Beyond Patch: Shavlik Protect IT Scripts

As we continue in our “Beyond Patch” video blog series, let’s examine Shavlik Protect’s ITScripts capabilities.

Protect’s ITScripts allow you to run PowerShell scripts on targeted machines at a scheduled time.

Why is this important?

  • You can automate the performance of mundane maintenance tasks like Check Disk or defrags. Tasks that often get left undone due to time constraints can now be done automatically at a time of your choosing.
  • You can acquire information about the machines in your environment. For example, you can run scripts to report on disk space or when the machine was last rebooted.
  • Shavlik Protect provides a library of scripts you can use OOTB or…
  • You can create your own PowerShell scripts and use Protect to schedule and to deploy them. This means that nearly any operation can be automated.
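As an added illustration (not a script from Shavlik's ITScripts library), here is the kind of PowerShell report the post describes: free space on fixed disks and time since the last reboot, for whichever machines the job is scheduled against. The thresholds and parameter names are assumptions chosen for this example.

```powershell
<#
  Added example, not part of the original post or the Protect script library.
  Reports fixed-disk free space and time since last reboot for one or more machines,
  flagging anything below the chosen thresholds. Remote targets need WinRM (CIM over WS-Man).
#>
[CmdletBinding()]
param(
    # Machines to report on; defaults to the local machine.
    [string[]]$ComputerName = $env:COMPUTERNAME,
    # Flag volumes with less free space than this percentage (assumed threshold).
    [int]$LowSpacePercent = 10,
    # Flag machines that have not rebooted within this many days (assumed threshold).
    [int]$MaxUptimeDays = 30
)

function Get-MachineHealth {
    param([string]$Computer)

    try {
        $session = New-CimSession -ComputerName $Computer -ErrorAction Stop
    }
    catch {
        # Unreachable or WinRM not enabled: record the failure instead of aborting the whole run.
        return [pscustomobject]@{
            Computer = $Computer; Status = 'Unreachable'
            LastBoot = $null; UptimeDays = $null; Detail = $_.Exception.Message
        }
    }

    try {
        $os    = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        # DriveType 3 = local fixed disk; skips removable media and network drives.
        $disks = Get-CimInstance -CimSession $session -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'

        $uptime   = (Get-Date) - $os.LastBootUpTime
        $findings = @()
        if ($uptime.TotalDays -gt $MaxUptimeDays) {
            $findings += "No reboot for $([int]$uptime.TotalDays) days"
        }

        foreach ($d in $disks) {
            if (-not $d.Size) { continue }   # skip unformatted volumes
            $freePct = [math]::Round(($d.FreeSpace / $d.Size) * 100, 1)
            if ($freePct -lt $LowSpacePercent) {
                $freeGB = [math]::Round($d.FreeSpace / 1GB, 1)
                $findings += "$($d.DeviceID) only $freePct% free ($freeGB GB)"
            }
        }

        $status = if ($findings.Count -gt 0) { 'Attention' } else { 'OK' }
        [pscustomobject]@{
            Computer   = $Computer
            Status     = $status
            LastBoot   = $os.LastBootUpTime
            UptimeDays = [math]::Round($uptime.TotalDays, 1)
            Detail     = ($findings -join '; ')
        }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

$report = foreach ($c in $ComputerName) { Get-MachineHealth -Computer $c }
$report | Sort-Object Status | Format-Table -AutoSize
```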

Check out this video where Shavlik Product Evangelist John Rush walks you through the ITScripts capabilities within Shavlik Protect. For more information, please contact us at sales@shavlik.com.

Welcome to the World of Shavlik Product Documentation

Joe Andert

Hi everyone, and welcome to my corner of the world at Shavlik. For those who don’t know me, I am a technical communicator at Shavlik and I’ve been providing documentation for Shavlik products for more years than I care to admit. I’ve been with the company for all these years because the people and the products are simply the best!

When I was offered the opportunity to write a series of blog articles, I jumped at the chance. I am not in marketing so I won’t be writing flowery prose about our products. Rather, I would like to use this forum to provide some real meat and potatoes material, information you can use right now to improve the way you use our wonderful products. Sort of like those “The More You Know” public service announcements you see on TV.

April Patch Tuesday Round-Up

We are one week past April Patch Tuesday.  Taking a look back, XP’s End-of-Life may have been overshadowed a bit with Heartbleed and Update 1 for Windows 8.1 and Server 2012 R2.  Let’s start off by recapping Patch Day.

For those of you who caught our Patch Day webinar (playback found here), you may recall the recommendations we gave.  High priority on MS14-017 (plugs publicly disclosed Word vulnerability) and MS14-018 (IE Cumulative which also happens to be Update 1 for 8.1 and 2012 R2 systems).  These two updates are Critical and plug a number of vulnerabilities.  While still important, the other two Microsoft updates are a bit overshadowed by the 3rd Party updates for Adobe Flash and Google Chrome that released on Patch Day as well.  These two updates are also a high priority this month resolving 35 total vulnerabilities between the two of them.  That is triple the vulnerabilities resolved by the 4 Microsoft updates this month.

Let’s take a closer look at MS14-018.  When assessing machines you will see one missing patch on most systems, but for 8.1 and 2012 R2 you will see the missing IE patch and 5 additional updates that make up Update 1 with the biggest and most important being KB2919355.  Without this last one you will not be getting the next round of OS updates on 8.1 or 2012 R2.  Our sources have confirmed what Microsoft stated in their blog on April 10th, that newer patches will apply to 8.1 and 2012 R2 only if they have Update 1 applied.  By the way, you will not see or be able to install 2919355 unless you have applied an important non-security update 2919442 (MSWU-905) as well.  In our Content release on 4/15 we changed the designation of MSWU-905 from Non-Security to Security to ensure the majority of Protect users will see this patch and deploy it so 2919355 will be applicable to the system.
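The prerequisite chain above is easy to verify before a deployment. The following check is an added example, not part of the original post, and uses only the two KB numbers the post names (the other Update 1 components are not enumerated here).

```powershell
<#
  Added example, not part of the original post: reports where a Windows 8.1 / Server 2012 R2
  machine stands in the Update 1 prerequisite chain described above.
  Remote targets need WinRM (CIM) and RPC access for Get-HotFix.
#>
[CmdletBinding()]
param([string[]]$ComputerName = $env:COMPUTERNAME)

# Order matters: KB2919442 (MSWU-905) must be installed before KB2919355 is even offered.
$Update1Chain = @(
    @{ Id = 'KB2919442'; Role = 'Prerequisite (MSWU-905)' },
    @{ Id = 'KB2919355'; Role = 'Update 1 core package' }
)

function Test-Update1Readiness {
    param([string]$Computer)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer
    # Windows 8.1 and Server 2012 R2 both report NT version 6.3; other releases do not take Update 1.
    if (-not $os.Version.StartsWith('6.3')) {
        return [pscustomobject]@{
            Computer = $Computer; OS = $os.Caption
            State    = 'Not applicable'; NextStep = ''
        }
    }

    $installed = Get-HotFix -ComputerName $Computer | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Update1Chain) {
        if ($installed -notcontains $kb.Id) {
            # Stop at the first gap: later items in the chain will not be offered until it is filled.
            return [pscustomobject]@{
                Computer = $Computer; OS = $os.Caption
                State    = "Missing $($kb.Id)"
                NextStep = "Deploy $($kb.Id) [$($kb.Role)] before the rest of Update 1 becomes applicable"
            }
        }
    }

    [pscustomobject]@{
        Computer = $Computer; OS = $os.Caption
        State    = 'Update 1 applied'
        NextStep = 'Eligible for post-Update 1 OS patches'
    }
}

foreach ($c in $ComputerName) { Test-Update1Readiness -Computer $c }
```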

Now, you may have seen a lot of press around Update 1 causing issues on systems.  The biggest was impacting WSUS 3.2 if running in specific configurations.  This will NOT affect Shavlik Protect customers as we have no reliance on WSUS 3.2.  Other issues identified seemed to be around properly licensed systems and got more obscure from there.  Microsoft will be releasing fixes for these issues possibly later today.  A fix for the WSUS 3.2 issues (2959977) appeared yesterday, but a patch did not release.  It will likely release soon.   Our recommendation for customers: get Update 1 applied before May Patch Tuesday, but make sure to test the rollout in your environment first.

Last Thursday’s Content Release was Non-Security related.  There were many updates released, but nothing of a Security nature.  Yesterday, however, Oracle released a Critical Update for Java 7 update 55.  This update plugs 37 vulnerabilities, 4 of which were given CVSS scores of 10.0, the highest possible.  This should be added to your priority list for this month.

Overshadowing everything this month is the OpenSSL vulnerability Heartbleed, which has quickly become a household name.  MPR, radio commercials, notifications to home users regarding services they use, pretty much everyone has now heard of Heartbleed.  Many vendors are still investigating their product portfolios to see how far-reaching the impact of this vulnerability is for them.  As I posted last week on the Shavlik Blog, Protect customers, our products and services are covered, so you have nothing to worry about.  Evaluate all products running in your environments.  Check with your vendors as they are posting details around products and versions affected.  VMware, Oracle, and many others are still investigating some product lines, but most are identified as being vulnerable or not.  For VMware, the only version of the Hypervisor affected is ESXi 5.5.  Protect customers can upgrade to Protect 9.1 later next week when we make it available via an Early Access release, which will support updates on ESXi 5.5.  ESXi versions 5.1 and earlier, supported by Protect 9.0, are not affected.

Protecting my Mom – New Generation of Attacks Threaten us All

Most days I sit comfortably at my desk behind multiple layers of defenses keeping myself and my machine from harm. I sip my coffee and don’t even think about defending myself from threats; instead most of my energy is focused on how we push forward in our industry against those armies of darkness that seek to compromise our privacy and security and exploit information for their own cause. This week was different. In three different cases, I found myself at the center of the attack. It was humbling, and at the same time it reminded me of how much work we have to get done.

What scares me the most is the unsuspecting prey that countless hackers stalk.  I’m knowledgeable about what hackers try to exploit and how. But I worry about my friends and family members who don’t have that same savvy. I think about my Mom, using the internet for her banking and the occasional check of Facebook… little does she know she’s in the epicenter of the attacks.

So this Blog is the first of a series of three chronicling my last week. I want to share with you three attacks that happened to me in the hopes that it gives you a flavor for where attacks are coming from nowadays. No longer is it the rogue link to install software or the email bomb that just annoys you.  It’s a whole new world where callers, innocent internet checks, and group emails all lead towards exposure.

MONDAY:  Attack 1 – “Windows Service Center”

Last Thursday, I ended up getting home a bit early from a week of travel.  It was about 4:00 p.m. and the house phone rang. It was just me and my kids at home. My kids range in age from seven to eleven and in most cases, it would have been them to answer the phone, but I happened to be there. I grabbed the phone, looked at the number and saw it was originating from New York. With family on the East coast, I didn’t think twice about grabbing the phone. After five seconds with no one speaking, I should have just hung up, but I stuck this one out. Then it happened… the attempted hack started.

The caller identified himself and began, “Hello this is XXXXXX from the Windows Service Center.”  Intrigued, I decided to let him continue. “We have detected you have a computer virus on your machine and we’re here to help fix it.” At this point, my hack-o-meter was instantly pegged and I knew this was a scam, but for fun, I decided to let this play out. I asked, “how do you know I have a virus?”  He responded, “because we have systems that detect these sort of things.”  I asked, “how do you know it is my machine?” He retorted, “because we in America spy on our citizens.”  I had to laugh at this one, to use that approach was fascinating, and more curiously, based on background noise, I firmly believe this call was not originating in the United States. Again, I pushed a little bit harder, “I have two machines in my house, which one is it?”  He then responded, “I’m sure it is all of them, so we’ll fix them both.”

If memory serves me right, I was cutting the tops off some strawberries at this point in the kitchen and he asked me to go over to my computer. I told him I was in front of my computer at this point even though I was still cutting up strawberries. He started off by asking me to go to my control panel in Windows and told me that my Windows Firewall wasn’t active. WOW! I thought to myself, this is an impressive scam!  Sure enough he successfully told me what to click (if I actually was in front of the computer) to navigate to my Windows Firewall and then told me the instruction to disable it because “bad software had taken it over.” Pretending I did, we continued. I asked him, “Are we done now?”  To which he responded that he’d need access to my machine to make sure. I told him that I didn’t know how to do that and he asked me to go to some website by an IP address. Of course, at this point he began to see through my ruse. I told him I couldn’t get there but asked him what was there and he told me it was something “like a WebEx or online meeting” where he could control my machine.

He pushed really hard to get me there, but after a few more questions from me he started to get VERY mad. Not to mention I had moved onto rinsing some peppers and the water running was likely giving me away too. He told me, “You could be arrested if you don’t eradicate this virus” and even played off the emotional heart-strings, “you are exposing your family to harm.”  Then he crossed a line that I’ve never seen before, “I’m not asking you to go here, I’m telling you that you must” as his voice took on a threatening tone.

At this point, I told him that I needed to speak with a supervisor to validate this was the right thing to do. A man got on the line, didn’t identify himself and when I asked where they were and what company they worked for, you could tell I now was the one trying to go after them.  After I told them how shallow it was to attack innocent people like this, he blurted out a few expletives and mumbled some other inappropriate comments before hanging up.

If I had played his game, I have no doubt that the website I would have gone to likely would have been a way for them to remote control into my computer and more than likely it would have been used to download some Malware onto my machine. Things like key-loggers to capture my every password, my access, and even troll around my machine for some good documents that I might have. No doubt, my machine would have gone from a well-protected one to one that was riddled with Malware with a firewall turned off. All scary realizations for me.

…But could this have turned out differently?

What’s more scary though is I still play this story out with the “what-if” scenarios. What if my son had answered the phone? What if my wife had answered the call? Would they have played along or have gotten off the phone before damage was done? If they had played along, would the call have ended so innocently that they’d not have shared what happened with me? Could they have used my home machines (which don’t have valuable data) as a conduit to my work one, which definitely is more sensitive? The caller had the skills to make themselves sound believable, and the pressure-cooker capabilities of a time-share salesperson. They were well skilled to have seen this be a success.

On the heels of this event, I did everything I could to trace this attack back. It turns out the NY phone number was masked and it was originating from an exchange in India. The IP address website I was asked to access was from China. The call-back information was obviously invalid and I didn’t take the charade far enough to get more data to track them down. Hindsight being 20/20, I wish I had spun up one of my Malware Virtual Machines to access their website and see what else they did or at least trace the traffic from that event back to a more authoritative location so I could snoop back at them. More than likely they were using the computer of their previous victim, so that likely would have led nowhere, but nonetheless, I came up short on sleuthing this one.

Beyond the attack on me, I went online and began to search for the keywords from this conversation, “Windows Service Center” and a few others. It turns out there were more than a few dozen of these attacks reported, each recounted a story like mine, and in many cases, the victims acknowledged they were successfully exploited as part of this attack.

The Moral of Part One

What’s the moral of this story?  There is no safe phone call and there is no innocent phone call. Unfortunately, it won’t take you long to go online and search and find other scams like this. Just this week we heard of the IRS phone scam defrauding millions from people by impersonating the IRS. Some tips for all of us (and my mom) on this one:

  1. If someone calls, unfortunately, don’t trust them and make sure you validate their identity.
  2. Watch for key signs that the call is illegitimate. Ask yourself, does the caller ID number make sense? If it is “Unknown” really question it. If it is from outside of your home country, question it as well.
  3. If they are legitimate, they should be fine with you calling them back. Ask for their number and extension and ring them to validate you have a good number for them. At the same time however, if they give you an out-of-country number, DON’T CALL IT. This is a different type of scam…
  4. Never put yourself at risk doing something you know is wrong. Your firewall is there for a reason. We write patch-management software for a reason, never let someone ask you to take it down.
  5. If someone asks you to do something suspicious like go to an unverified website… don’t do it.
  6. Never… EVER… let them pressure you with commands or threats to do something you don’t want to.
  7. Call the authorities and email us. This activity is illegal and is a cybercrime. By you reporting it, people like me find out about it and then we go after these criminals.
  8. When in doubt, call/email me before you do anything… and I’m not just talking about emails from my mom… I’ll take emails from anyone on subjects like this.

I wish there was a switch on the wall that I could flip for us all to turn off the darkness.  Unfortunately, there isn’t. In the interim though, we’re here to make it safe for us all as best as we can. Be safe everyone.

Coming Soon! Shavlik Protect 9.1

Hey All,

Shavlik Protect 9.1 is getting closer to release.  I wanted to share some details about the release with you and also let you know that in March you will get an opportunity to take 9.1 for a test drive.  We are rapidly nearing the Protect 9.1 beta, so if what you see below is of interest, shoot an email to us at beta@shavlik.com to sign up for the beta today.

The Protect Console has been localized into ten languages.  Check out the screenshot of the Protect UI in German:

Protect now supports IPv6 and has enhanced resolution features to allow the assessment to discover a machine by FQDN, Hostname, IPv4, or IPv6 more effectively.

We have cleaned up and enhanced the agentless deployment workflows in Protect.  Now you will see a higher-level summary as well as more detailed information about deployments as they occur.  Check out this screenshot showing a machine-level status with how many patches were deployed and how many executed.  Also see the patch-level view and the description showing the return code from the patch:

We have expanded the filters in the Scan template to include vendor severity which allows for more flexibility to scan for what you need without a lot of configuration of patch groups.

And for those of you with reporting customization needs, we have added several report views and documentation on the relationships so you can customize your own reports.  You can also use them to build reports from SQL Reporting Services or other 3rd party reporting tools.

Again, if any of these features are of interest to you we are looking to start the beta in early March before patch Tuesday.  Shoot us an email at beta@shavlik.com to get on the beta list.

Protect Console Migration Tool Early Access

We have been developing a tool to ease the burden of moving a Shavlik Protect Console from one system to another.  It could be done with some manual effort: moving certificates, swapping out the name of the system so agents would just start talking to the new one once you had moved everything, but it was a pain.  With the performance benefits of 64 bit and the EOL of Windows XP (Apr 2014) and Server 2003

Security Resolutions for 2014

The holidays are nearly over and many of us are starting to think of resolutions as we start a new year.  You may be contemplating diets, kicking a habit, getting a gym membership or exercise equipment at home, but at the office, think about ways to improve your security in 2014.  Here are some suggestions to contemplate.  These are probably already problems or projects you have been thinking about, and maybe you already have them solved or planned out to solve this next year.  If you haven’t, keep in mind all of these are possible with Shavlik Protect.

Increase patching frequency for your end user machines:

  • Microsoft may only release patches once a month, but the 3rd party apps on your systems are updated throughout the rest of the month.  Products from vendors like Adobe, Java, Google, Apple, Mozilla, and others are a prime target for hackers as many companies neglect to update them.  Our Content Team releases new data multiple times each week which includes security updates for these products.
  • Talk to vendors who are holding you on a vulnerable version of software due to a dependency on their application.  A good example of this is Java Runtime.  If you have software dependent on an older version of Java this is a risk to your environment.  I can’t tell you how many companies I talk to that have a dependency on a version of Java 6 due to a software vendor who has a dependency on a specific version of Java.  There are known exploits and off the shelf software to take advantage of them making this an easy target for hackers.
  • Check for End of Life software on your systems.  Shavlik shows software titles that have reached EOL with their vendor.  Any titles that are no longer supported become a risk to your environment and should be updated or removed if possible.

Secure your virtual infrastructure: 

  • Securing the Guest OS is all fine and good, but if you do not patch the infrastructure it is running on you are still putting the most secure VM at risk.  With Protect you can patch Citrix, Hyper-V, and VMware ESXi (Protect 9.0+) infrastructures.
  • Update VMware Tools.  VMware Tools are required for a lot of functionality on VMware VMs.  They are also a security risk.  Ensure you are updating the Tools version on your VMs.  Keep in mind if you do not update the Hypervisor tools version then the status for VMware Tools being up to date is not accurate.  You should ensure you have the latest tools updates applied to your Hypervisors.  There can be a delay and possibly a VM reboot before the Tools version shows out of date after you update the tools version of your Hypervisor.  Protect will detect and push the latest version of tools to systems which may be newer than the version your Hypervisor is evaluating against.

Extend your coverage outside your environment: 

  • Laptops that move in and out of your network regularly can be a risk to your environment.  It is important to ensure these systems are updated more frequently.  They move beyond your corporate perimeter security measures and often reside on public networks exposing them to greater risk.  With Protect 9.0 you can now enroll your console in the ProtectCloud.  This enables agents on your laptops to keep up to date even outside your network.  Policy updates and results are exchanged through the ProtectCloud so you are still able to see machines being updated and ensure they take policy changes you apply.

How to migrate a Shavlik Protect Console

The Shavlik Protect Team has been working on a tool to assist our customers in moving off of older platforms.  Whether you are on x86 and want to move to x64 architecture, want to move from a physical server to a virtual one, or want to move off of older operating systems (XP, 2003) you are trying to decommission, this tool is EXACTLY what you are looking for.  We have been field testing the tool for the past few weeks and have migrated six production Shavlik customers.   So you may ask yourself:

Q: What is the Protect Migration Tool?

A: The Migration Tool is an easy to use utility that backs up the DB, certificates, credentials, groups, templates, scheduled tasks, settings, licensing, etc. and allows you to restore to another server.

Q: Why should I migrate my console?

A: There are several reasons, but the most common would be:

  • Migrate off an operating system that has been marked for end-of-life (Windows XP, Windows Server 2003, etc.)
  • Migrate from a 32-bit architecture to a 64-bit architecture
  • Migrate to better, faster hardware
  • Migrate off an operating system that is no longer supported by the latest version of Shavlik Protect

Q: Where do I get the Migration Tool?

A: We are starting with an Early Access release in January.  Sign up for the How to Migrate your Shavlik Protect Console webinar in January.  We will announce availability of the tool on the webinar.

Did you know about all these great resources?

One thing that is always hard to keep up with is all the different resources available from a vendor regarding their products.  I started to make a list of all the training and support resources, media feeds, and other sources of information that a Shavlik customer would find valuable and decided to share them in this post.

Support and Training:

  • Support.shavlik.com – Your one stop shop for most everything you will need on the support side.  Has a complete set of links to online video training, online documentation, self help offline activation portal, knowledge base, submit support tickets etc.
  • Community.shavlik.com – Knowledge base with a wealth of self help information.

Content Announcements:

  • Shavlik Content Announcements – The same feed that shows up in the Shavlik Protect home page showing what new updates are available in each content release.  You can subscribe to this feed by email, by RSS (http://protect7.shavlik.com/feed/), or by following @ShavlikRSS on Twitter.
  • Shavlik Patch Tuesday Webinar – Get more in depth on what comes out on Patch Tuesday.  This webinar discusses all the Microsoft Security Bulletins released, with recommendations on what to prioritize.  We also discuss the 3rd Party releases around Patch Tuesday, other Security Threats and Advisories, and summarize the releases between Patch Tuesdays. Sign up on our webinars page for this and other webinars.

Social Media: To keep up to date on product, security, and other related topics.

Have a great weekend everyone!

A day in the life of a Shavlik Administrator

We recently caught up with Randy Bowman to learn more about how Shavlik helps him in his role as network engineer for the Presbyterian Church of the USA in Louisville, Kentucky.

The Details:

The System: The Presbyterian Church of USA licenses Shavlik for 50 servers with 450 endpoints dispersed across Louisville and Stone Point, New York.

The Team:  Consists of a two member networking team that takes care of the servers and server patching on a monthly basis as well as a team member that administers desktop support.  The desktop team member also takes care of patching the individual computers, which frees up network staff.

Q: Shavlik: What motivated you to look for a security solution?

A: Randy Bowman: About 8 years ago I came on board after some significant staffing changes.  For practical reasons we did not have very much available in the way of documentation.   We had to make up for lost time in our patching and we ended up getting a virus.  The result was that we were down for three days.

Q: Shavlik: How did you come to use Shavlik?

A: Randy Bowman: One thing I took on as legacy software was UpdateEXPERT (Shavlik acquired UpdateEXPERT in 2007). From there it was an easy transition to Shavlik Protect.  We find it makes things a lot simpler for us.  It allows us to patch several servers at one time and patch them in the evening when they are free of traffic.  We have the flexibility to reboot the servers or do them manually. If the server is open we can throw on the patching right then and there and have it reboot.

Q: Shavlik: What made Shavlik so appealing?

A: Randy Bowman: Time savings. Being able to quickly implement the patches and download them when they come on Patch Tuesday is a huge benefit. We usually wait until Friday or wait for a notification from Shavlik saying it’s okay for the patches to be installed. Here we’ve got 50 plus servers.   I can patch half one night and half the next night, and that would be the first patch. Even if it takes two passes to go through and get a server completely patched, it still saves us time. We are patched in less than a week, where before we would have to do some even manually. Patching is a piece of cake really. In comparison to what we’ve had before, it saves us so much time. Another thing is, if there’s an agent that needs to be on the server like if you brought a new server out, even if it’s just a test server, you can open Shavlik and tell it to push the new agent and BOOM it’s done. 

Q: Shavlik: Once you chose to use Shavlik, how long did it take you to get up and running?

A: Randy Bowman: In 2 days we had it going. It actually would have taken 1 day but we were having some separate technical issues with the servers that caused delays.

Q: Shavlik: For this installation, did you have people helping you or was it just plug-and-play?

A: Randy Bowman: It was plug-and-play, more or less. A fellow network engineer did the last upgrade to 9.0. He was on the phone with support and got it done in an hour.

Q: Shavlik: What is your favorite Shavlik feature?

A: Randy Bowman: I like how you can go through and scan the machines in a machine group and it will tell you how many patches are missing. You can run the report and in 5 minutes you’ve got results emailed to you about what patches are missing. When it comes to critical security patches, we sat down years ago and decided this is what we need. It’s easy for Shavlik to go through and look for these and let us know what’s patched and what’s not, and if it’s critical or not.