We are not yet ready to install the new 5800 Scan Engine on our systems and I would like to prevent the DAT containing the 5800 engine from being installed on my systems. I have read McAfee KnowledgeBase - How to prevent ePolicy Orchestrator 5.x from automatically updating to the la... but I also wondered if just simply disabling my Client task to install the DAT that day would prevent the engine update. I would then re-enable the DAT update task the next day once the new DAT has been checked into our ePO server. Would this work or would I still get the 5800 engine when installing the DAT released on January 21, 2016?
No, disabling the task one day and turning it back on the next would not prevent the engine update. If you want to preserve the 5700 engine, you'd want to follow the steps in the KB article you referenced above. The engine will be downloaded into ePO, and then clients would pull from ePO. So you'd need to prevent it from getting into ePO in the first place to then prevent it from getting to clients.
I would strongly advise deploying the 5800 engine as soon as feasibly possible as it does bring improved detection capabilities and performance enhancements.
I pushed out the new engine to most of my systems prior to January 20, 2016 and I figured the rest would just get updated with the DAT that was released on that date. When I looked at the ones that hadn't been updated by me they were still showing that the 5700 engine was still installed even though they have been getting the daily DAT updates. I thought that these systems would have updated to scan engine 5800 with the DAT released on January 20, 2016. Did I misunderstand something? We do have the 5800 scan engine checked into the Eval branch but I didn't think that would make a difference as the DAT was supposed to update the engine.
Do those systems have a regularly scheduled update task to pull down new updates for the Engine? If you're scheduling client tasks for doing this activity, it is possible to specify an update task that only updates the DAT file, not the Engine.
What branch are your clients looking for updates from for the Engine? This is an Agent policy; if they're scheduled to, say, look at Previous, and you only have the 5800 engine in Eval, they shouldn't get the Engine.
I understand that the DAT and Engine updates can be separated, but what I read from McAfee is that the actual DAT was supposed to contain the new engine and be updated via DAT rather than through the normal engine updating process. The SNS read as follows...
"On January 20, 2016, VirusScan Enterprise and other Intel Security Enterprise products that use the Anti-Malware Engine will automatically update to the 5800 Engine as part of the daily DAT update. The DAT update on this day will include an additional ~3.5MB of data due to the 5800 Engine binary being included.
If you do not want to automatically update to the 5800 Engine, Intel Security recommends that you make the necessary changes in your configuration before the update occurs."
Please refer to https://kc.mcafee.com/corporate/index?page=content&id=KB66741 and take a look at "Stopping Automatic Updates" near the bottom of the article. This may help to direct you how to prevent 5800 being installed after the Auto Update release date.
Certified McAfee Product Specialist - ePO
McAfee Volunteer Moderator
I read through that section; however, when I contacted McAfee support I was told that if I took the DAT it would upgrade my engine as well. Here is McAfee's response to my case...
"• Explained that the On January 20, 2016, VirusScan Enterprise and other Intel Security Enterprise products that use the Anti-Malware Engine will automatically update to the 5800 Engine as part of the daily DAT update. The DAT update on this day will include an additional ~3.5MB of data due to the 5800 Engine binary being included.
• Even if we skip the DAT on Jan 20th, the next day will update to scan engine 5800 once it receive the next update will automatically update to scan engine 5800."
So which is true? Do I only get the engine update if I have a client task to update my engine or was the DAT supposed to update the engine automatically?
I called in to tech support about this issue and the guy was like "What are you talking about? The DAT and the Engine are separate components and the DAT would never include the engine". The engine needs to be deployed separately from the DAT. It is possible that on Jan 20th, the Engine would get checked in to the Master Repository automatically.
Maybe if the DAT is downloaded directly from McAfee rather than via EPO repositories it would update automatically.
At any rate, I can say for certain that I have taken every DAT since Jan 20, and none of my clients have automatically updated to Engine 5800 as part of taking those DAT updates.
This sounds like the old days when there were "SuperDATs" that contained the engine - and those don't exist anymore. I am not sure what that email was talking about with the DAT including an engine update.
That sounds exactly correct, and matches well with my experience with the 5700 engine release. Clients that are updating directly from McAfee will get the new engine with that specific DAT release, and the new engine will be placed in the Current branch of the repository at that date, but you can still control the release with ePO in various ways.