11 Replies Latest reply: Oct 18, 2012 7:16 AM by abhijit222223 RSS

    Security scan fails to download some patches

    Rookie

      When i run a security scan, it fails to run certain installers.

       

       

      Last status:
      2 patches were found to run
      Last status: Done.  2 patches were found
      Last status: Failed
      Download Failure: Error 80004005 downloading http://CORESERVER/LDLogon/patch/skypesetupfull5.6.0.110.exe
      Last status: Failed: Could not download http://CORESERVER/LDLogon/patch/skypesetupfull5.6.0.110.exe
      Sending status to core
      In SendRequest: Action = SOAPAction: "http://tempuri.org/SetPatchInstallStatus"
      Wed, 01 Feb 2012 16:36:32 SendRequest: SOAPAction: "http://tempuri.org/SetPatchInstallStatus"
      Wed, 01 Feb 2012 16:36:34 Success

       

       

       

       

      Last status:

       

      Last status: Done

      Wed, 01 Feb 2012 16:36:35 Performing TCP connection with a timeout of -1 milliseconds

      Wed, 01 Feb 2012 16:36:37 Performing TCP connection with a timeout of -1 milliseconds

      Wed, 01 Feb 2012 16:36:39 Performing TCP connection with a timeout of -1 milliseconds

      Wed, 01 Feb 2012 16:36:41 Performing TCP connection with a timeout of -1 milliseconds

      Wed, 01 Feb 2012 16:36:42 Performing TCP connection with a timeout of -1 milliseconds

      Downloading http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

      Failed to download http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe.  Error code 1

      Last status: Failed

      Download Failure: Error 80004005 downloading http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

      Last status: Failed: Could not download http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

      Sending status to core

      In SendRequest: Action = SOAPAction: "http://tempuri.org/SetPatchInstallStatus"

       

       

      Wed, 01 Feb 2012 16:36:44 SendRequest: SOAPAction: "http://tempuri.org/SetPatchInstallStatus"

       

       

       

       

      However other updates run, such as adobe reader x or firefox 9.0.1 correctly downloads and installs.  All the install files are in the same patch repository.  I don't understand why it would update firefox from 8.0.1 to 9.0.1 but not to 10.0.

        • 1. Re: Security scan fails to download some patches
          rmeyer SupportEmployee

          Put the following URL in IE on the client to see if you get the message asking if you want to run or save the file:

          http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe

           

          Make sure that you remove the proxy settings from IE when you try this. If it fails you need to troubleshoot why the clients cannot access the URL.

          • 2. Re: Security scan fails to download some patches
            mrspike SSMMVPGroup

            Our company blocks access to Skype and we have this issue... but we do not forbid our laptop users from using Skype when on travel, etc, so we need to patch it.  I have to either work with our security guys to get around the sitewide proxy server, or download it off site and get it at work another way.

             

            You might be having the same issue... If ZMAN's way does not work, see if you can go to skype.com and manually download a file from there or not.. note, the download you will be offered there is different than the one LANDesk uses and will not work, but worth trying to download to see what your issue is.

            • 3. Re: Security scan fails to download some patches
              Rookie

              putting in that url gives me a credentials prompt.  After entering my credentials, it gives a HTTP Error 404 - File or directory not found.  I'm assuming anonymous authentication in IIS isn't working correctly because it's asking for credentials.

               

              I did change the password for the IIS anonymous authentication account, however i changed it in the IIS setting as well, so i'm not sure why it would not be working.

              • 4. Re: Security scan fails to download some patches
                Rookie

                skype is definately not blocked.  We also do not have a proxy server.

                • 5. Re: Security scan fails to download some patches
                  mrspike SSMMVPGroup

                  Sorry, first off, it was not ZMAN that had posted before.. just so used to him being among the first...s

                   

                  Also, I assumed the url that I saw was to the Skype file from Skype, the patch core.

                   

                  Let's start over....

                   

                  This patch requires you to manually download the file from Skype, if you open the properties of the patch the default tab will state to get it from here:

                   

                  http://community.skype.com/t5/Windows/New-Release-5-6-0-110/m-p/214046

                   

                  Unzip and follow these directions:

                   

                  We recommend that everyone upgrades to the newly released build.
                  In order to remediate this vulnerability/install the application you must manually download the zip file from http://community.skype.com/t5/Windows/New-Release-5-6-0-110/m-p/214046.
                  Once the file is downloaded, Unzip and copy the file to the \patch folder on the LANDesk core server,
                  \Program Files\LANDesk\ManagementSuite\ldlogon\patch. Rename the patch name to skypesetupfull5.6.0.110.exe,The vulnerability/application install can now be remediated through the normal LANDesk Patch Manager process.

