Summary This article teaches you how to read and work with the public member functions and attributes provided in the Flexera Software Package System of the Software Vulnerability Manager. This information is essential to understand how to script your custom packages and create advanced package designs that suit your general or more specific use-case needs. After going through this article, you should be able to understand the SPS scripts and modify them in your own advantage.  Synopsis The functions outlined below are useful as standard functions to log messages, get file names, calculate the Sha1sum (security), extract files from the SPS package to a location and report the number of files within a package.  The script contains Public member functions usable in Jscript, PowerShell and VBScript. The examples below show how to integrate them: Discussion server. It can be defined as the machine where the package is executed and can also be the package itself. Explanation: server = Localhost.package Public member functions: logMessage ("Hello World") This will write Hello World to the log. getFilename (1) This function will derive the filename from the first file within the SPS package. getSHA1Sum (1) Returns the saved SHA1 sum of the first embedded file. extractFile (1, "C:\\Windows") Will extract file number 1 to the C:\\Windows\ path on the system getSHA1Sum ("C\\Windows\testinstaller.exe") Calculates the SHA1 sum of C\\Windows\testinstaller.exe numberOfFiles will return the number of files embedded in a package LOG SPS.EXE When creating an SPS file within the CSI console (Step 2 of the SPS Wizard) you can also create a log to s specific file. In order to do this, navigate (using CMD) to the location where the SPS.exe has been created and use the following command : sps.exe -d debug.txt -v This will create a custom log that can help you identify errors within the package execution flow script. Additional Information SPS SERVER CLASS REFERENCE Public Member Functions void logMessage (string message) Logs a message to the log file. string getFilename () Returns the name of the embedded file identified by the given index. string getSHA1Sum (int index) Returns the saved SHA1 sum of the embedded file identified by the given index. void extractFile (int index, string destination) Extracts the embedded file identified by the given index. string getSHA1Sum (string path) Calculates the SHA1 sum of any file. void sleep (int millisecs) Sleeps for the specified number of milliseconds. Public Attributes FastArray args Readonly. An array containing the command-line arguments to the program. int numberOfFiles Readonly. The number of embedded files, including the controlling script. Additional training video: “Secunia SPS Training: The Custom Package” is an older video that is still valid, however. You can use it for mastering custom packages configuration in the current Software Vulnerability Manager and re-use some of its examples in the current SPS system successfully.    ... View more

Summary A guide for creating a software compliance report in SCCM for SVM patch deployments.  Synopsis The Corporate Software Inspector usually publishes patches to WSUS. If Microsoft System Center Configuration Manager is used for deployment, the Available section in SVM does not reflect the deployment and compliance status. The following describes how to create a simple compliance report in SCCM 2012, showing the status of third-party patches created by the SVM and/or the SC2012 Plugin. Discussion Requirement: Reference ID of created patches = Secunia AND/OR Secunia Custom Naming was used when the patch was created in SVM or the SC2012 Plugin. 1.) In the SCCM console, navigate to the main menu Monitoring and then click the Reporting folder. 2.) Navigate to the sub-folder Software Updates - A Compliance, click on it and, on the right-hand side, right-click Compliance 2 - Specific software update, then Run. 3.) In the report window, right next to the Collection text field, click Values and then select the collection you would like to run the report on. For example All Systems, or All client computers and then confirm with OK. 4.) In the text field Update Filter, type in Secunia and then click View Report. Now you should see a list of all patches published from Software Vulnerability Manager or the SC2012 Plugin and their deployment and compliance statuses. ... View more

