decompressed.
0x80244035WU_E_PT_ECP_FILE_LOCATION_ERRORExternal .cab processor was unable to get file locations.
0x80244FFFWU_E_PT_UNEXPECTEDThere was a communication error not covered by another WU_E_PT_* error code
0x80245001WU_E_REDIRECTOR_LOAD_XMLThe redirector XML document could not be loaded into the Document Object Model (DOM) class.
0x80245002WU_E_REDIRECTOR_S_FALSEThe redirector XML document is missing some required information.
0x80245003WU_E_REDIRECTOR_ID_SMALLERThe redirector ID in the downloaded redirector .cab file is less than in the cached .cab file.
0x8024502DWU_E_PT_SAME_REDIR_IDWindows Update Agent failed to download a redirector .cab file with a new redirector ID value from the server during the recovery.
0x8024502EWU_E_PT_NO_MANAGED_RECOVERA redirector recovery action did not complete because the server is managed.
0x80245FFFWU_E_REDIRECTOR_UNEXPECTEDThe redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.
0x80246001WU_E_DM_URLNOTAVAILABLEA download manager operation could not be completed because the requested file does not have a URL.
0x80246002WU_E_DM_INCORRECTFILEHASHA download manager operation could not be completed because the file digest was not recognized.
0x80246003WU_E_DM_UNKNOWNALGORITHMA download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.
0x80246004WU_E_DM_NEEDDOWNLOADREQUESTAn operation could not be completed because a download request is required from the download handler.
0x80246005WU_E_DM_NONETWORKA download manager operation could not be completed because the network connection was unavailable.
0x80246006WU_E_DM_WRONGBITSVERSIONA download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible.
0x80246007WU_E_DM_NOTDOWNLOADEDThe update has not been downloaded.
0x80246008WU_E_DM_FAILTOCONNECTTOBITSA download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS).
0x80246009WU_E_DM_BITSTRANSFERERRORA download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.
0x8024600aWU_E_DM_DOWNLOADLOCATIONCHANGEDA download must be restarted because the location of the source of the download has changed.
0x8024600BWU_E_DM_CONTENTCHANGEDA download must be restarted because the update content changed in a new revision.
0x80246FFFWU_E_DM_UNEXPECTEDThere was a download manager error not covered by another WU_E_DM_* error code.
0x80247001WU_E_OL_INVALID_SCANFILEAn operation could not be completed because the scan package was invalid.
0x80247002WU_E_OL_NEWCLIENT_REQUIREDAn operation could not be completed because the scan package requires a greater version of the Windows Update Agent.
0x80247FFFWU_E_OL_UNEXPECTEDSearch using the scan package failed.
0x80248000WU_E_DS_SHUTDOWNAn operation failed because Windows Update Agent is shutting down.
0x80248001WU_E_DS_INUSEAn operation failed because the data store was in use.
0x80248002WU_E_DS_INVALIDThe current and expected states of the data store do not match.
0x80248003WU_E_DS_TABLEMISSINGThe data store is missing a table.
0x80248004WU_E_DS_TABLEINCORRECTThe data store contains a table with unexpected columns.
0x80248005WU_E_DS_INVALIDTABLENAMEA table could not be opened because the table is not in the data store.
0x80248006WU_E_DS_BADVERSIONThe current and expected versions of the data store do not match.
0x80248007WU_E_DS_NODATAThe information requested is not in the data store.
0x80248008WU_E_DS_MISSINGDATAThe data store is missing required information or has a null value in a table column that requires a non-null value.
0x80248009WU_E_DS_MISSINGREFThe data store is missing required information or has a reference to missing license terms, a file, a localized property, or a linked row.
0x8024800AWU_E_DS_UNKNOWNHANDLERThe update was not processed because its update handler could not be recognized.
0x8024800BWU_E_DS_CANTDELETEThe update was not deleted because it is still referenced by one or more services.
0x8024800CWU_E_DS_LOCKTIMEOUTEXPIREDThe data store section could not be locked within the allotted time.
0x8024800DWU_E_DS_NOCATEGORIESThe category was not added because it contains no parent categories, and it is not a top-level category.
0x8024800EWU_E_DS_ROWEXISTSThe row was not added because an existing row has the same primary key.
0x8024800FWU_E_DS_STOREFILELOCKEDThe data store could not be initialized because it was locked by another process.
0x80248010WU_E_DS_CANNOTREGISTERThe data store is not allowed to be registered with COM in the current process.
0x80248011WU_E_DS_UNABLETOSTARTCould not create a data store object in another process.
0x80248013WU_E_DS_DUPLICATEUPDATEIDThe server sent the same update to the client computer, with two different revision IDs.
0x80248014WU_E_DS_UNKNOWNSERVICEAn operation did not complete because the service is not in the data store.
0x80248015WU_E_DS_SERVICEEXPIREDAn operation did not complete because the registration of the service has expired.
0x80248016WU_E_DS_DECLINENOTALLOWEDA request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.
0x80248017WU_E_DS_TABLESESSIONMISMATCHA table was not closed because it is not associated with the session.
0x80248018WU_E_DS_SESSIONLOCKMISMATCHA table was not closed because it is not associated with the session.
0x80248019WU_E_DS_NEEDWINDOWSSERVICEA request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and Automatic Updates cannot fall back to another service.
0x8024801AWU_E_DS_INVALIDOPERATIONA request was declined because the operation is not allowed.
0x8024801BWU_E_DS_SCHEMAMISMATCHThe schema of the current data store and the schema of a table in a backup XML document do not match.
0x8024801CWU_E_DS_RESETREQUIREDThe data store requires a session reset; release the session and retry with a new session.
0x8024801DWU_E_DS_IMPERSONATEDA data store operation did not complete because it was requested with an impersonated identity.
0x80248FFFWU_E_DS_UNEXPECTEDThere was a data store error not covered by another WU_E_DS_* code.
0x80249001WU_E_INVENTORY_PARSEFAILEDParsing of the rule file failed.
0x80249002WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILEDFailed to get the requested inventory type from the server.
0x80249003WU_E_INVENTORY_RESULT_UPLOAD_FAILEDFailed to upload inventory result to the server.
0x80249004WU_E_INVENTORY_UNEXPECTEDThere was an inventory error not covered by another error code.
0x80249005WU_E_INVENTORY_WMI_ERRORA WMI error occurred when enumerating the instances for a particular class.
0x8024A000WU_E_AU_NOSERVICEAutomatic Updates was unable to service incoming requests.
0x8024A002WU_E_AU_NONLEGACYSERVERThe old version of Automatic Updates has stopped because the WSUS server has been upgraded.
0x8024A003WU_E_AU_LEGACYCLIENTDISABLEDThe old version of Automatic Updates was disabled.
0x8024A004WU_E_AU_PAUSEDAutomatic Updates was unable to process incoming requests because it was paused.
0x8024A005WU_E_AU_NO_REGISTERED_SERVICENo unmanaged service is registered with AU.
0x8024AFFFWU_E_AU_UNEXPECTEDThere was an Automatic Updates error not covered by another WU_E_AU * code.
0x8024C001WU_E_DRV_PRUNEDA driver was skipped.
0x8024C002WU_E_DRV_NOPROP_OR_LEGACYA property for the driver could not be found. It may not conform with required specifications.
0x8024C003WU_E_DRV_REG_MISMATCHThe registry type read for the driver does not match the expected type.
0x8024C004WU_E_DRV_NO_METADATAThe driver update is missing metadata.
0x8024C005WU_E_DRV_MISSING_ATTRIBUTEThe driver update is missing a required attribute.
0x8024C006WU_E_DRV_SYNC_FAILEDDriver synchronization failed.
0x8024C007WU_E_DRV_NO_PRINTER_CONTENTInformation required for the synchronization of applicable printers is missing.
0x8024CFFFWU_E_DRV_UNEXPECTEDThere was a driver error not covered by another WU_E_DRV_* code.
0x8024D001WU_E_SETUP_INVALID_INFDATAWindows Update Agent could not be updated because an .inf file contains invalid information.
0x8024D002WU_E_SETUP_INVALID_IDENTDATAWindows Update Agent could not be updated because the wuident.cab file contains invalid information.
0x8024D003WU_E_SETUP_ALREADY_INITIALIZEDWindows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.
0x8024D004WU_E_SETUP_NOT_INITIALIZEDWindows Update Agent could not be updated because setup initialization never completed successfully.
0x8024D005WU_E_SETUP_SOURCE_VERSION_MISMATCHWindows Update Agent could not be updated because the versions specified in the .inf file do not match the actual source file versions.
0x8024D006WU_E_SETUP_TARGET_VERSION_GREATERWindows Update Agent could not be updated because a Windows Update Agent file on the target system is newer than the corresponding source file.
0x8024D007WU_E_SETUP_REGISTRATION_FAILEDWindows Update Agent could not be updated because regsvr32.exe returned an error.
0x8024D008WU_E_SELFUPDATE_SKIP_ON_FAILUREAn update to the Windows Update Agent was skipped because previous attempts to update failed.
0x8024D009WU_E_SETUP_SKIP_UPDATEAn update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.
0x8024D00AWU_E_SETUP_UNSUPPORTED_CONFIGURATIONWindows Update Agent could not be updated because the current system configuration is not supported.
0x8024D00BWU_E_SETUP_BLOCKED_CONFIGURATIONWindows Update Agent could not be updated because the system is configured to block the update.
0x8024D00CWU_E_SETUP_REBOOT_TO_FIXWindows Update Agent could not be updated because a restart of the system is required.
0x8024D00DWU_E_SETUP_ALREADYRUNNINGWindows Update Agent setup is already running.
0x8024D00EWU_E_SETUP_REBOOTREQUIREDWindows Update Agent setup package requires a reboot to complete installation.
0x8024D00FWU_E_SETUP_HANDLER_EXEC_FAILUREWindows Update Agent could not be updated because the setup handler failed when it was run.
0x8024D010WU_E_SETUP_INVALID_REGISTRY_DATAWindows Update Agent could not be updated because the registry contains invalid information.
0x8024D011WU_E_SELFUPDATE_REQUIREDWindows Update Agent must be updated before search can continue.
0x8024D012WU_E_SELFUPDATE_REQUIRED_ADMINWindows Update Agent must be updated before search can continue. An administrator is required to perform the operation.
0x8024D013WU_E_SETUP_WRONG_SERVER_VERSIONWindows Update Agent could not be updated because the server does not contain update information for this version.
0x8024DFFFWU_E_SETUP_UNEXPECTEDWindows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.
0x8024E001WU_E_EE_UNKNOWN_EXPRESSIONAn expression evaluator operation could not be completed because an expression was unrecognized.
0x8024E002WU_E_EE_INVALID_EXPRESSIONAn expression evaluator operation could not be completed because an expression was invalid.
0x8024E003WU_E_EE_MISSING_METADATAAn expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.
0x8024E004WU_E_EE_INVALID_VERSIONAn expression evaluator operation could not be completed because the version of the serialized expression data is invalid.
0x8024E005WU_E_EE_NOT_INITIALIZEDThe expression evaluator could not be initialized.
0x8024E006WU_E_EE_INVALID_ATTRIBUTEDATAAn expression evaluator operation could not be completed because there was an invalid attribute.
0x8024E007WU_E_EE_CLUSTER_ERRORAn expression evaluator operation could not be completed because the cluster state of the computer could not be determined.
0x8024EFFFWU_E_EE_UNEXPECTEDThere was an expression evaluator error not covered by another WU_E_EE_* error code.
0x8024F001WU_E_REPORTER_EVENTCACHECORRUPTThe event cache file was defective.
0x8024F002WU_E_REPORTER_

 

EVENTNAMESPACEPARSEFAILED
The XML in the event namespace descriptor could not be parsed.
0x8024F003WU_E_INVALID_EVENTThe XML in the event namespace descriptor could not be parsed.
0x8024F004WU_E_SERVER_BUSYThe server rejected an event because the server was too busy.
0x8024FFFFWU_E_REPORTER_UNEXPECTEDThere was a reporter error not covered by another error code.

Windows Update Agent Result Codes

 

Manually Testing the Patch

It is best practice to download the patch to the device and run it manually in the GUI.  The patch should display a dialog giving the same reason it will not install. Once you have verified why the patch will not install manually, contact support and be sure to upload the vulscan log from the repair task to the case.

 

Detection Issues That Support Likely Will Not Be Able to Resolve

Certain false detection issues can occur that support will likely be unable to troubleshoot or resolve.  The most likely of these involves our PowerShell scripts running on Windows 7 devices. The example from another vulscan log below shows a script error when the detection script tries to run on a device.

Mon, 23 Oct 2017 14:58:48 File OSVERSION version within specified
Mon, 23 Oct 2017 14:58:48 Prod Windows 7 Service Pack 1 (ID:WIN7SP1) verified OSVERSION, found: 6.1.7601.1
Mon, 23 Oct 2017 14:58:48 Prod Windows 7 Service Pack 1 (ID:WIN7SP1) verified C:\Windows\explorer.exe, found: C:\Windows\explorer.exe
Mon, 23 Oct 2017 14:58:48 Running detection script
Mon, 23 Oct 2017 14:58:48 Content filename: 'RollupFixB201710.ps1'
Mon, 23 Oct 2017 14:58:48 Writing script content to file 'C:\Windows\TEMP\RollupFixB201710.ps1' starting at line 5
Mon, 23 Oct 2017 14:58:48 Launching external script processor: <powershell.exe>
Mon, 23 Oct 2017 14:58:48 args: <-executionpolicy bypass C:\Windows\TEMP\RollupFixB201710.ps1>
Mon, 23 Oct 2017 14:58:48 External timeout: 60
Mon, 23 Oct 2017 14:58:48 Called CreateProcess: "powershell.exe"
Mon, 23 Oct 2017 14:58:48 Error 2 launching application <powershell.exe>
Mon, 23 Oct 2017 14:58:48 4041681_MSU detected
Mon, 23 Oct 2017 14:58:48 VUL: '4041681_MSU' (windows6.1-kb4041681-x86.msu) DETECTED. Reason 'Unexpected error in custom script source. See agent log for details'. Expected ''. Found ''. Patch required 'windows6.1-kb4041681-x86.msu'.

Mon, 23 Oct 2017 14:58:48 Patch is NOT installed
Mon, 23 Oct 2017 14:58:48 Last status: Done

 

You can see from the log that the script attempted to run but failed with an 'Unexpected error in custom script source. See agent log for details' error. In all cases where we cannot get a proper detection from our scripts, Ivanti errs on the side of caution: the definition is reported as DETECTED and the patch will be installed just to be safe.

Issues that arise from script errors are difficult or impossible for us to troubleshoot.  The likely cause is a security setting or an antivirus/anti-malware program that prevents the script from running.  GPOs and PowerShell execution policies can also interfere if they are enabled in the customer's environment. Since issues like this cannot be replicated in our test labs and are unique to the customer's environment, the customer is advised to do some troubleshooting first: lower security settings and restrictions on a test device and see whether the script then runs properly, before contacting support.
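The pattern in the excerpt above (a detection script that fails to launch, followed by a defensive DETECTED verdict) can be pulled out of a vulscan log automatically. This is an added example, not Ivanti's code; the sample lines are constructed from the excerpt, and $LogPath is an assumed placeholder for a real log file.

```powershell
# Added example, not part of vulscan: correlate "Error N launching application"
# lines with the DETECTED verdict that follows them, and translate the Win32
# error number (here 2 = ERROR_FILE_NOT_FOUND) into readable text.
function Get-VulscanScriptFailures {
    param([Parameter(Mandatory)][string[]]$Lines)

    $results      = @()
    $pendingError = $null

    foreach ($line in $Lines) {
        # A failed launch of the external script processor (e.g. powershell.exe)
        if ($line -match 'Error (\d+) launching application <([^>]+)>') {
            $code = [int]$Matches[1]
            $pendingError = [pscustomobject]@{
                ErrorCode   = $code
                Application = $Matches[2]
                # .NET resolves a Win32 error number to the system's message text
                ErrorText   = (New-Object System.ComponentModel.Win32Exception($code)).Message
            }
            continue
        }

        # The verdict vulscan logs after a script problem: it errs toward DETECTED
        if ($pendingError -and
            $line -match "VUL: '([^']+)' \(([^)]+)\) DETECTED\. Reason '([^']+)'") {
            $results += [pscustomobject]@{
                Definition  = $Matches[1]
                Patch       = $Matches[2]
                Reason      = $Matches[3]
                Application = $pendingError.Application
                LaunchError = $pendingError.ErrorCode
                LaunchText  = $pendingError.ErrorText
            }
            $pendingError = $null
        }
    }
    return $results
}

# Constructed sample, taken from the log excerpt in the article above
$sampleLog = @(
    "Mon, 23 Oct 2017 14:58:48 Launching external script processor: <powershell.exe>",
    "Mon, 23 Oct 2017 14:58:48 Called CreateProcess: ""powershell.exe""",
    "Mon, 23 Oct 2017 14:58:48 Error 2 launching application <powershell.exe>",
    "Mon, 23 Oct 2017 14:58:48 VUL: '4041681_MSU' (windows6.1-kb4041681-x86.msu) DETECTED. Reason 'Unexpected error in custom script source. See agent log for details'. Expected ''. Found ''. Patch required 'windows6.1-kb4041681-x86.msu'."
)

Get-VulscanScriptFailures -Lines $sampleLog | Format-List

# Against a real log ($LogPath is an assumed placeholder):
# Get-VulscanScriptFailures -Lines (Get-Content $LogPath) | Format-Table -AutoSize
```

A launch error of 2 means the script processor itself could not be found, which is a different problem from a script that starts and is then blocked, so the LaunchText column tells you which of the two you are chasing before you start relaxing policies on the test device.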

How to Tell if Ivanti Endpoint Manager is Rebooting Your Devices


 

Log in to a client device. Press the Windows + R keys to open the Run dialog, type eventvwr.msc, and press Enter.

If prompted by UAC, then click on Yes (Windows 7/8/10) or Continue (Vista).

In the left pane of Event Viewer, double click on Windows Logs to expand it, click on System to select it, then right click on System, and click on Filter Current Log.

 

Standard Shutdown Events

Click on the drop down arrow to the right of Event Sources, check the USER32 box.

In the Includes/Excludes field, type: 1074, then click on OK.

This will give you a list of events whose Shutdown Type is power off (shutdown) or restart, at the top of the middle pane in Event Viewer.

You can scroll through these listed events to find the events with power off as the Shutdown Type. You will notice the date and time, and what process was responsible for shutting down the computer per power off event listed.

In the highlighted example you can see that vulscan called the reboot.  If Endpoint Manager calls a reboot, this is typically what you will see.  A reboot called by any other process is not being controlled by Ivanti.

To See the Dates and Times of All Unexpected Shut Downs of the Computer

These are typically crashes. While the information might not be complete, it can be useful when troubleshooting unexpected shutdowns.

Click on the drop down arrow to the right of Event Sources, check the USER32 box.

In the Includes/Excludes field, type: 6008, then click on OK.

 

This will give you a list of unexpected shutdown events at the top of the middle pane in Event Viewer. You can scroll through these listed events to see the date and time of each one.

When finished, you can close Event Viewer.
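The two Event Viewer filters above, as PowerShell functions that can be run against a remote device or scheduled across a fleet. This is an added example and not part of the original article; it assumes event 1074 carries its data in the usual order (process, computer, reason, reason code, shutdown type, comment, user) and that an Endpoint Manager reboot shows vulscan.exe as the initiating process, as the article describes.

```powershell
# Added example, not part of the original article: the Event Viewer filters from
# the steps above (USER32 event 1074 for planned shutdowns/restarts, event 6008 for
# unexpected shutdowns) as PowerShell functions. Run from an elevated session.
# Assumption: event 1074 properties are ordered
# 0 process, 1 computer, 2 reason, 3 reason code, 4 shutdown type, 5 comment, 6 user.

function Get-PlannedShutdownEvents {
    param(
        [int]$Days = 30,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'User32'
        Id           = 1074
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Computer     = $_.MachineName
                Process      = $p[0].Value      # the process that requested the shutdown
                ShutdownType = $p[4].Value      # "power off" or "restart"
                Reason       = $p[2].Value
                User         = $p[6].Value
                # Reboots driven by Endpoint Manager are requested by vulscan (see article)
                ByVulscan    = [bool]($p[0].Value -match '(?i)vulscan\.exe')
            }
        }
}

function Get-UnexpectedShutdownEvents {
    param(
        [int]$Days = 30,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'System'
        Id        = 6008
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

# Usage: which restarts in the last two weeks did vulscan request?
Get-PlannedShutdownEvents -Days 14 |
    Where-Object { $_.ByVulscan } |
    Format-Table Time, ShutdownType, Process, User -AutoSize

# And anything that was not a clean shutdown (typically a crash or power loss)
Get-UnexpectedShutdownEvents -Days 14 | Format-Table -AutoSize
```

Dropping the Where-Object filter lists every planned restart, so a reboot that was not requested by vulscan stands out with its real initiating process and user.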

How To: Create a Custom Vulnerability Definition in Security and Compliance Manager


Description

 

This article illustrates how to create a custom vulnerability definition in Security and Compliance Manager.  Creating custom definitions is not part of the regular support that Ivanti offers, so this Community article will serve the purpose of assisting customers in creating these definitions.

In Ivanti Security and Compliance Manager the ability to create a "user-defined" vulnerability definition provides an extremely flexible and powerful tool that can be used to implement and maintain computers in your environment.

Custom vulnerability definitions (and their detection rules) can scan managed devices for any operating system, application, single file, or registry condition, or use a custom VBScript to evaluate other conditions; a client that matches is reported as detected, and the associated remediation is then applied.

 

Possible implementations

Implementations of the custom vulnerabilities are almost limitless. It can be used to update any application on managed devices. It can be used to apply any single file executable to a managed device based on detection rules defined by the Ivanti LANDESK administrator.

The following step-by-step example shows how to create a custom vulnerability to update or install a fictitious "in-house" application.

 

Assumptions

The administrator should be able to install the Ivanti Endpoint Manager Core Server and clients.  The core and managed devices should be configured with the latest LDMS version and service pack.

 

Creating a Custom Vulnerability Definition

Vulnerability Definition Help Page

 

We will now create the custom vulnerability to detect a condition.  In this case, we will use "File Detection" logic to look for a minimum allowed version of "SuperSpecialInHouseApplication.dll".

 

  1. From the Management Console on the Core Server or a Remote console open the Security and Compliance tool group.
  2. Open the Patch and Compliance tool and click on the Create Custom Definition icon. (Green circle with + in the middle)
    [screenshot]
  3. The following window will open which shows the General information for your Custom Definition:
    2015-06-05_9-08-55.jpg
  4. Enter an ID, Title, Severity, and Notes.  This will show up in your Custom Definitions list in the following way:
    2015-06-05_9-10-57.jpg

Detection Rules

  1. Under Detection Rules click Add to add detection rules.
    Detection Rule Help
    Detection rules define the conditions that will cause the computer to be deemed "vulnerable", or simply in need of an update, a configuration change, the installation of an application, etc.
    Sometimes multiple detection rules are necessary in order to install patches or make configuration changes based on different conditions.
    A common use of multiple detection rules is when you have separate patches for 32-bit and 64-bit systems.

The following Properties for Rule # window will appear.

 

Give the rule a name, title, and comments as depicted below:
2015-06-05_9-18-58.jpg

 

Vulnerability definitions are processed from the top down, and the detection checks are performed in the following order:

Selecting Affected Platforms

Affected Platforms Help Guide


The scanner first checks whether the client is running an affected platform (in this case, as defined by the user).
This is the operating system running on the client computer.  It is possible to differentiate between 32-bit and 64-bit versions of an operating system, and so on.
The following is an example of the Platform pick-list:
2015-06-05_9-24-50.jpg

 

If the client computer is not running an affected operating system, all other detection criteria are ignored and the computer is not deemed "vulnerable", as it has not met the first detection criterion.
If the client computer is running an affected operating system (platform), scanning continues with "Affected Products".

 

Creating a custom Affected Product

Affected Products Help

 

The "Affected Products" check is to see if the Product exists on the client computer.  This is a top-level criterion, and will typically check for the mere existence of a file or registry key associated with the product.  Sometimes a VBScript is used.
If writing a custom definition for a product that is already in the EPM database, you can simply click "Configure" and select that product.
Otherwise, in our case of writing a custom definition for "Super Special In-House Application" we will create a new Product based on file detection of "SuperSpecialIn-HouseApplication.exe".

    1. Click "Configure" in the Properties for Rule # properties window.
    2. Click Add and fill in the ID, Name, Vendor, and Version information (as applicable).
      2015-06-05_11-31-55.jpg
      Creating a custom product, or selecting an existing product, adds another level of detection and makes the detection steps later in this process more flexible.
      For example, if the scanner does not detect that Super Special In-House Application is installed, it leaves the detection process at this point.
    3. Move down to the "Files" section of the Detection logic and enter SuperSpecialIn-HouseApplication.exe (or the filename you are concerned with).
    4. Enter the Minimum Version and Maximum Version range that the file must fall within.  In this case we will enter 0.0.0.0 for the Minimum version and 99.99.99.99 for the Maximum version, so that any version found will be applicable.
    5. Click OK to save the newly created Custom Product.
    6. Now that the Product has been created, it needs to be included in the Rule.  Select the new Product from the bottom pane of the Select Affected Products window and then click Include to move it to the Affected Products pane.
    7. Click OK.

 

Query Filter

 

Now move down to the Query Filter section.  All detection fields are optional.  Typically the Query Filter pane is used to include or exclude clients from the detection based on EPM queries.
An existing query can be selected or a new query created.  For our example, we will not use a Query Filter.

 

Files Detection Logic

Files used for detection help

Registry settings used for detection help

Custom script detection help

 

    1. Move to the Files pane. 
      Our example will use "File Version" for detection.  However, several other detection methods are available in the Files section:
      2015-06-05_11-56-47.jpg
    2. Since SuperSpecialIn-House.dll is used in our detection process, and our new file is version 1.5, we will check whether anything older than 1.5.0.0 exists.  Note that the top of the window says "Detection will occur if any of these conditions are not met".
      Several different criteria can be added (stacked up) in the File detection section.  If any one condition is not met, the computer will be deemed vulnerable.  Typically, however, only one criterion is added here.
    3. For the path, you can enter a static directory and filename (C:\Program Files (x86)\SuperSpecialIn-HouseApplication.dll) or use variables.  To use variables, right-click the FILEPATH entry and you will be presented with the variables that can be used.
      2015-06-05_11-47-48.jpg
    4. In Min version enter "1.5.0.0".  This indicates that if the scanner sees any version of the .DLL earlier than 1.5.0.0 (the version of the .DLL in the update to be installed), the computer will be deemed vulnerable.
      Note: For our example, we will not use the Registry Settings detection or the Custom Script detection.  However, if any combination of detection criteria across all three detection types is not met, the computer will be deemed vulnerable.
      Additional important note: There is an important difference between "File must exist", "File must NOT exist" and "File may exist".  "Must" means that the file needs to exist; if it does not exist, the computer is deemed vulnerable.  This matters because if you have not defined a product and are simply using detection criteria, the fact that a file does not exist will cause the computer to be detected as vulnerable, even if the affected product is not installed.  "May" means that if the file does not exist, that is fine: detection will not happen and the computer will not be deemed vulnerable.  However, if the file DOES exist, the detection criteria must be met; in our case the file must be at version 1.5.0.0 or higher or detection will occur.

 

Patch Information

Patch Information Help

 

There are three options available regarding Patch Information:

2015-06-05_12-11-44.jpg

  1. "Repairing this issue requires downloading a patch" is used when you want to install a patch, an upgrade file, or an application.
  2. "This issue can be repaired without downloading a patch" is used when you intend to use scripting, additions/changes to the registry, copying files, starting or stopping a service, etc to "repair" the computer.
  3. "This issue cannot be repaired by Security and Compliance Manager" is used when you simply want to use detection only and do not plan to patch, upgrade or otherwise configure the client.

 

For our example, we will use the "This issue requires downloading a patch".

 

  1. Select "This issue requires downloading a patch".
  2. If you have a source to download from, enter the FTP or HTTP address in the "Manufacturer's patch URL:" section.
  3. Select "Auto-downloadable" and set it to "Yes".  If the patch is not downloadable, the patch file will need to be placed in the default patch location.  (Also see this document: How to change the default Patch Location for Security and Patch Manager)
  4. Each file that is installed by Patch Manager must be given a unique filename when it is downloaded.  This filename can differ from the original filename on the download source.  Enter a unique filename, or the existing filename if you are manually copying the file into the default patch location rather than downloading it from an FTP or HTTP source.
  5. Once the file is in place, you will need to generate a hash for the file to ensure that it is secure and cannot be replaced with another file surreptitiously. 
    To do so, click the Calculate Hashes button; the red X's above should turn into a green checkmark, and the "File Size" line will be populated with the file size.
  6. If your application requires a reboot, enter the appropriate choice in the "Requires Reboot" section.
  7. If your application can be installed silently, select the appropriate choice in the "Silent Install" section.
    (Note: These fields are purely informational.  The "Patch Install" section of the rule controls the silent switches, and the Distribution and Patch Settings control the reboot options.)

 

Detecting the Patch

 

Various criteria can be used to detect whether the patch is installed.  Both File Detection and Registry Detection can be used.  This detection criterion is the opposite of the criteria used to detect the vulnerability.  Note that this section says "The patch will be detected if all these conditions are met, along with all registry and script conditions", whereas the Detection Logic section detects when the criteria are NOT met.  This is an important distinction.  Because of it, the exact same criteria can often be used both in the Detection Logic section and in the Detecting the Patch section.
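To make the Files Detection Logic and the inverted Detecting the Patch check above concrete, here is an added Python model of the top-down rule evaluation; it is not part of the Ivanti article and not how vulscan itself is implemented, and the file paths, versions, platform names and all class and function names are constructed for the example.

```python
"""Model of how a custom definition's detection rule is evaluated.

Added example, not part of the Ivanti article: it reproduces the top-down
checks the article describes (platform -> affected product -> file detection
logic) and the inverted "patch detected" logic.  All names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DLL = r"C:\Program Files (x86)\SuperSpecialIn-HouseApplication.dll"
EXE = r"C:\Program Files (x86)\SuperSpecialIn-HouseApplication.exe"

# Constructed sample: files found on a client before the 1.5 update (path -> version).
CLIENT_BEFORE_UPDATE = {EXE: "1.0.0.0", DLL: "1.4.2.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.5' or '1.5.0.0' into a comparable 4-part tuple."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass
class FileCondition:
    path: str
    existence: str = "must"        # "must", "may" or "must_not" exist
    min_version: Optional[str] = None
    max_version: Optional[str] = None

    def is_met(self, files: Dict[str, str]) -> bool:
        present = self.path in files
        if self.existence == "must_not":
            return not present
        if not present:
            # "must": a missing file fails the condition.
            # "may": a missing file is fine and the version checks are skipped.
            return self.existence == "may"
        version = parse_version(files[self.path])
        if self.min_version and version < parse_version(self.min_version):
            return False
        if self.max_version and version > parse_version(self.max_version):
            return False
        return True


@dataclass
class DetectionRule:
    affected_platforms: Set[str]
    # Affected product; None models a rule with no product configured.
    product: Optional[FileCondition]
    # Detection logic: vulnerable if ANY of these conditions is NOT met.
    detection: List[FileCondition]
    # Patch detection: patch installed only if ALL of these conditions are met.
    patch_detection: List[FileCondition]


def evaluate(rule: DetectionRule, platform: str, files: Dict[str, str]) -> str:
    """Walk the checks top down, stopping at the first one that rules the client out."""
    if platform not in rule.affected_platforms:
        return "skipped: platform not affected"
    if rule.product is not None and not rule.product.is_met(files):
        return "skipped: product not installed"
    if all(cond.is_met(files) for cond in rule.detection):
        return "not vulnerable"
    return "vulnerable"


def patch_installed(rule: DetectionRule, files: Dict[str, str]) -> bool:
    return all(cond.is_met(files) for cond in rule.patch_detection)


# The article's rule: product = exe in the range 0.0.0.0 .. 99.99.99.99, and the
# same "dll at least 1.5.0.0" condition in both detection sections.
DLL_AT_LEAST_1_5 = FileCondition(DLL, "may", min_version="1.5.0.0")
RULE = DetectionRule(
    affected_platforms={"Windows 10 x64"},
    product=FileCondition(EXE, "must", "0.0.0.0", "99.99.99.99"),
    detection=[DLL_AT_LEAST_1_5],
    patch_detection=[DLL_AT_LEAST_1_5],
)


def walk_through() -> Dict[str, object]:
    """Run the rule before and after the update, plus the edge cases from the note."""
    before = dict(CLIENT_BEFORE_UPDATE)
    after = {**before, DLL: "1.5.0.0"}
    # No product configured: "must" flags a machine that has no dll at all, "may" does not.
    must = DetectionRule({"Windows 10 x64"}, None, [FileCondition(DLL, "must", "1.5.0.0")], [])
    may = DetectionRule({"Windows 10 x64"}, None, [FileCondition(DLL, "may", "1.5.0.0")], [])
    return {
        "before": evaluate(RULE, "Windows 10 x64", before),
        "patch_before": patch_installed(RULE, before),
        "after": evaluate(RULE, "Windows 10 x64", after),
        "patch_after": patch_installed(RULE, after),
        "wrong_platform": evaluate(RULE, "Windows 7 x86", before),
        "product_missing": evaluate(RULE, "Windows 10 x64", {}),
        "no_product_must": evaluate(must, "Windows 10 x64", {}),
        "no_product_may": evaluate(may, "Windows 10 x64", {}),
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```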

 

Patch Installation and Removal

Patch Install and Uninstall Help

 

Stop Processes

If processes need to be stopped prior to your install, update or configuration change, you can list the process name as it appears in the Windows Task Manager.  Several entries can exist.

This will cause any of these processes to be "killed" (stopped) prior to the patch install actions.

 

Additional files

This will allow you to specify additional files that will be downloaded to the client along with the main file that is listed under the Patch Information section.    Enter the HTTP and/or UNC path, then click the blue arrow to browse to that location and then select the file(s) you wish to include from the "Available files" listing. After adding the files you will be presented with options to hash the files.

Patch Install Commands

Various combinations of actions can be added to the Patch Install commands section:

    2015-06-05_12-42-01.jpg
These actions will be run in the order that they are listed.  You can re-arrange them with the Move Up and Move Down buttons after they are entered.

 

As in other areas of the Rule properties, variables can be used; the list of available variables is typically displayed by right-clicking an appropriate field such as "Path".

2015-06-05_12-44-09.jpg

Patch Uninstall Commands

Patch uninstall commands work the same way as the Patch Install commands.  A combination of actions can be defined to uninstall a patch, undo a configuration change, etc.

 

Tips and Tricks

 

In order to see examples of vulnerability definitions and rules, you can right-click any existing definition (custom or not) and select "Clone".   This will create a duplicate of the definition that will show up in the Custom Vulnerabilities category and can be edited.

This is a great way to learn how to create detection logic and installation commands.


How to upgrade to Windows 10 Anniversary Edition using LANDESK Patch Manager


This article describes how to use LANDESK Patch Manager to upgrade to Windows 10 Anniversary Edition.

 

For information about upgrading to Windows 10 Creators Edition (1703) see How to upgrade to Windows 10 Creators Edition using Ivanti Patch Manager

 

Windows 10 Anniversary Edition is also known as Windows 10 RS1 or Windows 10 1607.

 

Goal

 

Upgrade the clients to Windows 10 version 1607.

 

Steps

 

These steps use the LANDESK Patch and Compliance Manager definition called "W10V1607". A prerequisite for installing this version to a client computer is that the target computer must have 2GB of memory or higher.  If the client computer does not have 2GB of memory or higher it will be detected but it will not attempt to install the update.

 

  1. Download or otherwise acquire the Windows 1607 media for the version of Windows that you are updating (Education, Professional, or Enterprise)

    This can be done by following the instructions in this link.

* MediaCreationTool.exe from http://go.microsoft.com/fwlink/?LinkId=691209 can create only two editions: Windows 10 Professional or Windows 10 Home. There is no option to download and create the Windows 10 Enterprise or Windows 10 Education editions. Also, a Windows 10 ISO file created using MediaCreationTool.exe contains no ..\sources\install.wim file, so the edition of Windows 10 cannot be verified using dism.exe ("dism.exe /get-wiminfo /wimfile:F:\sources\install.wim").


If using a copy from MSDN, this is likely an all-in-one image; only the product key changes the version.

  2. Place this .ISO into the \ManagementSuite\LDLogon\Patch\ directory on your core server.  If you have changed the patch storage location, place it in the equivalent directory.
  3. Open the LANDESK Management Suite Console and go to the Security and Compliance Tool group.
  4. Open the Patch and Compliance Tool.
  5. Ensure that you have downloaded the latest updates in the Vulnerabilities category.

    Vulneraiblities category.png
  6. After downloading the vulnerabilities category, find the "W10V1607" definition.  This is the definition that we will be using to upgrade Windows.

    Win10v1703.png

  7. Next, examine the properties of the definition by double-clicking it.

    You will notice that there is a list of rules in the definition.  You need to select the correct rule that matches the version of Windows you are trying to upgrade.
  8. Note the following in the description tab of the definition:

    W10v1703-properties.png
  9. Double-click the rule that matches the version of Windows you are trying to upgrade.  Be careful to choose the x86 or x64 version as appropriate.

    W10V1703 Rules.png

  10. You will need to make sure that your .ISO file for the Windows upgrade exactly matches the filename in the rule's Patch information section under Unique filename.  To do this, highlight the filename, go all the way to the end just prior to ".ISO", and press Ctrl-C to copy the file name without the extension.
  11. Right-click and rename your .ISO file from step 1, pasting in the name you just copied from the definition rule.  Make sure it still has the .iso extension and that it is not named ".iso.iso" or anything like that.  It must match the Unique Filename in the rule exactly.
  12. Run Download Updates one more time to ensure that the "Downloaded" Yes/No column in the rule is updated to "Yes".  If it does not update, check your storage location and the name of the .ISO to make sure it matches.
  13. Run a scan and repair as usual.

 

Further information about the Patch Manager definition release can be seen here.

How to Upgrade to Windows 10 Release 1511 Using LANDESK Patch Manager


This article describes how to use LANDESK Patch Manager to upgrade from the Windows 10 RTM Release (10240) to the Windows 10 1511 update.

 

For steps to update to Windows 10 Anniversary Edition (Build 1607) see How to upgrade to Windows 10 Anniversary Edition using LANDESK Patch Manager .

For steps to update to Windows 10 Creators Edition (Build 1703) see How to upgrade to Windows 10 Creators Edition using Ivanti Patch Manager

 

Goal

 

Upgrade the clients to Windows 10 version 1511.

 

Steps

 

These steps use the LANDESK Patch and Compliance Manager definition called "W10V1511". A prerequisite for installing this version to a client computer is that the target computer must have 2GB of memory or higher.  If the client computer does not have 2GB of memory or higher it will be detected but it will not attempt to install the update.

 

  1. Download or otherwise acquire the Windows 1511 media for the version of Windows that you are updating (Education, Professional, or Enterprise)
  2. Place this .ISO into the \ManagementSuite\LDLogon\Patch\ directory on your core server.  If you have changed the patch storage location, place it in the equivalent directories.
  3. Open the LANDESK Management Suite Console and go to the Security and Compliance Tool group
  4. Open the Patch and Compliance Tool
  5. Ensure that you have downloaded the latest updates in the Vulnerabilities category.

    Vulneraiblities category.png
  6. After downloading the vulnerabilities category, find the "W10V1511" definition.  This is the definition that we will be using to upgrade Windows.

    W10V1511.png

  7. Next, examine the properties of the definition by double-clicking it.

    You will notice that there is a list of rules in the definition.  You need to select the correct rule that matches the version of Windows you are trying to upgrade.

  8. Note the following in the description tab of the definition:
    DescriptionTab.png
  9. Double-click the rule that matches the version of Windows you are trying to upgrade.  Be careful to choose the x86 or x64 version as appropriate.

    DoubleClick Rule.png

  10. You will need to make sure that your .ISO file for the Windows upgrade matches exactly the filename within the rule in the Patch information section under Unique filename.  In order to do this highlight the filename and make sure to go all the way to the end just prior to ".ISO" and then press Ctrl-C to copy the file name except the extension.
  11. Right-click and rename your .ISO file from step 1 and paste in the name you just copied from the definition rule.  Make sure it still has the .iso extension and that it is not named ".iso.iso" or anything like that.  It must match exactly with the Unique Filename in the rule.
  12. Run Download Updates one more time to ensure that the "Downloaded" Yes/No column in the rule is updated to "Yes".  If it does not update, check your storage location and the name of the .ISO to make sure it matches.
  13. Run a scan and repair as usual.

 

Note: Microsoft released two different media or .ISO files for Windows 10 Version 1511.  There was a November release (hence the 1511 name) and then another release in February that still bears the 1511 name.   Either media or .ISO will work; it just has to be named the same as the Unique Filename in the definition rule.

About the security and compliance scan (vulscan) log files

Error: "Server Busy" When Running a Vulnerability Scan


Issue

 

The error "Server Busy... retrying" or "Server Busy... Failed." appears when running a vulnerability scan.

 

The Vulscan.log (Located in C:\Documents and Settings\All Users\Application Data\Vulscan) may contain lines similar to the following:

Thu, 03 Dec 2009 16:45:57 Action SOAPAction: "http://tempuri.org/ResolveDeviceID" failed, socket error: 0, SOAPCLIENT_ERROR: 5.  Status code: 503, fault string:  616   Retrying in 9 seconds...

Resolutions

 

 

 

There can be various causes for this issue.  It mainly centers on connectivity between the client and the proper web services and web pages on the core server.

 

Core Server Reboot

 

Often rebooting the core server will clear up an issue like this.  This should be attempted before changes are made.

 

Database credentials are incorrect or core cannot contact the database

  1. Ensure that the Core server is pointed to the right database.
  2. Ensure that the proper credentials are configured on the core in Configure Services | General Tab | Database
  3. Ensure general connectivity to the database.   Ensure the database is up and running.  Perhaps rebooting the database and/or core server could be a solution.

The identity of the application pool does not have the Replace a process level token user right.

 

This cause usually results in an HTTP 403.19 error. If you are seeing this error in the IIS logs please review this Microsoft KB Article.

 

http://support.microsoft.com/kb/942048

 

Incorrect alternate Core Server name specified in Scan and Repair settings

 

Verify what Scan and Repair Settings the client is using.

 

Open that Scan and Repair setting and check the server name under "Communicate with alternate core server" on the Network Settings tab.

The web services log file on the core server can be useful for troubleshooting:

 

Run a vulnerability scan and then check the following log on your core server:

 

c:\windows\system32\logfiles\w3svc1\(latest log file)

 

Within this log file there will be lines similar to the following:

 

2009-12-03 23:48:59 W3SVC1 192.168.0.69 POST /WSVulnerabilityCore/VulCore.asmx - 80 - 192.168.0.45 Microsoft-ATL-Native/8.00 200 0 0

If the HTTP result code (the "200" in the example above) is in the 400s or the 500s, this can indicate a server-side error.

An internet search of "HTTP ERROR CODES" can aid in diagnosis.
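The following added Python script (not from the Ivanti article) shows how to pull the failed VulCore.asmx requests out of an IIS W3C log instead of reading it by eye; the log lines are constructed (the first is the one quoted above) and the column names come from the "#Fields:" header that IIS writes into its W3C logs.

```python
"""Find failed vulscan web-service calls in an IIS W3C log.

Added example, not from the Ivanti article: the log lines are constructed
(the first is the one the article shows), and the column mapping comes
from the "#Fields:" header that IIS writes at the top of its W3C logs.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample log: one successful request plus failing ones.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-12-03 23:48:59 W3SVC1 192.168.0.69 POST /WSVulnerabilityCore/VulCore.asmx - 80 - 192.168.0.45 Microsoft-ATL-Native/8.00 200 0 0
2009-12-03 23:49:01 W3SVC1 192.168.0.69 POST /WSVulnerabilityCore/VulCore.asmx - 80 - 192.168.0.46 Microsoft-ATL-Native/8.00 403 19 5
2009-12-03 23:49:02 W3SVC1 192.168.0.69 POST /WSVulnerabilityCore/VulCore.asmx - 80 - 192.168.0.47 Microsoft-ATL-Native/8.00 503 0 0
2009-12-03 23:49:03 W3SVC1 192.168.0.69 GET /index.html - 80 - 192.168.0.50 Mozilla/4.0 500 0 0
"""

# Status hints taken from the troubleshooting sections of this article.
HINTS = {
    "403.19": "application pool identity lacks 'Replace a process level token' (see the Microsoft KB above)",
    "403.6": "IP address or domain name restrictions in IIS",
    "503": "service unavailable; this is the status vulscan.log reports as 'Server Busy'",
}


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Map each data line to its column names using the '#Fields:' header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines rather than misalign columns
                rows.append(dict(zip(fields, values)))
    return rows


def failed_vulscan_requests(text: str) -> List[Dict[str, str]]:
    """Return hits on the vulscan web service whose status is 4xx or 5xx."""
    failures = []
    for row in parse_w3c_log(text):
        if not row["cs-uri-stem"].lower().startswith("/wsvulnerabilitycore/"):
            continue
        status = int(row["sc-status"])
        if status < 400:
            continue
        full = f"{status}.{row['sc-substatus']}"  # e.g. 403.19, matching IIS sub-status codes
        failures.append({
            "time": f"{row['date']} {row['time']}",
            "client": row["c-ip"],
            "uri": row["cs-uri-stem"],
            "status": full,
            "hint": HINTS.get(full, HINTS.get(str(status), "see HTTP error codes")),
        })
    return failures


def status_counts(text: str) -> Dict[str, int]:
    """How many failed vulscan calls per status.substatus, for a quick overview."""
    return dict(Counter(f["status"] for f in failed_vulscan_requests(text)))


if __name__ == "__main__":
    for failure in failed_vulscan_requests(SAMPLE_LOG):
        print(f"{failure['time']} {failure['client']} {failure['status']}: {failure['hint']}")
    print(status_counts(SAMPLE_LOG))
```

Point the script at the latest file under c:\windows\system32\logfiles\w3svc1\ (read it in place of SAMPLE_LOG) after running a vulnerability scan.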

 

It is also important that the Core Server was not renamed after IIS was installed.  Verify that the IUSR_<coreservername> and IWAM_<coreservername> accounts truly match the current name of the core server (compare the account names in IIS Manager or Computer Management with what is returned by running "hostname" in a command prompt window).

 

IIS Configuration and/or Permissions Issue

 

At this stage in the Vulnerability Scan process, the Vulnerability Scanner attempts to contact the core at http://<coreservername>/WSVulnerabilityCore/VulCore.asmx.

 

A basic connectivity test can be done:

 

1. In Internet Explorer go to Tools --> Internet Options --> Advanced and uncheck the box next to "Show friendly HTTP error messages."

 

2. Browse from Internet Explorer on the client to http://<coreservername>/WSVulnerabilityCore/VulCore.asmx.

 

Take note of any error that appears.  If the page returns normally, it should look something like this:

 

VulcoreDotASMX.png

If this fails, directory and virtual directory permissions should be verified within IIS (Internet Services Manager) on the core server.

 

For information on the proper permissions that should be applied to directories, see this article.

 

Additionally, the .NET Framework may need to be re-registered and IIS reset as pictured below (Note: The directory for the .NET Framework version may vary)

iisreset.jpg

 

Modifying the Identity used by the WSVulnerability Application Pool

 

At times there have been Group Policy changes that have restricted the rights to the "Network Service" that the Application Pool normally uses.  Changing this Identity to use "Local System" has at times resolved this issue.

 

1 - In IIS Manager, if you have not already done so, create a new application pool and add the WSVulnerability web service to it. If the pool already exists, skip this step.
2 - Right-click the WSVulnerability application pool and select Properties.
3 - In the Properties window select the Identity tab.
4 - Change the Predefined identity to "Local System".
5 - Open a Command Prompt and run "IISRESET".

 

Additional information regarding the Optimization of IIS can be found here.

 

Description

When running a Security Scan on the clients, vulscan returns the above error and the window closes. This happens on every device. The vulscan.log file reads: "Action SOAPAction: "http://tempuri.org/GetHashForFile" failed, socket error: 0, SOAPCLIENT_ERROR: 7. Status code: 500, fault string:"

 

ASP.NET and CBA_anonymous accounts

On the core server, make sure that the local accounts ASP.NET and cba_anonymous are created and enabled.

 

GPO Policies on Core Server

 

  • Go to Start | Administrative Tools | Local Security Policy.
  • Expand Local Policies.
  • Highlight User Rights Assignment

Make sure that the Adjust memory quotas for a process value provides permissions for these accounts:

 

  • Local Service
  • Network Service
  • IUSR
  • Administrators

 

Note: These are the default accounts. The Application pool runs as Network Service and requires this right.
Note: To test whether this is the cause, set the identity of the Application Pool to Local System. If this works, then permissions are definitely the cause.
Note: It may be necessary to put the Core Server in its own OU with absolutely no GPOs applied to it, not even the default policy.

 

IP Address or Domain Name Restrictions in IIS

 

    1. Using the Internet Service Manager (Microsoft Management Console), open the Internet Information Server (IIS) snap-in and select the Web site reporting the 403.6 error. Right-click the Web site, virtual directory, or file where the error is occurring. Click Properties to display the property sheet for that item.
    2. Select the appropriate Directory Security or File Security property page. Under IP Address and Domain Name Restrictions, click Edit.
    3. In the IP Address and Domain Name Restrictions dialog box, if the Denied Access option is selected, then add the IP address, network ID, or domain of the computer that requires access to the exceptions list.
    4. In the IP Address and Domain Name Restrictions dialog box, if the Granted Access option is selected, then remove the IP address, network ID, or domain of the computer that requires access from the exceptions list.

 

Ensure that the proper Web Service Extensions are enabled

 

On the Core Server in IIS ensure that the following Web Service Extensions are enabled:

WebServiceExtensions.png


Install the latest Service Pack for your version of the Product

 

Client access certificate not approved - LDMS 2016 Enhanced Security Mode

 

 

How to use Application Blocking in Patch and Compliance Manager


Creating a Custom Blocked Application

 

The steps below describe how to configure Application Blocking.

 

Important: This section only applies if you are going to block the same applications on every device in your environment. If you anticipate needing to block applications only on some devices, or to block different applications for different groups, skip to "Blocking Applications Using Custom Groups."

 

  1. Click on Tools | Security and Compliance | Patch and Compliance
  2. Change the type to Blocked Applications
    2015-06-09_8-54-37.png
  3. Under Blocked Applications (All items) right-click the Block folder and select Add File.
  4. Enter the file name that you would like to block, enter a Title, and enter any other desired information in the other sections.
    Important: Blocked applications will block any executable with the name you enter.  Creating a file with the name "setup.exe" with the intent of blocking a specific install will block any install that uses the name "setup.exe"

 

1-blocked app.png

 

Ensure that the Vulnerability Scanner includes the Blocked Applications type
Make sure that the Distribution and Patch Settings have the Blocked Applications definition type selected.

  1. Open the Security and Compliance tool group
  2. Select the Agent Settings tool
  3. Double-click the Distribution and Patch setting that you would like to edit.
  4. Under Patch-Only settings and Scan Options ensure that under Type you have the check mark next to  Blocked Applications checked.
    This will cause the Security and Compliance scanner to include Blocked Applications in the type of content that it will scan for.

2-scan options.png

 

Blocking applications using Custom Groups
There are times when blocking the application for everyone in your environment may not be desired. For example, some Administrators choose to block Windows Media Player from the majority of their production users but choose to allow other employees in the company to have access to the Windows Media Player. The steps below will outline the process of blocking an application or group of applications for a particular client computer or group of computers, but still allow the other devices in the network to run those same applications without having to change the agent configuration.

  1. Click on Tools | Security and Compliance | Patch and Compliance
  2. Change the type to Blocked Applications
    2015-06-09_8-54-37.png
  3. Create the applications you need to be blocked, or use the pre-defined list that comes down in LANDESK Content when downloading definitions in the Windows | Security | Applications to Block group within the Download Updates tool.

 

Create and populate Custom Group(s)

  1. Within the left-hand pane of the Patch and Compliance tool, expand the tree to show Groups | Custom Groups | My Custom Groups or Public Custom Groups
  2. Right-click My Custom Groups or Public Custom Groups and select New Group
  3. Give the new group a descriptive name and press Enter
  4. At this point, you can create sub-folders under this newly created group.  Reasons for this may vary.  One reason may be that you want to set the Distribution and Patch settings for distinct folders of Blocked Applications restrictions.
  5. Locate the applications that you wish to block in the Block folder under Blocked Applications (All Items) at the top of the left-hand pane.
    If the application you are trying to block is not in the Block folder, it will not be blocked. The application may exist in the Do Not Block or Unassigned folder.  If the application does exist in one of those folders, drag it to the Block folder in order for it to be blocked. If the application does not exist in any of the folders, you can right-click the Block folder and select the Add File option.

 

3-in group.png

 

Configure Distribution and Patch Settings to include the Blocked Applications type and focus on your custom group
If necessary, you can create a new Distribution and Patch setting that includes scanning for and enforcing the Blocked Applications type.

  1. Open the Security and Compliance tool group
  2. Select the Agent Settings tool
  3. Under My Agent Settings or Public Agent Settings right-click the Distribution and Patch setting group and select New.
  4. Under Patch-Only settings and Scan Options ensure that under Type you have the check mark next to Blocked Applications checked.
  5. Then you can select either All Blocked Apps or Only Apps in Group and browse to your custom group.
    This will cause the Security and Compliance scanner to include Blocked Applications in the type of content that it will scan for and in the group you have created.

 

4-scan group.png

 

 

Unblocking an Application Using Custom Groups

Once a scan has been run on a client to block an application, that application will continue to be blocked until another scan is run on the client that does not list that application as one that should be blocked. This applies to both a scheduled push and a policy. If the task was scheduled as a push, you will have to reschedule the task after you have removed the definition from the group folder or the Block folder. If the task was scheduled as a policy and you want to stop blocking the application for everyone in that group, simply remove the definition and the next time the policy syncs it will no longer be blocked. Deleting the policy will still leave the applications blocked.

 

Scheduling the Security Scan to Block Applications

  1. Go back to Patch and Compliance and click on the Create task (Calendar with clock) icon and select Security scan from the drop-down menu.
  2. Select the option to Create a scheduled task.
  3. Give the task an appropriate name.
  4. Under the Agent Settings section in the left-hand pane, select the Distribution and Patch setting you just created.
  5. Select any other options you wish to select in these dialogs
  6. Click Save to save the task.  At this point, the Scheduled Tasks tool will open.
  7. Locate the devices that you wish to block the application on and drag them to the task.
  8. Start the task.

 

     Helpful Tip: Create a query for the group of computers you would like to have the application blocked for and schedule it as a policy. As you add computers they will get the blocked apps and when you add apps they will get updated on the next policy sync. Also if your target machine already has blocked applications and you set it to scan against a different set, the new set will remove all of the old settings.
