
Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks

Hi All,

We recently upgraded our EPO, DLP and McAfee Agent on the server. The upgrades can be seen below. However, despite no tasks being in place, we have had over 300 machines upgrade their DLP version in the last 10 days out of our 6000+ estate. McAfee support have looked at all the tasks/SQL database/MER results but are not sure what the issue is and are currently looking into it. In the meantime, is there anything I could check?

I used to run a task to install DLP on every machine, and if it was already on then it would say it was already present on the McAfee Agent; however, these tasks were removed. The total number of machines with 9.1 installed keeps creeping up.

Any advice/pointing in the right direction would be much appreciated.

Thanks in advance




Old version / Upgraded to:

McAfee EPO: 4.5.0 build 753 (No patches) / 4.5.5 build 1188 (Patch 5)
DLP Management Console:
McAfee DLP Agent:
McAfee Agent: 4.5.1852 Patch 3
McAfee Agent Module:


Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks

The times I have seen this occur in the past, a task existed where "run at every policy enforcement" was checked on the previous version of the software and the new software was checked into the same branch (current/previous/evaluation).

If a task exists saying to query EPO and pull the software at each policy enforcement, the clients will search the repository for the software to download and run.  If you install the new software into the repository (replacing v3 with v9.1.1) the name of the software is the same in the repository and the client machine will execute the installation task as it's been told to do.

A good test would be to click "enforce policies" on the client machine's agent monitor and see if any tasks execute.  If so, it's likely that the task was set to run at each policy enforcement.  This option is not recommended for deployment tasks as it increases server load, network bandwidth and can cause deployment of upgrades.

Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks

Hi Tonyw

Yes we always had tasks running at every policy enforcement to install DLP. I did also check the DLP into the same Current branch and it was a direct replacement from v3 to 9.1.1.

Most of the tasks were deleted an hour before I did the upgrade, although some individual machines and a few OUs had their client DLP install tasks deleted after the upgrade.

We are still getting a very small number of machines that are upgrading automatically which seems odd, but it could be that they haven't been on the network since then and the task has run.

Interestingly McAfee telephone support said that it was impossible that what was happening could happen, but you say you have seen it before.

I presume if I had put the new DLP into the evaluation branch then it wouldn't have been able to upgrade it (as it was not the current branch)?



Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks


Since the task was set to run at each policy enforcement, the computer checks the current branch (where the task was pointing) for the DATALOSS2000 application.  The machine downloads and executes the files every 5 minutes, or however long you've defined in your policy for policy enforcement.  When you checked in the new software, the machines still hit the current repository and executed their installation as defined by the task they were trying to run.

Installing into the Previous or Evaluation branches would not have run the task as there is no deployment task pointing to those groups.

Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks

McAfee support, including tier 3, were adamant that it COULDN'T happen but I said basically that it was currently happening!

Now the tasks have been deleted on the top-level OUs (although a handful of machines may have a task modified on a single system still), should I see the machines upgrading stop?


Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks

Yes.  It's likely that whatever machines have performed the upgrade are the ones that had the task to run to begin with.  If the policy enforcement is set to 5 minutes, the default, then the agent with the task assignment has already requested the file and executed on the endpoint.  Deleting the task now will just ensure that any machines that come on the network, either through VPN or physically being on the network, should attempt to get the new task assignment (Deleted) and stop trying to upgrade.

Message was edited by: tonyw on 5/3/12 8:56:20 AM CDT
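
A triage sketch for the situation discussed above, added here as an example and not taken from the thread or from McAfee tooling: following the explanation in the replies, it flags systems still on the old DLP version that either keep a system-level install task or have not communicated since the group-level tasks were deleted. The CSV columns, host names and timestamps are constructed for illustration and are not an ePO export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample inventory; column names are hypothetical, not an ePO export.
SYSTEMS_CSV = """name,last_comm,dlp_version,system_level_task
PC-001,2012-04-20 09:15,9.1.1,no
PC-002,2012-04-10 17:40,3.0,no
PC-003,2012-05-01 08:05,3.0,yes
PC-004,2012-05-02 11:30,3.0,no
LAP-005,2012-03-28 16:00,3.0,yes
"""

# Constructed: when the group-level deployment tasks were deleted.
TASK_DELETED_AT = datetime(2012, 4, 18, 14, 0)
NEW_VERSION = "9.1.1"  # version named in the thread


def classify(row, deleted_at=TASK_DELETED_AT, new_version=NEW_VERSION):
    """Return the reason a system may still auto-upgrade, or None."""
    if row["dlp_version"] == new_version:
        return None  # already upgraded, nothing left to trigger
    if row["system_level_task"] == "yes":
        # Task assigned on the single system, so deleting the
        # group-level task did not remove it.
        return "system-level task still assigned"
    last_comm = datetime.strptime(row["last_comm"], "%Y-%m-%d %H:%M")
    if last_comm < deleted_at:
        # The agent has not been back to pick up the deleted assignment.
        return "has not communicated since task deletion"
    return None


def at_risk(csv_text=SYSTEMS_CSV):
    """Map system name -> reason, for systems that may still upgrade."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(row)
        if reason:
            result[row["name"]] = reason
    return result


if __name__ == "__main__":
    for name, reason in at_risk().items():
        print(f"{name}: {reason}")
```
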

Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks

Under Server settings check to make sure Global Updating is not enabled. I had this enabled once and it was pushing out DAT files out of schedule.