Summary This guide provides a solution if you receive an error message 0x800b0109 when deploying third-party updates created by the Flexera Software Vulnerability Manager.  Symptoms You receive an error 0x800b0109 when installing any third party update while all Microsoft updates install successfully without any error. This error message would be shown in the control panel and windowsupdate.log file on the client machine. All third-party updates will fail to install. Cause By default, third-party updates are not trusted by Microsoft Windows. All updates installed by WSUS are signed by a Microsoft certificate and MS operating systems trust packages downloaded from Microsoft update. All third-party updates are created locally and signed by a WSUS code signing certificate. This cert should be trusted by client machines and you need to distribute the certificate to all machines receiving updates from WSUS. Windows Update should also be configured to trust packages that are signed by a local update authority like WSUS/SUP. Resolution Make sure that the WSUS publisher self-signed certificate is imported into the Trusted Root Certificate Authority and Trusted Publisher folders. You can verify that by opening a computer certificate of the machine where the update is failing. The certificate should be present in both Trusted Root Certification Authority and Trusted Publishers folders as shown below. You also have to verify that the Windows Update setting "Allow signed updates from an intranet Microsoft update service location" is enabled as shown below. Open it by typing gpedit.msc in the Start menu. Navigate to Computer Policy > Administrative templates > Windows Components > Windows Update. Once these settings are changed install the update again. It should now install successfully. To resolve the issue on multiple computers, make sure that these changes are pushed to the computers by a group policy. You can either generate the required GPO via Software Vulnerability Manager under Patching > WSUS/SCCM > Configure upstream server > Create group policy OR create the group policy manually. ... View more

Summary You are reviewing the SVM Daemon log file and you see the following message: Caught exception CWP40: -2147024770, The specified module could not be found. Cause This indicates that Microsoft Visual C++ 2012 Redistributable x86 is missing on the system. Resolution Install Visual C++ 2012 Redistributable x86 on the machine running the Daemon. https://www.microsoft.com/en-us/download/details.aspx?id=30679 ... View more

Summary When deploying an update package for Adobe Reader the package fails to install with error code 1638. Symptoms When an Adobe Reader update package is deployed the installation fails. Adobe Reader is not updated to the latest secure version The update package loops in Windows Update Error 1638 in windowsupdate.log and in secuniapackage.log Cause Adobe Reader comes in two versions. In this solution, we will refer to them as the consumer version and the enterprise version. The consumer version will refer to the .exe installer. The enterprise version will refer to the .msi installer. The differences are described below. Adobe Reader EXE Installer The .exe installed version, which is intended for consumers: - is meant to be updated through the Adobe Update Service known as ARM. It is possible to update the consumer version through incremental updates (.msp packages) but errors might occur. - does not allow for configuration prior to installation. Adobe Reader MSI Installer [used by Flexera] The .msi installed version, which is intended for enterprises: - is meant to be updated through incremental updates (.msp packages) deployed through whichever tool the enterprise uses for deploying updates (WSUS/SCCM/etc.). It is possible to update the enterprise version through the ARM service, but some enterprises report errors installing it. - The enterprise version allows for multiple configurations prior to deployment, and also supports the Adobe Customization Wizard tool. Flexera Patches  In order to make our package as resilient, error-free, easy-to-use and configurable as possible, as well as complying with Adobe's best-practice, we have included the enterprise (.msi) installer. The consumer version installer of Adobe Reader is not compatible with the enterprise version installer, and the two were unable to interact with each other without resulting in an error code of 1638. Resolution We, therefore, implemented the clean install workaround, which allows the package to uninstall previous versions of Adobe Reader, and then install the enterprise version, which is what Adobe recommends: http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/basics.html#installation-best-practices The drawback of this workaround is the loss of settings, but a clean install has always been completely dependent on the uninstaller of the product, so this was inevitable. Since the workaround ensured that the enterprise version would be installed instead, the workaround only had to be applied once, after which the bug would no longer appear. This means that the bug would be a one-time-inconvenience with our workaround, rather than continuously causing issues. ... View more

Summary Step by step guide to allow third-party product families in the System Center Configuration Manager. Synopsis This short guide describes how to allow products for Software Update points using the System Center Configuration Manager console. Once products are allowed, the applicable third-party patches that have been published to the Software Update point will appear in the Software Library after a Software Synchronization has taken place. Discussion 1. Launch the System Center Configuration Manager Console 2. Start by running an initial Software Sync. This allows the SCCM Console to see that there is a Secunia product waiting. 3. Once the sync is complete, navigate to Administration > Site Configuration > Sites 4. Right-click the Site and go to Configure Site Components > Software Update Point   5. Click the Products tab to view a listing of the current product categories (allowed products have check-marks). Here you can allow packages you've published to the Software Update Point via the Software Vulnerability Manager interface. If you've enabled "Use Flexera Custom Naming" while creating your packages you'll see a Secunia company category showing up in the Product category window.    Additional Information If you don't select allowed product categories in the SCCM administration console then these updates will not be synchronized by SCCM and will not be displayed in the SCCM Console as available updates. ... View more

