Was a rollback of the DAT performed?
How many repositories do you have? How are dats copied to each repository?
Also the logs:
McScript.Log and agent_<computername>.log, found in C:\users\All Users\McAfee\Common Framework\DB (or c:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\DB; not 100% sure on this path),
should show which repository was used to update the dat.
Also, ePO has the information on which repository was used. A query should be able to find it.
My suspicion is that you have a repository that is out of date but for some reason the client is downgrading using it. There are normally timestamps used to stop this happening, but I've seen cases where it didn't occur.
I assume this client is ePO managed. Please check whether the McAfee Agent policy for this client is such that the Updates\DAT file downgrades option is checked. If so, then if there is an out of date repository, it might downgrade regularly (whenever that repository is taken by the agent).
I'm not sure if this option otherwise corresponds to the Rollback DATs function in VirusScan console, but I suppose it does not; otherwise, after the first downgrade, you'd be stuck with the old DAT (as rollback DAT is a one-way action, I think).
Indeed. Rollback sets a flag so that the machine will not update again to the "faulty" version of the dat. So it's not Rollback causing it.
Your point about "Allow dats to be downgraded" is what I was trying to make, but not sure I was clear enough in my explanation.
Sorry all, these machines are not being managed by ePO.... They are updating from the McAfee http and ftp sites.
Then please check if they update from V2 enabled sources: a "2" is to be appended to the end of the HTTP or FTP URL. Perhaps one site URL does not have this and although it is available, it has old versions.