Patch Management Solution

{CWoC} PatchAutomation and ZeroDayPatch builds for 8.0 

Mar 14, 2016 06:50 AM

[END OF "SUPPORT" NOTICE]

Hello everyone, after close to 5 years maintaining various tools around Symantec Connect this legacy is turning out to be more of a burden than anything else.

It's still a great set of tools and they all have their use, but as such I'm not going to maintain them anymore.

The source code for this tool may still change over time, and can be found on Github: https://github.com/somewhatsomewhere?tab=repositories

[/END OF "SUPPORT" NOTICE]

ITMS 8.0 was released just a week ago, so it is time for the Patch Automation toolkit to receive its new addition to the family: Version 11, built for 8.0 :D.

This release doesn't have much else - but keeping up to date is good enough as the tool is now quite mature.

Finally, all the existing documentation related (and updated) to both tools still applies (both documents contain the 7.1 builds as well):

7.5 builds are also available as downloads:

Whilst the 7.6 releases are available on a blog entry:

Quick reference: ZeroDayPatch Command line help message

ZeroDayPatch (version 11) command line usage:

    /vulnerable
            Use this command line switch to install and run a custom stored
            procedure to retrieve candidate bulletins. The procedure will be
            installed is and named ZeroDayPatch_GetVulnerableMachines-0003.

    /targetguid=
            Use this option to set the target guid to be used with newly 
            created policies. This will over-write the default target defined
            globally.
			
            Note that you can specify more than 1 target guid. Just add more
            /targetguid= to you command line or config file. This
            is most useful if you are delegating computer targetting to other
            team (such as server , workstation administrators).

    /config=
        Reads the file at the provided path and parses each line for com-
        -mand line options. Here is a sample config file content:
            /severity=critical
            /custom-sp=CWoC_GetAllBulletins
            /vendor=google
            /dryrun
            /debug

    /test   
        Run the automate in test mode only. A maximum of 10 policies will
        be created in this mode.

    /dryrun 
        Run the automate in dry run mode. No changes will be made to the 
        system, but expected operation will be printed to the console.

    /severity=|*
        Set the severity used to select bulletins that will be handle by 
        the automate. The * wildcard can be use to match all severities.

    /patchall
        Use this command line if you want to manage bulletins from all
        vendors in the database. By default we only handle Microsoft bul-
        -letins.

    /released-before=
        Configure a date filter that will include bulletin released before
        the specified date. It is set by default to the current date.

    /released-after=
        Configure a date filter that will include bulletin released after
        the specified date. It is set by default to (current date -1 year).

    /custom-sp=
        This option allows the user to specify a custom stored procedure to
        be called during the execution. The stored procedure may be present
        on the database (if not the automate will return with no errors) and
        must contains the following columns that are used and needed:
            * _resourceguid [Software bulletin guid]
            * released [Software bulletin release date]
            * bulletin [Bulletin name]
            * severity [Bulletin Severity]
        You can also add a vendor column if you want to filter bulletins by
        vendor (see option /vendor)

    /vendor=|*
        Configure a vendor filter to only return bulletins that match the
        vendor string from a custom procedure. This is because the vendor
        field doesn't exist in default Patch Procedures used by this tool.

        If /vendor is specified with a custom-sp that doesn't contain the
        vendor field the setting will be ignored (all bulletins will be
        returned).

    /debug
        Output extra information on the command line to allow debugging or
        reporting problems to Symantec Connect.

    /duplicates
        Use this command if you want the tool to generate duplicate
        policies. This is useful if you want, for example, to migrate
        policies from a parent to a child SMP without disruption.

        Note! Duplicated and new entries will be added to the exclusion 
        table in the database for safety reasons.

    /exclude-on-fail
        Use this command to add bulletins to the excluded table if it fails
        3 times during the stagging or policy creation phases. If not uses
        the failing bulletin will only be skipped.

    /retarget
        Use this command if you want to switch existing policies to use a
        new target. The target guid should be provided with /targetguid=...

    /version
        Print out the current version of the tool.

    /?
        Print this help message to the console (stdout).

Update 1: Uploaded a new version of ZeroDayPatch, with an increment on the schema version used for the /vulnerable command line switch. Thanks Mistral for the help troubleshooting and validating the changes!

Update 2: Adding tool command line help for quick reference.
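
A pre-flight check for a /config= file, built from the switches listed in the help message above. This is an added example, not part of the original post or of the tool; the function name lint_config and the GUID pattern are assumptions, and switch names are matched exactly as the help text spells them.

```python
import re

# Switches from the help message above; True means the switch takes "=value".
SWITCHES = {
    "vulnerable": False, "targetguid": True, "config": True, "test": False,
    "dryrun": False, "severity": True, "patchall": False,
    "released-before": True, "released-after": True, "custom-sp": True,
    "vendor": True, "debug": False, "duplicates": False,
    "exclude-on-fail": False, "retarget": False, "version": False, "?": False,
}
GUID = re.compile(r"\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?")

def lint_config(text):
    """Return (options, findings) for the text of a /config= file."""
    options, findings = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, _, value = line[1:].partition("=")
        # Assumption: names are compared exactly as spelled in the help text.
        if not line.startswith("/") or name not in SWITCHES:
            findings.append(f"line {no}: unknown switch {line!r}")
            continue
        if SWITCHES[name] and not value:
            findings.append(f"line {no}: /{name}= needs a value")
        if name == "targetguid" and value and not GUID.fullmatch(value):
            findings.append(f"line {no}: /targetguid= is not a GUID: {value!r}")
        options.append((name, value))
    names = {n for n, _ in options}
    # The help text says /retarget expects its target via /targetguid=.
    if "retarget" in names and "targetguid" not in names:
        findings.append("/retarget is set but no /targetguid= names the new target")
    # The vendor column only exists in custom procedures, per the help text.
    vendors = [v for n, v in options if n == "vendor" and v != "*"]
    if vendors and "custom-sp" not in names:
        findings.append("/vendor= filters on the vendor column of a /custom-sp= "
                        "procedure, but no /custom-sp= is set")
    return options, findings

# The sample config file content shown in the help message.
SAMPLE = "/severity=critical\n/custom-sp=CWoC_GetAllBulletins\n/vendor=google\n/dryrun\n/debug\n"

if __name__ == "__main__":
    for finding in lint_config(SAMPLE)[1] or ["no findings"]:
        print(finding)
```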

Attachment(s)
zip file
PatchAutomation-v11-8.0.zip   18 KB   1 version
Uploaded - Apr 10, 2020
zip file
PatchExclusion-v11-8.0.zip   12 KB   1 version
Uploaded - Apr 10, 2020
zip file
ZeroDayPatch-8.0b.zip   20 KB   1 version
Uploaded - Apr 10, 2020


Comments

Jul 10, 2017 07:05 AM

I have completed the build for 8.1.

It's currently being released as a download, and should be soon available on (but not yet!):

https://www.symantec.com/connect/downloads/cwoc-patchautomation-and-zerodaypatch-builds-81

PS: I'll update this post once it's available.

PPS: ZeroDayPatch was tested against 8.1 and an update to the /vulnerable switch was also made, to match changes in the Compliance by Bulletin product stored procedure.

Jul 07, 2017 10:37 AM

Hi Mistral,

I'll get a build for 8.1 soon.

Probably we've gotten to a point where some methods have been finally deprecated (after them causing compilation warnings).

And hopefully it won't be any more than that...!

Jun 02, 2017 06:06 AM

Hi Ludovic

Sorry to inform you, that ZeroDayPatch stopped working in 8.1 RU1 (or is it me?)

Processing bulletin MSNS17-05-4023136 (9a43b530-b18b-43cb-af28-2e7a39bbeb81) now.
Error message=Method not found: 'Altiris.Common.GuidCollection Altiris.PatchManagementCore.Policies.SoftwareUpdateAdvertismentSetPolicy.GetNonstagedUpdates(System.Collections.Generic.IList`1<System.Guid>)'.
Inner Exception=
Stacktrace=   at Symantec.CWoC.APIWrappers.PatchAPI.IsStaged(String bulletinGuids)
   at Symantec.CWoC.ZeroDayPatch.RunAutomation(GuidCollection bulletins)

Feb 27, 2017 05:18 AM

Hello there,

Well, if the new model pans out nicely you won't really need Zero Day Patch or any other tools soon ^_^.

After all, creating a software update policy per month is not so painful anymore.

I can't see myself doing anything with regards to this, especially as it only applies to the Applicable use of the tool.

Feb 17, 2017 12:50 PM

With the new cumulative rollup model that MS is using, we're seeing some unexpected behavior with the ZeroDayPatch tool.  It appears to center around the fact that the stored procedure is looking at what's applicable, and getting results like MS17-001, but (thanks to the cumulative rollup model) there isn't an MS17-001 in the PMImport.  Instead there is CR17-001 and SB-001, both of which contain the same updates (as well as others) found in MS17-001.  Any thoughts on how to resolve?

Sep 13, 2016 03:55 AM

Hi Chris,

No, I don't think I could do that right now, or in the near future.

Mind you, I'm finishing off a new tool release to help better manage Unknown Software Component and create Software Products in an automated manner (well, at least without too many point-and-click interactions).

If you really want to manage your patching cycle in a more extensive manner why don't you use the "/retarget" feature that is present in ZeroDayPatch?

With a custom sp to get the list of bulletins to be retargeted (for example based on the day since release or some custom fields of yours) you could get all of this nicely automated.

Sep 06, 2016 08:28 AM

Ludovic,

Thanks for maintaining this excellent tool! Any chance that the patch automation tool could be updated to allow for more than the current 3 cycles (test, validation, production)? I'd like to have more phases so I can control the release of bulletins via targeting rather than through maintenance windows or software update plugin policies.

Thanks again!

-Chris

 

Jul 20, 2016 12:30 PM

Great utility!

Jun 28, 2016 06:43 AM

Hi Ludovic,

Where can I find the install documentation?

Jun 23, 2016 05:43 AM

Hi Ludovic,

Question: Is it possible to run multiple Patch Automation scripts with different configurations regarding the retarget schedules?

Mar 16, 2016 06:06 AM

Works like a charm :)

We are back in business ... thanks a lot!

Mar 16, 2016 05:57 AM

FYI, the problem here is that I changed some code and it doesn't handle the case when nothing is returned.

Fixed that in the uploaded version at the bottom of this thread :D.

Mar 16, 2016 05:56 AM

Yup, you're right.

I corrected that in my SQL, and added a few checks in the code.

Attached is version 11 of ZDP + version 0004 of the schema. Should all work for you now, unless you already have a version 0004 in place (but it shouldn't be the case, right?).

Mar 16, 2016 05:42 AM

Looks like you just forgot the "ELSE 1" when removing the PendingSince

Broken: SUM( CASE WHEN sui.UpdateGuid IS NULL THEN 0 END )

Working: SUM( CASE WHEN sui.UpdateGuid IS NULL THEN 0 ELSE 1 END )
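
Why the missing ELSE matters, as an added example that is not code from the thread or from the tool: a CASE without ELSE yields NULL, and SUM skips NULLs, so the broken expression can never report an installed update. SQLite stands in for SQL Server here (the NULL rules are the same); the table names and sample rows are constructed, and only the alias sui and the column UpdateGuid come from the comment above.

```python
import sqlite3

# Constructed sample data, not the Altiris schema.
SCHEMA = """
CREATE TABLE applicable (Bulletin TEXT, Computer TEXT, UpdateGuid TEXT);
CREATE TABLE installed  (Computer TEXT, UpdateGuid TEXT);
INSERT INTO applicable VALUES
  ('BULLETIN-A', 'pc1', 'u1'),  -- installed on both computers
  ('BULLETIN-A', 'pc2', 'u1'),
  ('BULLETIN-B', 'pc1', 'u2'),  -- pc2 is still missing u2
  ('BULLETIN-B', 'pc2', 'u2');
INSERT INTO installed VALUES ('pc1', 'u1'), ('pc2', 'u1'), ('pc1', 'u2');
"""

# The LEFT JOIN leaves sui.UpdateGuid NULL where the update is not installed.
QUERY = """
SELECT a.Bulletin,
       COUNT(*) AS applicable_count,
       SUM(CASE WHEN sui.UpdateGuid IS NULL THEN 0 {else_branch} END)
           AS installed_count
  FROM applicable a
  LEFT JOIN installed sui
    ON sui.Computer = a.Computer AND sui.UpdateGuid = a.UpdateGuid
 GROUP BY a.Bulletin
 ORDER BY a.Bulletin
"""

def installed_counts(else_branch):
    """Run the aggregate with the given ELSE branch ('' or 'ELSE 1')."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = db.execute(QUERY.format(else_branch=else_branch)).fetchall()
    db.close()
    return rows

if __name__ == "__main__":
    # Broken form: installed rows become NULL, so the sum is NULL or 0.
    print("broken :", installed_counts(""))
    # Working form: every installed row contributes 1.
    print("working:", installed_counts("ELSE 1"))
```

With the broken form a fully patched bulletin comes back with a NULL installed count and a partly patched one with 0, so any comparison against the applicable count is made on the wrong numbers.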

Mar 16, 2016 05:37 AM

The non-existing view in a clean install explains why the timestamps are not updated anymore ^^

Mar 16, 2016 05:35 AM

Thanks Mistral,

I'll go back to my git log to find out what changes happened between version 3 and 4 (somewhat I feel like it must have come from you :D).

I'll revert happily if it proves to work better now :D.

PS: on a fresh 8.0 install the vPMCore_ComputersPendingRebootByPackage view doesn't even exist.

Mar 16, 2016 05:05 AM

arg ... did press submit twice.

 

Just read your first comment.

Damn, i didn't get notified about it and i didn't even see it yesterday (and i checked several times till 3pm).

 

Yes ... i removed the reboot already yesterday and it was fine (see above attachment).

 

Mar 16, 2016 05:03 AM

It became "worse" (285 rows now) :/

What works for me is the 003-Version, after i just removed the PendingSince (i don't care if a reboot is pending anyway - it's patched)

 

Mar 16, 2016 04:47 AM

Hi Mistral,

Can you let me know if the attached SQL returns the correct results for you?

My test server DB is not in a relevant state for this case.

Once we're good with the sp I'll push out a new version of ZDP.

Mar 15, 2016 10:41 AM

Nice troubleshooting Mistral,

I guess the "Vulnerable" stored procedure is quite old as I recommended to my customers long ago to not take the reboot into account (if we can reboot the computer we're safe, if we can't it shows like we're not doing our job when we are).

So, I guess we can remove it from the sp there.

Can you test this out? I'm flat out today!

Mar 15, 2016 03:41 AM

I did analyze what happens with these 15 bulletins.

 

The reason is the PendingSince (ses.PendingSince in your stored procedure) from vPMCore_ComputersPendingRebootByPackage.

The field has dates inside, but they did reboot and all reports tell me the computer has no reboot pending.

 

Seems like something changed in ITMS 8 ... as now you can even see the reboot state of an update in the agent.

Mar 14, 2016 11:53 AM

Here is one example

Report:

Bulletin | Severity | Custom Severity | Release Date | Compliance | Applicable (Count) | Installed (Count) | Not Installed (Count)
MSWU-953 | Unclassified | Not Set | 5/28/2014 12:00:00 AM | 100.00 | 1 | 1 | 0

ZeroDayPatch_GetVulnerableMachines-0003:

_ResourceGuid | Bulletin | Severity | Released | Applicable (Count) | Installed (Count)
6C276C83-C0E2-4C8E-A6ED-3F7F1DF86D33 | MSWU-953 | Unclassified | 2014-05-28 00:00:00.000 | 1 | 0

Run (of course):

Processing bulletin MSWU-953 (6c276c83-c0e2-4c8e-a6ed-3f7f1df86d33) now.
        This bulletin is already staged.
        Checking if we need to create a new policy now.
        A policy already exists for this bulletin.

Mar 14, 2016 11:35 AM

Using ZeroDayPatch-v10-7.6.exe recreated my stored procedure.

But there are still these (15 btw) "vulnerable" Bulletins i am not vulnerable.

Mar 14, 2016 11:30 AM

Thanks for this Ludovic

I tested zerodaypatch and it gave me a list of 16 Bulletins i am vulnerable.

But:

- Patch reports say i am 100% compliant (I am)

- the tool didn't download anything and said all 16 policies do already exist.

 

So i thought maybe my stored procedure is old and deleted it (shouldn't the tool create the stored procedure when it does not exist?)

This is what i get now since the stored procedure is gone (the dry run doesn't make any difference):

Runtime Configuration data:
        Debug = False
        Dry run = True
        Help needed = False
        Patch all vendors = False
        Released after = 1/1/2000 12:00:00 AM
        Released before = 3/14/2016 4:29:42 PM
        Severity = *
        Test run = False
        Vendor name = *
        Custom stored procedure =
        Vulnerable = True

ZeroDayPatch 11 starting.

Unhandled Exception: System.NullReferenceException: Object reference not set to
an instance of an object.
   at Symantec.CWoC.ZeroDayPatch.procedure_installed()
   at Symantec.CWoC.ZeroDayPatch.GetExistingBulletins()
   at Symantec.CWoC.ZeroDayPatch.GetSoftwareBulletins()
   at Symantec.CWoC.ZeroDayPatch.Main(String[] args)

And the window saying "ZeroDayPatch-8.0.exe has stopped working"

 

... kinda lost