Summary You published a new SPS patch through the Software Vulnerability Manager to a Windows Server Update Services server (WSUS), but even when you have clicked to "Approve" the update through the incoming options window, your patches are still being deployed to more systems than what you've approved.  Symptoms You may have noticed that the Software Vulnerability Manager package is actually set to approve before you did it yourself. This blocks you from executing the planned package distribution because even when you set an approval, it doesn't seem to work or take the expected effect.  For example, when you decide to not approve a patch immediately but to do it from the "Available" section under the Patching menu.  Cause There are a few things to understand here. SVM Packages are classified as Security/Critical Update after published to a WSUS (+SCCM) server. WSUS (SCCM's SUP ) has been configured to auto-approve Security/Critical updates to all hosts.  Once any package is approved at WSUS, you cannot override the first with a direct second.  This may happen without you realizing how this happened and when because it is pretty common auto-approvals to be set for e.g. Windows Defender security definition updates. The Software Vulnerability Manager surrenders the package to the WSUS server after publishing and you 'll have to tweak your WSUS to adjust its configuration to be working for you. Or, you may not have to.  Resolution You can take one of three options:  Disable the Automatic approval rule from your WSUS if that is not going to prevent your other security patch management programs. This will allow you granular deployment control.  Keep the Automatic approval rule and decline the updates at the "Available" menu of the web interface of the Software Vulnerability Manager, as soon as you publish them.  Modify the existing rule to apply only to specific Microsoft products. ... View more

Summary The Software Vulnerability Manager can scan the SQL database of active SCCM servers and acquire nicely the collected by the Software Inventory capability of CCM program data from each system. This program metadata is then being analyzed by SVM against the Secunia Research Vulnerability Tracking database and the security states of all programs for each system across the network is determined.  Synopsis The Software Vulnerability Manager can be configured to use Software Inventory data from SCCM as scan information. To be maximum efficient and produce optimal vulnerability intelligence insights, SVM needs the maximum amount of data of application metadata that can be collected from each system. But as this can often be a problem as it impacts the SCCM database, some customers prefer to adjust the amount of information to be analyzed to specific executable file types, for example only EXE and DLL.  Flexera recommends all file types, however, as this is in the interest of your own security oversight.  The following file types should be inventoried by SCCM exactly as they are being written next: *.exe *.dll *.ocx Discussion 1. In SCCM/Administration/Client Settings, open the properties of the client settings that contains the Software Inventory configuration. 2. Under Software Inventory, click Set Types... 3. Add *.exe, *.dll and *.ocx and remember to include the Windows folder which is disabled by default. (As shown in the screenshot below) ... View more

Summary The above error occurs while publishing package due to WSUS certificate missing Private key. Symptoms Failed to publish package Code -2146233079 Failed to sign in package, error was 2148081670 Cause This error occurs when Private key is missing from the certificate in WSUS store on WSUS server. Resolution 1. Login to Software Vulnerability Manager 2018. 2. Navigate to Patching -> WSUS / System Center -> Configure Upstream Server. 3. Go to Step 2 -> Click "Automatically create and install certificate" 4. This will install certificate as shown in the figure. . Additional Information You would need to remove / delete the previous certificate from Certificate Store before creating a new one via SVM console. ... View more

Summary This article explains the correct method to create software packages in the Software Vulnerability Manager to match updates with different architectures. We provide this tutorial with a random example of a VLC Player package for a better context.  Synopsis When publishing an update package for VLC Player via SPS, options are available for both 32-bit and 64-bit systems. On 64-bit machines, depending on the version, the programs are either installed on Program Files (x86) or Program Files. By default, all 32-bit programs are installed in the Program Files (x86) folder and 64-bit in Program Files. When deploying an update package via the SPS system, if the package and path selection is not correct, it may result in a failure publishing the package or the package not being updated to the latest version. Discussion To overcome this issue, follow the instructions for applications that have both 32- and 64-bit versions and for cases where the update is not automatically installed on the default path (VLC in this instance). When creating an update package for VLC Media Player 32- and 64-bit versions, the package can be created as follows and must be approved separately to both 32- and 64-bit systems. 32-bit package for 32-bit systems: Create a 32-bit update package via SPS Verify that the installation path is C:\Program Files\VideoLAN\VLC\ Select the package for 32-bit systems only Publish the package 32-bit package for 64-bit systems: Create a 32-bit update package via SPS Verify that the installation path is C:\Program Files(x86)\VideoLAN\VLC\ Select the package for 64-bit systems only Publish the package 64-bit package for 64-bit systems: Create a 64-bit update package via SPS Verify that the installation path is C:\Program Files\VideoLAN\VLC\ Select the package for 64-bit systems only Publish the package ... View more