                  • 6. Re: Security scan fails to download some patches
                    Rookie

                    already done that.  The skype patch used to work.  However, in an effort to try and get these security scans to download patches over the gateway, i might have broken something with permissions in IIS.  I changed the password to the anonymous authentication account and changed it in the IIS settings.  Since then, i've been having problems with patches that used to work, because now some of them are not downloading correctly.

                     

                    2nd problem (which caused me to mess with IIS) is that none of the remote machines that we have are able to download patches over the gateway.  ALL .exe patches fail to download.  Which is what led me to believe there was something wrong with IIS.

                     

                    I really need to get this resolved.  The system admin and I are both somewhat new to this company and we were thrown into a situation where we have no documentation relating to how landesk works in our organization.  We have no password lists or anything.  So i'm kind of in a bind.  Creating cases via self service portal does not give a fast enough response.  My supervisor is already seriously thinking of dumping landesk.

                     

                     

                     

                     

                    So i specifically need to know where the IUSR_computername account is used in aside from IIS anonymous authetication and what permissions that account needs to make it work with security scans locally on our domain AND over the gateway.

                     

                    Thanks all for any insight you might be able to give me.

                    • 7. Re: Security scan fails to download some patches
                      LANDave SupportEmployee

                      Anthony,

                       

                      The following document may be of some use to you:

                       

                      IIS Virtual Directories and File Permissions for Security and Patch Manager

                       

                      This document details the various NTFS and IIS permissions necessary for the various directories used in the Vulnerability Scan process.

                       

                      In addition here is some information regarding the IUSR password.

                       

                      http://blogs.msdn.com/b/jiruss/archive/2006/05/24/606107.aspx

                       

                      The LANDesk clients need to be able to access the patch repository in order to download patches.

                       

                      The permissions in the first document above should spell out the specific permissions for the directories, both at the NTFS level and at the IIS virtual directory level.

                       

                      Some information about the key directories:

                       

                      As the client is scanning the following directories are accessed:

                       

                      Default patch storage directory: LDLOGON\Patch

                       

                      This is where the patches are stored that the clients download and install through Patch Manager.

                       

                      This can be changed if necessary: http://forum.landesk.com/support/docs/DOC-2133

                       

                      LDLogon\VulnerabilityData directory: (This is where the .XML data is stored that tells the vulnerability scanner what to scan for)

                       

                      As the client only needs to be able to access and and download these XML and XMLZ (compressed XML) files, Read and Directory browsing is suffiicient for IUSR in this instance.

                       

                      LDLogon\VulscanResults: As the vulnerability scanner is scanning, the information regarding what has been scanned (Scan history) is sent back to the core server, is placed in the Vulscan results folder as a .VRZ file (Compressed vulscan results) and is then processed into the database.

                       

                      Due to the fact that the client needs to write the .VRZ files into this directory, the anonymous (IUSR) account needs Full control to this directory.

                       

                      LDLogon\IncomingData: The PostCGI.EXE file within this directory needs to be able to be accessed by the IUSR account in order for the core to process the incoming Vulscan Results files from the client.

                       

                      Once these permissions have been set and verified as functioning properly, it is recommended to make a backup of the IIS configuration.

                      • 8. Re: Security scan fails to download some patches
                        LANDave SupportEmployee

                        In the end with this issue we discovered that it was an issue with Proxyhost.exe that has been resolved in Service Pack 3.  

                         

                        http://community.landesk.com/support/docs/DOC-1001

                        • 9. Re: Security scan fails to download some patches
                          sterling22 SupportEmployee

                          Anthony,

                           

                          In looking at your IIS logs Error: 404.2 - Web service extension lockdown policy prevents this request.
                          http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0f4ac79a-dc2b-4a5f-89c1-d57266aa6ffe.mspx?mfr=true

                          1) On the core server go to Start | All Programs | Administrative Tools | Internet Information Services (IIS) Manager
                          2) Go to Web Sites | Default Web Site
                          3) Right click on the new web share that has been created and click Properties
                          4) On the General tab look for Execute Permissions
                          5) Set Execute Permissions to "Scripts Only"
                          6) Click OK and close IIS
                          7) Go to Start | Run: iisreset

                          • 10. Re: Security scan fails to download some patches
                            zman Master

                            Seeing this sporadically on our SP2+ clients in Patch and SD downloads. Good to know it is fixed in SP3.

                            • 11. Re: Security scan fails to download some patches
                              abhijit222223 Rookie

                              Hi David,

                               

                               

                              I am getting exactly the same problem, LANDesk 9 service pack 3 installed.

                              I have changed patch manager download from http to UNC … same problem

                               

                              Thanks in advance

                              Abhijit