12 Replies. Latest reply on Nov 16, 2010 6:47 AM by rrrobbo

    Unexpected patch update possibly from one-click

      Hi all, I am trying to work out why a large number of our PCs updated to VSE patch 4 when I endeavoured to roll a few out. This is what happened

       

      Sunday night. EPO 4.5 latest patch

      Global updating changed to not include VSE 8.7

      Tasks changed to not update VSE 8.7

      Test machines tagged and given a task to update

      Patch moved from Evaluation to Current

      Default update schedule is off and has been off for a long time

       

      Now, we have identified one problem. We have a task that updates that included VSE. This has the 'missed task' set for 10 minutes after boot. We also have a task that runs 5 mins after boot to update policy and task. Many machines kicked in this missed task. On one machine I have looked at, the policy/task update also failed (not sure why yet). So, I can understand this, but what I can't find out is if a 'missed task' gets updated by a task refresh if the detail in that task has changed. If not, it would have been curtains anyway of course and hands-up for bad procedure.

       

      On another PC, the log indicates that it manages to update even before any tasks have run. This is invoked by "Automatic update session for initiator EPOAGENT3000 started",  a repository check and then "Update list doesn't exist or is empty.  Performing one-click update". Now, I have looked into this one-click business and there is a mish-mash of advice about it being invoked here or there, maybe if you use superagents etc, but I can get no definitive answers. Sure, it does it if you update from a PC manually, but this did not happen. We do have a login script command that runs

       

       

      "%PROGRAMFILES%\mcafee\common framework\cmdagent" /C /E /P

       

       

      But I don't get the same effect when I run it manually. However, the machine did get an updated sitelist due to another action that occurred over the weekend and I am wondering if that could trigger it.

       

      Ideas ?
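A way to triage this across many machines, as an added example that is not part of the original thread: it scans agent log lines for the two messages quoted in the post above and reports which initiator started each session that fell through to a one-click update. The `<host> <timestamp> <message>` layout, the host names, the `HYPOTHETICAL_TASK` initiator and the sample lines are constructed assumptions; only the quoted message text comes from the post.

```python
import re
from collections import defaultdict

# Message fragments quoted in the post; the rest of the line layout
# (host prefix, timestamp) is an assumption made for this example.
SESSION_RE = re.compile(r"update session for initiator (\S+) started", re.I)
ONE_CLICK = "Performing one-click update"

# Constructed sample input in the assumed "<host> <timestamp> <message>" layout.
SAMPLE = """\
PC-0001 2010-11-14T22:05:10 Automatic update session for initiator EPOAGENT3000 started
PC-0001 2010-11-14T22:05:12 repository check (constructed filler line)
PC-0001 2010-11-14T22:05:13 Update list doesn't exist or is empty.  Performing one-click update
PC-0002 2010-11-14T22:40:00 Automatic update session for initiator HYPOTHETICAL_TASK started
PC-0002 2010-11-14T22:40:02 update list found (constructed filler line)
PC-0003 2010-11-14T23:01:44 Update list doesn't exist or is empty.  Performing one-click update
"""

def one_click_sessions(lines):
    """Return {host: [(start_ts, initiator, went_one_click), ...]}."""
    sessions = defaultdict(list)
    for raw in lines:
        parts = raw.strip().split(" ", 2)
        if len(parts) < 3:
            continue  # blank or not in the assumed layout
        host, ts, msg = parts
        m = SESSION_RE.search(msg)
        if m:
            sessions[host].append([ts, m.group(1), False])
        elif ONE_CLICK in msg:
            if sessions[host]:
                sessions[host][-1][2] = True  # attribute to the open session
            else:
                # No session start seen (rotated/truncated log): initiator unknown.
                sessions[host].append([ts, None, True])
    return {h: [tuple(s) for s in runs] for h, runs in sessions.items()}

def hosts_by_initiator(sessions):
    """Group hosts that ran a one-click update by the session initiator."""
    out = defaultdict(set)
    for host, runs in sessions.items():
        for _, initiator, one_click in runs:
            if one_click:
                out[initiator].add(host)
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    print(hosts_by_initiator(one_click_sessions(SAMPLE.splitlines())))
```

Hosts grouped under `None` are the ones whose log no longer contains the session start, so the initiator has to be recovered from an older log file.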

        • 1. Re: Unexpected patch update possibly from one-click
          metalhead

          The global update section only configures which new package in the repository TRIGGERS a global update.

          But if a package (like a new DAT) triggers an update, a (not configurable) one-click-update task is launched on the client.

          This will also install your patch if the McAfee Agent's policy is pointed to the current branch to update from.

           

          With McAfee Agent 4.5 patch 1 you get the ability to install patches from other branches. So with this version you can control patch deployment by setting a special McAfee Agent policy to update from the "Evaluation" branch and check the patch package in this branch.

          • 2. Re: Unexpected patch update possibly from one-click

            Thanks Tom, but that does not quite answer my question.

             

            You say

             

            "But if a package (like a new DAT) triggers an update",

             

            but what I really need to be definite on is which packages will trigger the one-click and what is the relevance, if any, of superagents in these scenarios on EPO 4.5 P4.

             

            We have latest patches and originally thought about the usage of the different branches, but we thought it did not quite fit in with our structure and did not want to apply updates to folders en masse. That said, I am currently piloting the use of said procedure having found the ability to run selective reports and do 'Agent, set policy and inheritance' - this allows you to set Agent policy on a number of machines in different folders at the same time, as you probably know.

             

            Thanks again for the first stab though.

            • 3. Re: Unexpected patch update possibly from one-click
              metalhead

              "but what I really need to be definite on  is which packages will trigger the one-click and what is the relevance,  if any, of superagents in these scenarios on EPO 4.5 P4."

               

              Just to clarify - in the Global Updating settings you can specify which new package will trigger the global updating mechanism but NOT what will be updated - it is always a one-click update which will run (updating every available package from the current branch).

               

              You need at least one super agent per ip subnet if you want the global updating to work in this subnet.

              • 4. Re: Unexpected patch update possibly from one-click

                Thanks again

                 

                And if I don't have any superagents at all ? Just repositories ? Should global updating run then ?

                 

                I note that I get that 'one-click' if I force an update from my machine. That is expected. I also understand now what you are saying about the Global Updating - removing VSE from that did me no good at all as we have DATs included and it would have done it anyway, but I am still not convinced on the superagent side. The manual seems to suggest that I need them for this functionality and I don't have them. So, in theory, there should be no global-updating occurring on my systems at all....

                • 5. Re: Unexpected patch update possibly from one-click
                  JoeBidgood

                  rrrobbo wrote:

                   

                  Thanks again

                   

                  And if I don't have any superagents at all ? Just repositories ? Should global updating run then ?

                   

                   

                  Yes, it should. (This functionality existed in ePO 3.6, was broken in ePO 4, but I think has been corrected now.)  If you have global updating enabled but no superagents, then what should happen is that the next time the agents communicate with the server, they will run a one-off update at that point.

                   

                  Just for the record, a "one-click" update is run when any of the following things happen:

                   

                  1) A global update is triggered

                  2) An "update now" or "update security" task is invoked from the agent tray icon

                  3) The default autoupdate task runs (if it has "get other updates" selected)

                  4) A deployment task performs an operation - i.e. it actually installs or uninstalls something, as opposed to just running and not doing anything.

                   

                  HTH -

                   

                  Joe

                  • 6. Re: Unexpected patch update possibly from one-click

                    Excellent. We are getting close to the truth I feel ! Our default auto-update is disabled, but I can concur with the others. That fits. I remain uncomfortable with this though


                    "Yes, it should. (This functionality existed in ePO 3.6, was broken in  ePO 4, but I think has been corrected now.)  If you have global updating  enabled but no superagents, then what should happen is that the next  time the agents communicate with the server, they will run a one-off  update at that point"

                     

                    I think you are right about whether it should work or not as I believe we are seeing global updating here. Of course, I need to look at a few logs I guess. I need to be certain on this. But I don't like the agent communication theory. Mine is set to run every 4 hours and I don't see that many one-click entries in my log. I also don't like it much from the perspective of that actually happening as it would be an 'undocumented feature' and rather dangerous in terms of bandwidth. Do you mean you will only see the 'one-click' if there is actually something set to do ? I don't think that this can be the case as the one-click seems to come before it knows what is there. Or does it recognise that it needs to do a global update and then say 'right, I'm doing one-click............'

                     

                    I am also having trouble finding out if a 'missed task' can be updated by forcing an update from EPO to that task. Say a scheduled missed task is set to run on a PC 60 minutes after boot and you actually disable that task in EPO and push to the client before it runs - does it disable the missed task, or just the scheduled task ? At the moment, my McAfee support rep does not even understand the question. Maybe I need another thread.

                    • 7. Re: Unexpected patch update possibly from one-click
                      JoeBidgood
                      "... as it would be an 'undocumented feature' and rather dangerous in terms of bandwidth."

                       

                      I'm not sure what you mean here - as far as I know it's always been documented? I'm also not sure what you mean by "dangerous in terms of bandwidth" - can you clarify a bit?

                       

                      "Do you mean you will only see the 'one-click' if there is actually something set to do ?"

                      Yes. When a global update is triggered the DB is updated with new information. The next time the agent communicates it sees that the information on the server is later than its own and runs a global update task, which in turn updates its own information to match the server. On the next communication, assuming that another global update has not been triggered, there is nothing new in the DB and so the agent does not run a global update task.

                       

                      "I am also having trouble finding out if a 'missed task' can be updated by forcing an update from EPO to that task. Say a scheduled missed task is set to run on a PC 60 minutes after boot and you actually disable that task in EPO and push to the client before it runs - does it disable the missed task, or just the scheduled task ?"

                       

                      From the test I just did, it disables the entire task - so the missed task does not run.

                       

                      HTH -

                       

                      Joe

                      • 8. Re: Unexpected patch update possibly from one-click

                        I agree on the task - McAfee support have actually just managed to confirm that too. This actually blows one of my theories on why I had 7000 machines update, as I had disabled the VSE update part in that task and have a wake up call to kick in before the missed task.

                         

                        When I am wondering about the agent communication invoking an update, it is simply that. I don't see how such communication can invoke an update to products and don't see that documented. If I did not expect it and I had turned off everything else before checking something into 'current' that should invoke a controlled update, and then an agent communication invoked an update, my network might just get rather flooded. They only talk every 240 mins though.

                         

                        I sense I might be mis-interpreting what you mean.

                         

                        What about a change to the sitelist file and a "cmdagent -c -e -p". Would THAT invoke an update of anything other than policy ?

                        • 9. Re: Unexpected patch update possibly from one-click
                          metalhead

                          In case a global update is "waiting" to be processed, a "cmdagent /P /E /C" would invoke a one-click update.

                           

                          For future deployment I would use the evaluation branch for a controlled deployment of patches. Then your whole problem with global updating simply does not happen.