Summary Sometimes you will find yourself in a situation to be missing some important menus. That could be "Remote Scanning via SVM" or the entire "Flexera Software Package System", or "Active Directory" and other menus as well. This could happen due to couple of reasons and we explain them here.  Symptoms You can see Vendor Patch Module but the Flexera SPS is missing Cause In order to have access to some menus like Patching, Active Directory, Quick Scan and System Center Inventory Import you need to download and install the SVM Plugin for Internet Explorer. Resolution Solution 1: Download and install the SVM Plugin. If this is the first time you are using SVM on your machine then you need to download and install the SVM Plugin using the red download link on the bottom of the page. Solution 2: You are not using Internet Explorer. Currently, the Flexera SVM Plugin is only supported on Internet Explorer. To view Results and Reports you can use other browsers? if you would like to access Patching, Active Directory, Quick Scan and System Center Inventory Import you will need to open the Flexera SVM 7 in Internet Explorer. Solution 3: The SVM Plugin is installed but you are not running the latest version. After we have a maintenance release you will need to upgrade to the latest version of the SVM Plugin as well. To do that you can just re-download the plugin using the red download link on the bottom of the page. Solution 4: The SVM Plugin is not able to communicate with the Flexera backend. If the latest version of the SVM Plugin is installed, you are using Internet Explorer, and the Patching menu is still not displayed then the plugin might not be properly communicating with the Flexera backend. Add https://*.secunia.com into the Trusted Sites of the Internet Explorer configuration options. This is always a good thing to check.  ... View more

Summary This article describes how to activate verbose logging for the Software Vulnerability Manager 2019 Daemon service (installs as "Flexera Corporate Software Inspector Daemon").  This can be very helpful to debug technical problems with "System Center Inventory Import" schedule executions, or any other activity that is being delegated and therefore executed by the Daemon service.  Synopsis Logging is useful for troubleshooting purposes. A log file can reveal if the Flexera Daemon service is working correctly and performing all scheduled tasks at regular intervals. By modifying and/or creating registry keys it is possible to enable logging for the Flexera Daemon service. Discussion To enable logging of the Daemon service, follow the steps outlined below: 1) Open Regedit with an elevated administrative account. Browse to: HKLM\SYSTEM\CurrentControlSet\Services\Flexera Corporate Software Inspector Daemon\ 3) Modify the ImagePath value, and append logging arguments -d "C:\<folder>\<logfile.txt>" -v -v -v For instance:  "C:\Program Files\Flexera Software\Corporate Software Inspector Daemon\daemon.exe" --service-launch -d "C:\Logs\MyDaemonLog.txt" -v -v -v 4) Restart the Flexera Corporate Software Inspector Daemon service.  Restarting the service should work out-of-the-box and it should complete without errors. If you encounter an error, review the ImagePath string and make sure you haven't missed quotes, etc.  Once the service restarted without errors, the log file you specified in the ImagePath should be created. You will need to leave the Daemon for a few hours in order to collect data from its own executions.  To enable enhanced logging for the SVM Daemon service, take the following steps: 1) Open Regedit. Navigate to: HKCU\Software\Secunia\Daemon 3) Create the following registry keys (if not present): String Value named LogFile Enter the path of the log file, e.g. C:\Enhanced Daemon Log\Daemon.log. Create DWORD (32 bit) Value named LogFileMax  Enter the maximum size of the log file, e.g. 8000000 (8 MB). Create DWORD (32 bit) Value named Logging Enter the level of logging 1-4, recommended level is 3. Restart the Flexera Daemon service. Additional Information Possible reasons of why the Flexera SVM Daemon service might fail to include:  The Run-as-User account for the Flexera Daemon service does not have the appropriate permissions to connect to the SCCM database via ODBC (SQL permissions; Select and Connect).  The Secunia Daemon service is unable to fetch the configuration script from the back-end server due to incorrect CSI User authentication (HTTP 400 errors). The Proxy information provided during Daemon service installation is currently being incorrect. ... View more

