5 Replies Latest reply on May 12, 2011 9:01 AM by Grumpy

    Virus scan upgrade via gpo




      I have around 5000 domain win 7 (sp0) machines running VirusScan Enterprise 8.7i patch 3 (vanilla install), which was installed via SCCM. I need to find a way of upgrading to patch 5 with a custom repository location via GPO. I know this is not supported and we should be using epo, but that is still about 3 months off and I'm being told this needs to be done now.

      Attempts so far have met with random results, (in some cases have resulted in machine with no AV installed). Nothing reliable enough to consider rolling out

      Any ideas as to the best way to accomplish this?


      Thanks in Advance.

        • 1. Re: Virus scan upgrade via gpo

          Have you tried using like wininstall or something and record the upgrade? So basically make a recorded MSI of the changes that makes to a machine and try pushing that out via group policy? Just a thought.

          • 2. Re: Virus scan upgrade via gpo

            Thanks for the reply.

            To be honest I have no idea how to go about making a recorded MSI, something I will look into, but I need to sort this quickly.


            I've set up a epo installation on an old pc. and set it up to replicate to a unc share. If I've got this correct all I need to do is change the sitelist.xml file on the clients to point at this share and the software should get updated to patch 5 etc. This would do for the short term.

            Question is What would be the best way of changing the file on the clients. A straight copy doesn't work, Fails with Access denied.


            Any thoughts?



            • 3. Re: Virus scan upgrade via gpo



              I am just curious. Are you or are you not using an EPO to manage those 5000 machines. A GPO can be really trick as you have already found out. I would suggest against doing that. Is there no way that you could deploy epO ?




              • 4. Re: Virus scan upgrade via gpo

                If you have the access protection set to block changes to McAfee files and settings there's probably no way you are going to get the patch installed unless you run it interactively (via users clicking next etc- via SCCM possibly- obviously you'd need to test this) or via ePO as you have found out with the sitelist.


                ePO is a fantastic tool. your company *really* needs to deploy this to manage your clients.




                • 5. Re: Virus scan upgrade via gpo

                  Thanks to everyone for replying,


                  We will be migrating to EPO over the next couple of months, once I've got my head around it. I'm completely new to this so it's a case of making it up as you go along. I won't be rolling EPO out until I've tested it satisfactorily within our environment, there's far to much chance of a high profile screw up posible here.


                  I thought the best approach would be to get all the clients updating from one source. Currently it's a mixture of UNC share and web updates, unc share also has modified client install.


                  So the way I thought I'd tackle this is:

                  • Create unc share via epo
                  • Export sitelist
                  • Import site list to clients via ftminst.exe /siteinfo command run via either a startup or shutdown script


                  I should then be able to customise the client settings and then push this out via the unc share.

                  If this all works, it should buy me some time to set up an epo server properly, get my head round it, and set this all up correctly.


                  As an extra to this, does anyone know of any good resources for epo apart from the McAfee site?