LANDesk Patch and Compliance. Common Troubleshooting steps for Vulnerability Remediation.




Contents

Introduction
Scope
Assumptions
Logs used in Troubleshooting
Vulscan Switches
The Computer is being detected vulnerable when it shouldn't be
  1) If the vulnerability was just remediated and the computer is still showing detected
  2) The Vulnerability should never have been detected
The Computer is not being detected when it should be
  1) Verify the Vulnerability is in the Scan folder, and that the client is scanning for Vulnerabilities
  2) Run a Security scan on the client
  3) Verify that the client is not showing as vulnerable on the core
  4) Check the most recent Vulscan log. Check to see if the vulnerability is in the log
The Client fails to download the Patch
  1) Verify the Core has downloaded the Patch
  2) Verify the Client is able to download the patch
The Client fails to install the Patch
  1) The most likely reason for an Office patch installation error is failure to access the original installation source
  2) Try running the install manually from the SDMCache folder as Local System
The Client is installing Patches it is not supposed to
The Client is rebooting when it is not supposed to
Useful articles related to troubleshooting Patch Remediation
About LANDesk Software

Introduction

LANDesk Patch and Compliance enables you to remediate (repair) vulnerabilities on clients with the LANDesk Agent installed. There are several situations where this remediation does not complete, detects improperly, or does not act as desired.

Scope

This whitepaper walks through some of the basic troubleshooting steps for finding out why the Patch and Compliance scan is not working as desired. It does not cover troubleshooting install errors or corrupt installs that are caused by the patch the vulnerability definition is attempting to remediate.

Assumptions

The LDMS Core Server is version 9.0, installed on a Windows 2008 R2 64-bit server. The endpoints have the 9.0 client installed and are able to send inventory and vulnerability scans to the Core.

Logs used in Troubleshooting

1. Vulscan.log
  a. Windows 2000, 2003, and XP
    i. C:\Documents and Settings\All Users\Application Data\Vulscan
  b. Windows Vista, 7, 2008 and 2008 R2
    i. C:\ProgramData\Vulscan
2. 0_winxp_enu_########.xml
  a. Client - ..\ldclient\sdmcache
  b. Core - \\<corename>\ldlogon\computervulnerability
3. MergedGetVulnerabilitiesoftype_X.<Core>.xml
  a. Windows 2000, 2003, and XP
    i. C:\Documents and Settings\All Users\Application Data\Vulscan
  b. Windows Vista, 7, 2008 and 2008 R2
    i. C:\ProgramData\Vulscan
4. SDMCache folder
  a. C:\Program Files\LANDesk\LDClient\

Vulscan Switches

AgentBehavior=AgentBehaviorID
/ShowUI
/AllowUserCancelScan
/AutoCloseTimeout=Seconds
/Scan=X, where X is the Type (listed below)
  0 - Vulnerabilities
  1 - Spyware
  2 - Security Threats
  3 - LANDesk Updates
  4 - Custom Definitions
  5 - Blocked Apps
  8 - Antivirus
/Group=GroupID
/AutoFix=True or False

The Computer is being detected vulnerable when it shouldn't be

1) If the vulnerability was just remediated and the computer is still showing detected:
  a. Make sure the client has rebooted.
    i. If the patch requires changing a system or protected file, that change will not take effect until the client reboots.
  b. Run a Security Scan on the client.
    i. You can manually run the scan with the following command.
      1. Vulscan /scan=0 /showui (see Vulscan Switches)
  c. Verify that the client installed the patch and still shows as vulnerable on the core server.
    i. Open a LANDesk Management Suite Console.
    ii. From the Network View expand Devices and click on All Devices.
    iii. Locate the computer in question.

    iv. Right-click on the computer and select Security and Patch Information.
    v. Click on Clean/Repair History.
    vi. Locate the patch and locate the Succeeded column. Verify it says Yes.
    vii. Click on All Detected.
    viii. Look for the vulnerability in question.
    ix. Check the most recent Vulscan logs.
    x. Look for the vulnerability that is still showing as detected.
    xi. The log will show why the client is still showing as vulnerable.
      1. Possible causes of why the client is still showing as vulnerable:
        a. The file or registry setting is not being properly updated by the Microsoft patch.
          i. Try uninstalling and reinstalling the patch. If detection works after this, the original patch failed to install the required files.
        b. The vulnerability detection logic needs to be adjusted. LANDesk Support will need the Vulscan log to submit a request to change the detection logic.
2) The Vulnerability should never have been detected.
  a. Run a Security Scan on the client.
    i. You can manually run the scan with the following command.
      1. Vulscan /showui /scan=0

  b. After the client runs a scan, check the most recent Vulscan log in the Vulscan folder.
  c. Look for the vulnerability that is still showing as detected.
    i. The log will show why the client is still showing as vulnerable.
      1. Possible causes of why the client is still showing as vulnerable:
        a. Try to install the patch manually from the \\<corename>\ldlogon\patch folder.
          i. Most patches will give a message if the patch is not needed and why.
        b. Is the Patch showing as detected because there is a Dependency that needs to be installed?
          i. This will show in the Log File as:
          ii. To resolve this you will need to remediate the Dependency on the client.
        c. The Vulnerability Detection logic needs to be adjusted. LANDesk Support will need the Vulscan log to submit a request to change the detection logic.

The Computer is not being detected when it should be

1) Verify the Vulnerability is in the Scan folder, and that the client is scanning for Vulnerabilities.
  a. Open a LANDesk Management Suite Console.
  b. Go to Tools > Security and Compliance > Patch and Compliance.

  c. Expand All Types, and click on All Items.
  d. Use the Find window to search for the vulnerability.
    i. If it has a question mark next to it, it is in the Unassigned folder.
    ii. If it has a red circle next to it, it is in the Do Not Scan folder.
    iii. If the vulnerability has one of these icons, drag the vulnerability to the Scan folder.
2) Run a Security scan on the client.
  a. You can manually run the scan with the following command.
    i. Vulscan /showui /scan=0
3) Verify that the client is not showing as vulnerable on the core.
  a. Open a LANDesk Management Suite Console.

  b. From the Network View expand Devices and click on All Devices.
  c. Locate the computer in question.
  d. Right-click on the computer and select Security and Patch Information.
  e. Click on Missing Patches.
  f. Verify the vulnerability is not listed.
4) Check the most recent Vulscan log. Check to see if the vulnerability is in the log.
  e. If the vulnerability is not in the log, check to make sure that the XML on the core has the vulnerability.
    i. The XML is located at \\<coreserver>\ldlogon\vulnerabilitydata\ and follows this pattern: <Type>.<OS>.<Language>.<numbers>.xml
      1. Type = Scan type.
      2. OS = Operating System.
      3. Language = Language type.

    ii. Look for the XML with the latest date and make sure that it has an XMLZ file with the same file name.
  f. If the XMLZ file doesn't exist, is a .0 file, or is a .temp file, troubleshoot ASP.NET problems on the IIS server.
    i. Restarting the IIS service or the server usually fixes this.
      1. From the Run window type iisreset.
    ii. Register ASP.NET 3.5.
      a. Because .NET 3.5 is an extension of .NET 2.0, the aspnet_regiis command is run from the 2.0 file directory.
      b. From the Run window browse to C:\windows\microsoft.net\framework\v2.0.5####\
      c. Run aspnet_regiis.exe with the -i switch. This will register all the .NET 2.0 files as well as the 3.5 files.
    iii. Delete all the files from the \\<coreserver>\ldlogon\vulnerabilitydata folder on the core server. They will be recreated when a client runs a security scan.
    iv. Reset the IIS service again (IISRESET) to reset the worker processes.
  g. Rerun a security scan on the client.
  h. If the Vulscan log is still showing the vulnerability as undetected, check the detection logic on the vulnerability and make sure that the client is missing the required files:
    i. Open a LANDesk Management Suite Console.
    ii. Go to Tools > Security and Compliance > Patch and Compliance.
    iii. Expand All Types, and click on All Items.
    iv. Use the Find window to search for the Vulnerability.

    v. Right-click on the Vulnerability and click Properties.

    vi. Right-click on the detection rule that includes the patch in question and select Properties.
    vii. Check the Files and Registry Settings sections for the detection logic that is being used.

  i. Verify that the client meets the vulnerability detection logic.
  j. If you are still sure that the client should be detected, contact LANDesk Support. Please provide the Vulscan log from the computer that is not detecting correctly.

The Client fails to download the Patch

1) Verify the Core has downloaded the Patch.
  a. Open a LANDesk Management Suite Console.
  a. Click on Tools > Security and Compliance > Patch and Compliance.
  b. Click on All Items.

  c. Locate the Vulnerability in question.
  d. Right-click on the Vulnerability and click Properties.
  e. If the patch has been downloaded it will have a Yes in the Downloaded column.
    i. If it has not been downloaded, right-click the patch and select Download Patch...
2) Verify the Client is able to download the patch.
  f. Check the latest Vulscan.log file. It will show the path that the client tried to download the patch from.
    [Figure: Log file showing a successful download]
    [Figure: Log file showing a failed download of the Patch]
  g. Attempt to browse to that path from the client computer. If you are unable to access the path:
    i. Check the IIS Authentication methods to ensure that Enable Anonymous Access is selected:

      1. Launch the Internet Information Services (IIS) Manager from Administrative Tools.
      2. Browse to the Default Web Site.
      3. Under IIS, double-click on Authentication.

      4. Verify that Anonymous Authentication is enabled.
      5. Check the permissions on the folder where the patch is located. The most important permission is the Internet Guest account. It needs to have Full control in order for Vulscan to have the required permissions when a patch is downloaded to the client.
        Required Permissions
          Everyone - Read & Execute
          IUSR - Read & Execute
          System - Full Control
          Network Service - Full Control
          LANDesk Management Suite - Full Control
          LANDesk Administrators - Full Control
          LANDesk Script Writers - Read & Execute
          Administrator - Full Control

The Client fails to install the Patch

1) The most likely reason for an Office patch installation error is failure to access the original installation source.
  a. Check the registry to see what the source installation location is. If the source is a network share, Patch Manager may not be able to access the location. Patch Manager uses Local System when installing patches. Unless the network location has been given the correct rights (Domain Computers), Local System will not be able to access the location.
    i. Source Registry Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<GUID of Office version>\installsource
      1. The Office installation GUID will always end in 0FF1CE

  b. Adjust the Scan and Repair Setting to add a custom source for the scan. This will allow you to specify the location of the Office installation files. A separate Scan and Repair Setting for each version of Office will be needed.
    i. Open a LANDesk Management Suite Console.
    ii. Click on Tools > Security and Compliance > Patch and Compliance.
    iii. Expand Settings.
    iv. Expand All Settings.
    v. Click on Scan and Repair.
    vi. Right-click on the Scan and Repair Setting that needs adjusting and choose Edit.

    vii. Click on MSI information.
    viii. Enter the source location of the Office installation software.
    ix. Enter credentials that will give Patch Manager access to the source.
  c. Try the remediation task again using the Scan and Repair Setting that was just adjusted.
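The registry check from step 1) a, as an added PowerShell example (not part of the original whitepaper and not LANDesk code). It lists every Uninstall entry whose product code ends in 0FF1CE and classifies the recorded install source; the WOW6432Node path and the property names on the output objects are assumptions of this example.

```powershell
#requires -Version 3.0
# Added example (not LANDesk code): list Office MSI products and classify
# the install source each one recorded at setup time.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Assumption: 32-bit Office on 64-bit Windows registers under WOW6432Node.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-SourceKind {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'Missing' }
    if ($Path.StartsWith('\\'))              { return 'UNC' }
    if ($Path -match '^[A-Za-z]:') {
        # Mapped drives belong to a user's logon session; Local System
        # does not inherit them.
        $drive = New-Object System.IO.DriveInfo ($Path.Substring(0, 1))
        if ($drive.DriveType -eq [System.IO.DriveType]::Network) { return 'MappedDrive' }
        return 'Local'
    }
    return 'Unknown'
}

function Get-OfficeInstallSource {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root |
            # Office product codes end in 0FF1CE (the key name may close with "}").
            Where-Object { $_.PSChildName -match '0FF1CE\}?$' } |
            ForEach-Object {
                $props  = Get-ItemProperty -LiteralPath $_.PSPath
                $source = $props.InstallSource
                $kind   = Get-SourceKind $source
                [pscustomobject]@{
                    ProductCode   = $_.PSChildName
                    DisplayName   = $props.DisplayName
                    InstallSource = $source
                    SourceKind    = $kind
                    # Reachability is tested as the account running this script.
                    Reachable     = ($kind -ne 'Missing') -and (Test-Path -LiteralPath $source)
                    # Anything that is not a local path needs a custom source
                    # or share rights for Local System.
                    NeedsReview   = $kind -ne 'Local'
                }
            }
    }
}

Get-OfficeInstallSource | Format-List
```

The Reachable column reflects the account that runs the script. To see what Patch Manager sees, run it from a Local System prompt, which step 2) b describes how to open.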

2) Try running the install manually from the SDMCache folder as Local System.
  a. This will show if there are problems installing the patch. Messages that the patch is not needed, that a file is corrupt or missing, or other messages that explain why the patch cannot be installed will be displayed. In general, patches are installed using the Local System account.
  b. You can launch a CMD window as Local System with the following commands:
    i. Command to launch a CMD window: <LANDesk Client directory>\localsch.exe /cmd=cmd.exe
    ii. Second method:
      1. Open a LANDesk Management Suite Console.
      2. Locate the computer in question in the Network View.
      3. Right-click on the computer and select Remote Control.
      4. Choose Remote Execute.
      5. In the Run box type CMD and press Enter.

The Client is installing Patches it is not supposed to

1. LANDesk will install patches using 3 different methods: Autofix, Repair, or a Custom Group that is set to repair immediately. None of these methods will install a patch on a client that doesn't show as detected for the vulnerability associated with the patch.
  a. Troubleshoot why the computer shows as detected.
2. If the patch was not supposed to install and did, check the Vulscan log created during the patch installation. Use the information you find to determine why it was repaired.
  a. At the top of the log look for the command that Vulscan was launched with. Look for the switches:
    i. Repair - Shows that a repair job was created.
    ii. Group - Shows that a specific group was scanned.
    iii. Look for the Agent Behavior line.
  b. Check the Scan and Repair settings used in the scan.

    i. Open a LANDesk Management Suite Console.
    ii. Click on Tools > Security and Compliance > Patch and Compliance.
    iii. Expand Settings.
    iv. Expand All Settings.
    v. Click on Scan and Repair.
    vi. Locate the Scan and Repair setting as noted from the log and double-click it.
    vii. Click on the Scan Options.
    viii. Check for Enable Autofix. AutoFix must be enabled both on the Scan and Repair setting and on the vulnerability definition for it to remediate on the client.

      1. Check to see if the vulnerability is marked as Autofix.
        a. Locate the Vulnerability in the Scan folder.
        b. Scroll over until you see the Autofix column.
          i. Right-clicking on the Vulnerability will give you an option to disable Autofix if it has been enabled.

    ix. Check for the Group option with Immediately repair all detected items checked as well.
      1. Check the Custom Group for the vulnerability in question.
        a. Adjust the Scan and Repair setting to match the desired result.

The Client is rebooting when it is not supposed to

1. If the Scan and Repair Setting has Reboot set to Always, the computer will reboot after installing any patch.
2. Vulscan will check for 2 registry settings when looking to see if the Client needs to reboot.
  a. PendingFileRename Value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager. This key is added when a Patch is installed that updates Protected Files or Registry Settings. This allows the changes to be made on the next reboot.
  b. VulscanReboot Value in HKLM\Software\LANDesk\ManagementSuite\Winclient. This key is created when a Component of the LANDesk Agent requires a reboot. For example, the install of the LANDesk Antivirus.
3. A Security scan will check for both of these registry settings during its scan. The reboot tab in the Scan and Repair setting will determine how and if the Security scan will reboot the computer if it detects a reboot is necessary.
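To see which of the two indicators from item 2 is present on a client, the following added PowerShell example (not part of the original whitepaper and not LANDesk code) reads both and lists the queued file operations. It reads the Session Manager value under its full Windows name, PendingFileRenameOperations; the WOW6432Node path and the output property names are assumptions of this example.

```powershell
#requires -Version 3.0
# Added example (not LANDesk code): show the two reboot indicators.

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$winClientKeys  = @(
    'HKLM:\SOFTWARE\LANDesk\ManagementSuite\WinClient',
    # Assumption: a 32-bit agent on 64-bit Windows is redirected here.
    'HKLM:\SOFTWARE\WOW6432Node\LANDesk\ManagementSuite\WinClient'
)

function Get-RegistryValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }   # emits nothing when the value is absent
}

function Get-PendingFileRename {
    # REG_MULTI_SZ of source/destination pairs; an empty destination means
    # the source file is deleted at the next boot.
    $raw = @(Get-RegistryValue $sessionManager 'PendingFileRenameOperations')
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $dest = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
        [pscustomobject]@{
            # Strip the NT object-manager prefix (\??\ or !\??\) for readability.
            Source      = $raw[$i] -replace '^\\\?\?\\', ''
            Destination = $dest    -replace '^!?\\\?\?\\', ''
            Action      = if ($dest) { 'Replace' } else { 'Delete' }
        }
    }
}

function Get-RebootIndicator {
    $renames = @(Get-PendingFileRename)
    $vulscan = @(foreach ($key in $winClientKeys) {
        $value = Get-RegistryValue $key 'VulscanReboot'
        if ($null -ne $value) { [pscustomobject]@{ Key = $key; Value = $value } }
    })
    [pscustomobject]@{
        PendingFileRenames = $renames
        VulscanReboot      = $vulscan
        RebootIndicated    = ($renames.Count -gt 0) -or ($vulscan.Count -gt 0)
    }
}

$state = Get-RebootIndicator
"Reboot indicated: $($state.RebootIndicated)"
$state.PendingFileRenames | Format-Table -AutoSize
$state.VulscanReboot      | Format-Table -AutoSize
```

Whether the client actually reboots still depends on the reboot tab of the Scan and Repair setting; this only shows what a security scan would find.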
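For steps 4) e and f under "The Computer is not being detected when it should be", the following added PowerShell example (not part of the original whitepaper and not LANDesk code) checks, for each definition set, that the newest XML has an XMLZ with the same file name and that no .0 or .temp files sit beside it. Treating ".0" and ".temp" as file extensions is this example's reading of step f; the function name, the output property names, and the sample folder are constructed for the example.

```powershell
#requires -Version 3.0
# Added example (not LANDesk code): check each definition set's newest XML
# for its XMLZ companion and for leftover .0 / .temp files.

function Test-VulnerabilityData {
    param([Parameter(Mandatory)][string]$Folder)

    # <Type>.<OS>.<Language>.<numbers>.xml; "_" is accepted as a separator
    # too, because the page also shows 0_winxp_enu_########.xml.
    $pattern = '^\d+[._][^._]+[._][^._]+[._]\d+\.xml$'
    $files   = @(Get-ChildItem -LiteralPath $Folder -File)

    $files |
        Where-Object { $_.Name -match $pattern } |
        # One group per Type/OS/Language combination.
        Group-Object { ($_.Name -split '[._]')[0..2] -join '.' } |
        ForEach-Object {
            $set    = $_.Name
            $latest = $_.Group | Sort-Object LastWriteTime -Descending | Select-Object -First 1
            $base   = $latest.BaseName
            $xmlz   = @($files | Where-Object { $_.Name -eq "$base.xmlz" })
            $debris = @($files | Where-Object {
                $_.Name.StartsWith("$base.", [StringComparison]::OrdinalIgnoreCase) -and
                $_.Extension -in '.0', '.temp'
            })
            [pscustomobject]@{
                Set         = $set
                LatestXml   = $latest.Name
                Written     = $latest.LastWriteTime
                XmlzPresent = $xmlz.Count -gt 0
                Leftovers   = $debris.Name -join ', '
                Healthy     = ($xmlz.Count -gt 0) -and ($debris.Count -eq 0)
            }
        }
}

# Constructed sample folder so the check can be tried offline.
$demo = Join-Path $env:TEMP 'vulndata-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'0.winxp.enu.1001.xml', '0.winxp.enu.1001.xmlz',
'0.win7.enu.2002.xml',  '0.win7.enu.2002.xmlz.temp' |
    ForEach-Object { Set-Content -LiteralPath (Join-Path $demo $_) -Value 'constructed' }

Test-VulnerabilityData -Folder $demo | Format-Table -AutoSize
```

On the core, pass \\<coreserver>\ldlogon\vulnerabilitydata as -Folder; any set reported as not healthy is a candidate for the ASP.NET and IIS steps in 4) f.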

Useful articles related to troubleshooting Patch Remediation

Error: "Failed. Cannot Interpret Data" when running a Vulnerability Scan.
How to change the Default Scan and Repair settings on a client.
Security and Patch Repair: "Cannot complete the requested action. The device must be rebooted first."
How to change the default Patch Location for Security and Patch Manager?
Error: 8004005 when patching Microsoft Office installs.
How do I Scan and Repair against a custom group?
How to read a vulnerability scan (vulscan.log) log file

About LANDesk Software

The foundation for LANDesk's leading IT management solutions was laid more than 20 years ago. And LANDesk has been growing and innovating the systems, security, service and process management spaces ever since. Our singular focus and our commitment to understanding customers' real business needs and to delivering easy-to-use solutions for those needs are just a few of the reasons we continue to grow and expand.

LANDesk pioneered the desktop management category back in 1993. That same year, IDC named LANDesk the category leader. And LANDesk has continued to lead the systems configuration space: pioneering virtual IT technology in 1999, revolutionizing large-packet distribution with LANDesk Targeted Multicast technology and LANDesk Peer Download technology in 2001, and delivering secure systems management over the Internet and hardware-independent network access control capabilities with LANDesk Management Gateway and LANDesk Trusted Access Technology in 2005. In 2006, LANDesk added process management technologies to its product line and began integrating the systems, security and process management markets. LANDesk also extended into the consolidated service desk market with LANDesk Service Desk, and was acquired by Avocent to operate as an independent division.

Today, LANDesk continues to lead the convergence of the systems, security, process and service management markets. And our executives, engineers and other professionals work tirelessly to deliver leading solutions to markets around the globe.