Summary This article helps to remove SVM Agents from clients by utilizing an alternative method of deployment of a logon script that will run a small bat file that will then run the Uninstall.exe removal tool of the Agent.  Synopsis The below steps list the process of creating a GPO deployment of a logon script that will uninstall your SVM2018 Agents from Clients in the domain: Create your Logon script or just reuse the one we provided hereby: ------------------------------------------------------------------------------- @echo off if EXIST "C:\Program Files (x86)\Flexera Software\Corporate Software Inspector Agent\Uninstall.exe" GOTO uninstallx86 if EXIST "C:\Program Files\Flexera Software\Corporate Software Inspector Agent\Uninstall.exe" GOTO uninstall exit :uninstallx86 echo "unistallx86" cd "C:\Program Files (x86)\Flexera Software\Corporate Software Inspector Agent\" Uninstall.exe /S echo "SVM2018 Agent Uninstalled" exit :uninstall echo "uninstall" cd "C:\Program Files\Flexera Software\Corporate Software Inspector Agent\" Uninstall.exe /S echo "SVM2018 Agent Uninstalled" exit -------------------------------------------------------------------------------   Save your script as Uninstall.bat file (to execute as a batch task) Create a New GPO that will be used to carry out the Logon script to your machines (best-practice) Open the Group Management Console Active Directory 2012: Server Manager/Tools/Group Policy Management Active Directory 2008: Start/Administrative Tools/Group Policy Management Expand the AD Domain Tree, right-click on the Domain/OU you want to apply the policy on, and select 'Create GPO in this domain and Link it here' In the new dialog, give the GPO a corresponding name, then click OK. Right-click on the GPO and select Edit. In the Group Policy Management Editor, go to User Configuration/Policies/Windows Settings/Scripts (Logon/Logoff) Double-click Logon in the right pane. Click Show Files (a folder whose name ends in User\Scripts\Logon is displayed) Note the folder and Copy your 'Uninstall.bat' script into it. In the Logon Properties window, click Add. Click Browse to open the logon script directory, then select your logon script file and click OK. Verify that the logon script appears in the list of the Logon Properties window, then close with OK.   ... View more

Summary In this article, you will learn to configure SSL at WSUS and integrate SVM with it for secure publishing. This provides all the steps, but it should act as an example. You should always implement your services through the most current encryption and security standard. Discussion The following will take you through all steps.  Requirements You installed Windows Server Update Services (WSUS) role on a Windows Server machine You have surpassed the initial configuration of the server in terms of products and classifications.  Your Windows account is added to the WSUS-local security group "WSUS Administrators".  NOTE: This article provides examples for Windows Server 2012 R2 installation of WSUS, but you will likely be able to apply the same, or similar steps for higher versions of Windows Server Update Services.  Configure SSL at Microsoft Internet Information Services 8.5 1) Open the Server Manager, navigate to Tools > Internet Information Services (IIS) Manager. 2) Click the server node in the tree. Double-click on "Server Certificates". 3) Here you have two options. Use your own CA SSL certificate (highly suggested): Choose "Import", Proceed with step 4.a. Create a self-signed SSL certificate  choose "Create Self-Signed Certificate.": Go with step 4b. 4a) Select your CA SSL certificate [PFX format], provide the password and choose "Web hosting".  4b) Provide a friendly name for the certificate. Choose. "Web Hosting" store and close it with OK. 5) Choose "WSUS Administration" in the left-hand sided tree list. 6) Choose "Bindings" in the Actions column. 7) Click on "https 8531" and choose "Edit" 😎 Select the SSL certificate in the drop-down box and click "View...". 9) Make a note of the FQDN of the "Issued to" server and click OK. 10) Provide the FQDN hostname from the previous step and click OK. 11) Click Close. 12.) Click on WSUS Administration Console, select SSL Settings, then enable 'Require SSL'  next.  12) Expand "WSUS Administration" . Choose "ClientWebService". Double-click "SSL Settings". 13) Mark the checkbox "Require SSL" . Click Apply. 14) Repeat steps 12 and 13 for "DssAuthWebService",  "ServerSyncWebService", and "SimpleAuthWebService". Close the "Internet Information Services (IIS) Manager". Validate changes with WsusUtil.exe 15) Run command prompt in Administrator mode. 16) Change to directory C:\Program Files\Update Services\Tools. 17) Run "WsusUtil.exe configuressl <FQDN>". The output should be similar as shown below.  Export and Distribute SSL Certificate  The next step is to export this certificate and provide it to all systems connecting to WSUS. 18) Run MMC as admin. Click File and choose "Add/Remove Snap-in" 19) Click Certificates and then click Add. 20) Enable "Computer account" and click Next. 21) Choose "Local computer" and click Finish. Click OK after that.  22) Expand the Certificates (Local Computer) \ Trusted Root Certification Authorities. 23) Click on Certificates. Locate the certificate that matches the FQDN of this server. 24) Right-click and choose "All Tasks" and "Export" Now the certificate has been exported, you will need to provide this certificate to all systems that will need to connect to the WSUS server (SCCM, WU agents, SCCM clients).  This certificate should be imported to the "Trusted Root Certification Authorities" (This can also be achieved by creating a GPO). WSUS should be configured to use SSL and you should be able to integrate the Software Vulnerability Manager interface with the WSUS server using SSL. Connect SVM to WSUS via SSL 25) In the Patching menu, navigate to Patching, choose Configuration -> WSUS/System Center. 26) Provide the FQDN as the WSUS server name (as in step 9). 27) Enter the correct WSUS SSL port, enable "Use SSL Connection" checkbox, then press Connect. 28) Verify the connection in the connection status. Successful WSUS SSL Implementation and SVM Connection ... View more

