The times I have seen this occur in the past, a task existed where "run at every policy enfocement" was checked on the previous version of the software and the new software was checked into the same branch (current/previous/evaluation).
If a task exists saying to query EPO and pull the software at each policy enforcement, the clients will search the repository for the software to download and run. If you install the new software into the repository (replacing v3 with v 9.1.1) the name of the software is the same in the repository and the client machine will execute the installation task as it's been told to do.
A good test would be to click "enforce policies" on the client machine's agent monitor and see if any tasks execute. If so, it's likely that the task was set to run at each policy enforcement. This option is not recommended for deployment tasks as it increases server load, network bandwidth and can cause deployment of upgrades.
Yes we always had tasks running at every policy enforcement to install DLP. I did also check the DLP into the same Current branch and it was a direct replacement from v3 to 9.1.1.
Most of the tasks were deleted an hour before i did the upgrade, although some individual machines and a few OU's had their client dlp install tasks delete after the upgrade.
We are still getting a very small number of machines that are upgrading automatically which seems odd, but it could be that they haven't been on the network since then and the task has run.
Interestingly McAfee telephone support said that it was impossible that what was happening could happen, but you say you have seen it before.
I presume if i had put the new DLP into the evaluation branch then it wouldn't have been able to upgrade it (as it was not the current branch) ?
Since the task was set to run at each policy enforcement, the computer checks the current branch (where the task was pointing) for the DATALOSS2000 application. The machine downloads and executes the files every 5 minutes, or however long you've defined in your policy for policy enforcement. When you checked in the new software, the machines still hit the current repository and executed their installation as defined by the task they were trying to run.
Installing into the Previous or Evaluation branches would not have run the task as there is no deployment task pointing to those groups.
Mcafee support including tier 3 were adamant that it COULDN'T happen but i said basically that it was currently happening!
Now the tasks have been deleted on the top level OU's (although a handful of machines may have a task modified on a single system still) should i see the machines upgrading stop?
Yes. It's likely that whatever machines have performed the upgrade are the ones that had the task to run to begin with. If the policy enforcement is set to 5 minutes, the default, then the agent with the task assignment has already requested the file and executed on the endpoint. Deleting the task now will just ensure that any machines that come on the network either thru vpn or physically being on the network should attempt to get the new task assignment (Deleted) and stop trying to upgrade.
Under Server settings check to make sure Global Updating is not enabled. I had this enabled once and it was pushing out DAT files out of schedule.