1 2 Previous Next 15 Replies Latest reply on Feb 22, 2012 10:06 AM by diwi

    How do you test new McAfee VirusScan Patches in your ePO-environment?

    diwi

      Hello everybody,

       

      please let me know how you test new McAfee VirusScan Patches in your ePO-environment avoiding that the patch gets installed on every machine!

       

      So far that's what I know how it's suggested to be done...

       

      1) Disable global updating

      2) Disable selective updates in your directory-tasks

      3) Disable local Auto Update tasks

      4) Disable the tray icon for the McAfee Agent

      5) Show minimal menu options

       

      (That's what's suggested in KB57905, though the settings described there are all based on McAfee ePO 3.6.x instead of ePO 4.0.0/4.5.0/4.6.0)

       

      I did a test in my ePO 3.6.1 test-environment. This ePO has McAfee VirusScan 8.7.0 Patch 5 checked-in. The update task settings do not allow the distribution of VirusScan 8.7.0 patches or service packs. An agent was deployed to a Windows XP computer, but unfortunately the patch 5 of VirusScan 8.7.0 was installed as well! Obviously, I cannot prevent this behaviour in ePO 3.6.1 or has someone successfully deployed VirusScan without patches, even if the patches are checked-in into the master repository?

       

      Will this work in ePO 4.5.0 or will it work in ePO 4.6.0 ?

       

      We have a production ePO 4.5.0 Patch 5 server with over 1500 machines (continually growing amount of machines) and I would like to avoid, that the new patch 1 for VirusScan 8.8.0 gets installed on every machine, even though no update task allows the distribution of the patch! What about the 'Update now' button? Does this update a machine with all patches, so that I have to disable the tray icon? In this case, still someone can trigger an update via the command line, right?

       

      McAfee recommends to test new patches on a small number of machines before rolling it out to every machine! Well, so do I recommend this step, but is this only possible with a seperate ePO-server?

       

      I really appreciate any helpful comment.

       

      Regards,

      DiWi

       

      Message was edited by: diwi on 1/10/12 7:38:12 PM CET
        • 1. Re: How do you test new McAfee VirusScan Patches in your ePO-environment?
          masten

          I would recommend that you upgrade to ePO 4.6.x. In this version you could prepare an agent policy "tied" to a tag that requests patch updates for VirusScan from the Evaluation branch. On a high level view you then only have to apply a tag to systems that should download and install the patch.

           

           

          Short step by step preparation guide:

          1.Download and check in the patch in the Evaluation branch (Use the SW DownloadManager in ePO 4.6)

          2.Create a McAfee Agent General policy, on the "Updates" tab select that patches and service packs for VirusScan should use the Evaluation branch

          3.Create a tag; name it for example "PatchTest VirusScan"

          4.Create a Policy Assignment Rule and configure that the policy created in point 2 should be assigned to systems with the tag "PatchTestVirusScan"

          5.Done


           

          As an additional step you could also create a Client Task tied to the "PatchTest VirusScan" tag that immediately runs an Update task. In this way you could send out an agent wakeupcall to trigger the update. In ePO 4.6 you also have the option to run a client task on demand from the ePO console as well which could be used as an alternative (this requires Agent 4.6 if I'm not mistaken).

           

           

          Good Luck

           

          /Magnus

           

          on 1/10/12 9:08:25 PM CET
          • 2. Re: How do you test new McAfee VirusScan Patches in your ePO-environment?
            diwi

            Hello masten,

             

            first of all, thank you very much for your proposal. Well, actually it is not my intention to upgrade to ePO 4.6.x so fast. The evaluation branch is available in ePO 4.5.x as well. Is there no possibility, even if it's manually to limit patch updates to a certain context?

             

            You were talking about a McAfee Agent General policy, is this possible with ePO 4.5.x as well? I must further investigate, what you proposed.

             

            Cu later,

            DiWi

             

            Message was edited by: diwi on 1/11/12 2:15:15 PM CET
            • 3. Re: How do you test new McAfee VirusScan Patches in your ePO-environment?
              masten

              Yes, you could use the same "design" in ePO 4.5, the patch branch download setting is done in the McAfee Agent policy (from agent 4.6 the agent policy is devided into three sub policies.)

              You could also take advantage of tags in ePO 4.5 but you need to create your own "automatic" policy assignment by creating a query listing all systems with the tag and then a server task that assigns a policy based on the query.

               

              /Magnus

              • 4. Re: How do you test new McAfee VirusScan Patches in your ePO-environment?
                diwi

                Hello masten,

                 

                i am already aware of the TAG possibilities and I also use them. If I understand you correctly, I must use the McAfee Agent 4.6.x instead of the McAfee Agent 4.5.x ? We just use McAfee Agent 4.5.0 Patch 3.

                I am already in contact with Gold support about this, they are investigating. I told them that I am unable to check-in the patch into the evaluation branch, the option is grayed-out!

                 

                Later,

                DiWi

                • 5. Re: How do you test new McAfee VirusScan Patches in your ePO-environment?
                  masten

                  Have you turned the main switch under Configuration- Server Settings - Repository packages, set Allow package check-in for any repository branch: Yes

                  • 6. Re: How do you test new McAfee VirusScan Patches in your ePO-environment?
                    diwi

                    Hello masten,

                     

                    no I haven'nt! It's done now and I can continue my tests.

                     

                    Later

                    DiWi

                    • 7. Re: How do you test new McAfee VirusScan Patches in your ePO-environment?
                      diwi

                      Hello again,

                       

                      ok, your proposal in post no.5 did the trick to check-in McAfee VirusScan 8.8.0 Patch 1 into the repository evaluation branch. Just to let you know again, at the moment, we have ePO v4.5.5 Build 1188 running together with McAfee ePO Agent v4.5.0 Build 1852. Is there any way to pick up the Patch 1 from the evaluation branch and put it onto a machine?

                       

                      Regards,

                      DiWi

                      • 8. Re: How do you test new McAfee VirusScan Patches in your ePO-environment?
                        masten

                        In the McAfee Agent policy on the Updates tab, do you have the ability to change the download branch for VirusScan patches? If so create a new agent policy and only assign this policy to your testmachines, either manually or automatically as described above.

                         

                        /Magnus

                        • 9. Re: How do you test new McAfee VirusScan Patches in your ePO-environment?
                          diwi

                          Before I read you last post, I read your post no.3 again and found what you suggested. I suppose that's what I was looking for

                           

                          Many thanks again! Will summarize that again and post it here for everybody.

                           

                          Regards,

                          DiWi

                          1 2 Previous Next