The AVEngine values are correct. Meaning, that is what the product is actually using.
The McShield process writes these values after the service starts and it has successfully loaded the Engine/DATs into memory.
Should the values be old or missing, it's reason for concern.
The other key is maintained by the McAfee Agent, and is accurate inasmuch as it shows what the Agent believes it has done.
Adding to the complexity is what gets reported back to ePO.
Neither of these values are used though AVEngine will be the more accurate.
When full property collection occurs the data reported is obtained from memory - so if the DAT version shown in ePO is old or missing, you probably have an unhealthy client.
Further complicating matters for ePO users, is when an update task runs you'll get an initial event back from the Agent indicating what DAT version the client allegedly updated to - whether or not that update successfully occurred. It's not until a full property collection occurs, usually at your ASCI interval, that you really know what the client node is running. Therefore, you can trust the data if you know a full property collection has occurred.