6 Replies Latest reply on May 3, 2012 2:24 PM by JoeyMc

    Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks

      Hi All,

       

      We recently upgraded our EPO, DLP and McAfee Agent on the server. The upgrades can be seen below. However, despite no tasks being in place, we have had over 300 machines upgrade their DLP version in the last 10 days out of our 6000+ estate. McAfee support have looked at all the tasks/SQL database/MER results but are not sure what the issue is and are currently looking into it. In the meantime, is there anything I could check?

       

      I used to run a task to install DLP on every machine, and if it was already on then it would say it was already present on the McAfee Agent; however, these tasks were removed. The total number of machines with 9.1 installed keeps creeping up.

       

      Any advice/pointing in the right direction would be much appreciated.


      Thanks in advance

       

      GM

       


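      | Software               | Old version                  | Upgraded to                |
      |------------------------|------------------------------|----------------------------|
      | McAfee EPO             | 4.5.0 build 753 (No patches) | 4.5.5 build 1188 (Patch 5) |
      | DLP Management Console | 3.0.0.711                    | 9.1.100.7                  |
      | McAfee DLP Agent       | 3.0.0.708                    | 9.1.100.1                  |
      | McAfee Agent           | 4.5.0.1270                   | 4.5.1852 Patch 3           |
      | McAfee Agent Module    | 4.5.0.171                    | 4.5.0.196                  |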

       
        • 1. Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks
          tonyw

          The times I have seen this occur in the past, a task existed where "run at every policy enforcement" was checked on the previous version of the software and the new software was checked into the same branch (current/previous/evaluation).

           

          If a task exists saying to query EPO and pull the software at each policy enforcement, the clients will search the repository for the software to download and run.  If you install the new software into the repository (replacing v3 with v 9.1.1) the name of the software is the same in the repository and the client machine will execute the installation task as it's been told to do. 

           

          A good test would be to click "enforce policies" on the client machine's agent monitor and see if any tasks execute.  If so, it's likely that the task was set to run at each policy enforcement.  This option is not recommended for deployment tasks as it increases server load, network bandwidth and can cause deployment of upgrades.

          • 2. Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks

            Hi Tonyw

             

            Yes we always had tasks running at every policy enforcement to install DLP. I did also check the DLP into the same Current branch and it was a direct replacement from v3 to 9.1.1.

             

            Most of the tasks were deleted an hour before I did the upgrade, although some individual machines and a few OUs had their client DLP install tasks deleted after the upgrade.

             

            We are still getting a very small number of machines that are upgrading automatically which seems odd, but it could be that they haven't been on the network since then and the task has run.

             

            Interestingly McAfee telephone support said that it was impossible that what was happening could happen, but you say you have seen it before.

             

            I presume if I had put the new DLP into the evaluation branch then it wouldn't have been able to upgrade it (as it was not the current branch)?

             

            Thanks

            • 3. Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks
              tonyw

              Correct. 

               

              Since the task was set to run at each policy enforcement, the computer checks the current branch (where the task was pointing) for the DATALOSS2000 application.  The machine downloads and executes the files every 5 minutes, or however long you've defined in your policy for policy enforcement.  When you checked in the new software, the machines still hit the current repository and executed their installation as defined by the task they were trying to run.

               

              Installing into the Previous or Evaluation branches would not have run the task as there is no deployment task pointing to those groups.

              • 4. Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks

                McAfee support, including tier 3, were adamant that it COULDN'T happen, but I said basically that it was currently happening!

                 

                Now the tasks have been deleted on the top level OUs (although a handful of machines may have a task modified on a single system still), should I see the machines stop upgrading?

                • 5. Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks
                  tonyw

                  Yes.  It's likely that whatever machines have performed the upgrade are the ones that had the task to run to begin with.  If the policy enforcement is set to 5 minutes, the default, then the agent with the task assignment has already requested the file and executed on the endpoint.  Deleting the task now will just ensure that any machines that come on the network, either through VPN or physically being on the network, should attempt to get the new task assignment (Deleted) and stop trying to upgrade.

                   

                  Message was edited by: tonyw on 5/3/12 8:56:20 AM CDT
                  • 6. Re: Upgraded DLP 3.0 to 9.1 - Auto upgrading DLP without tasks
                    JoeyMc

                    Under Server settings check to make sure Global Updating is not enabled. I had this enabled once and it was pushing out DAT files out of schedule.