Summary This article explains the recommended steps to issue log files with the SVM Agent in the command-line interface of Windows, or Linux and Mac terminals. The SVM Agent supports great set of configuration parameters that make it integrate seamlessly and in a stellar manner at all types of networks.   Synopsis Running manual scans with the Software Vulnerability Agent in command-line or a terminal of any kind can be required in many scenarios, for example: There is a technical problem and you need to collect log file data that can be sent to Support.  Some software did not appear in the scan results and you need a log file to show if it is ever found. Networking issues arise and you need collected connection information to troubleshoot access. You must run the command-line with Administrative account, else the Agent might be blocked by UAC. When you run the agent like that, Windows uses the permissions of the account that ran CMD. Command-line interactions do never capture the LocalSystem context, and cannot test against it.  Run the following command to obtain a basic scan log file.  csia.exe -c -d "C:\temp\agentdebug.log" -v Run the following command to obtain basic scan log file, just differently. csia.exe -c -v > "C:\temp\agentdebug.log" Both of the following will work too. Each `-v` parameter (max=3) adds more verbose.  csia.exe -c -v -v > "C:\temp\agentdebug.log" csia.exe -c -d "C:\temp\agentdebug.log" -v -v -v To see all switches available use the following command: 'csia.exe -h'. Basically the -d and the -v is added to the last command line instruction in the script. Agent Installation Logging when deploying with WSUS/SCCM Go to Patching/Agent Deployment and click "Create Agent Deployment Package". At step 2, scroll down to the location shown in the below screenshot: If a Run-as-User has been specified at the top of the script you must use the top example (-i -R ), if not the bottom example must be used (-i -L).  The log file name can include a location, i.e. C:\SecuniaLogs\agentlog.txt, or just agentlog.txt. If you don't set a location, it will be saved in the default Agent package installation directory. SVM Agent installs at C:\Program Files (x86)\Flexera Software\Corporate Software Inspector Agent folder.  All Agents installed with the package will create registry keys needed to generate a log file every time it performs a scan and even when it checks-in with its master server. This can be useful when you need to see what happens during installation on many hosts and you don't have time to be doing it manually.  Related KB Articles Full list of Agent Parameters SVM Agent Deployment Logic - Avoid Proxy Blocking - Community Agent Package Deployment Uninstall Agent via WSUS/SCCM Deployment  Troubleshoot Certificate Revocation Problems Additional Information (SVM Next) The information in this KB relates primarily to SVM 2019 solution, but the parameters and approach of command-line interaction are the same and SVM Next users should feel free to download their agents from their interfaces and use this article to the best of their advantage.      ... View more