8 Replies Latest reply on Oct 2, 2014 11:41 AM by dean.salter

    Which VSE version to choose for upgrade?

    dean.salter

      Scenario: A corporate server VSE upgrade project.

       

      The project is being driven by the 5600 Engine EOL and 5700 release (which for VSE 8.7 Patch 5 now requires a hotfix and a reboot for the 5700 engine, as of the Aug 27 2014 SNS announcement) and then by the ePO 4 EOL at the end of 2015 (ePO 5 does not support VSE 8.7).

       

      McAfee has released VSE 8.8 Patch 4 which is compatible with all Windows OSes. The question though is whether it is stable enough for a corporate environment of many (1000+) servers.

       

      The Known Issues document for Patch 4 includes 2 issues that appear to be quite risky for corporate server environments:

       

       

      954838KB81529Issue: A bugcheck 50 can occur randomly when files are being scanned. So far, this has been reported only on server-class systems.
      Workaround: Refer to the related article for details.

       

       

      928622KB81595

      Issue: The W3WP.exe process on web servers may exhibit high CPU, and Dropbox exhibits performance symptoms after installing VSE 8.8 Patch 4.
      Resolution: This issue will be resolved in VSE 8.8 Patch 5, which is not currently available. This article will be updated when the patch is Released To World (RTW). The patch is planned to be released in mid- to late fourth quarter.
      Workaround: Use the McAfee Profiler to identify which files are being accessed, and any (.config) file(s) should be excluded.

       

      The first issue is the most troublesome.

       

      I was told by McAfee that they would not create a hotfix for the first issue but would address it in VSE 8.8 Patch 5. Patch 5 will not likely be ready/proven stable in time for the upgrade project.

       

      Has this issue been a problem for any of you? If so what have you done about it?

       

      The second issue was a workaround of essentially reducing the security level through making some IIS components/processes Low-Risk (i.e. don't scan them or the files they touch). Not happy about that but it seems to be the only choice to keep IIS-based web servers stable.

       

      Trying to get a consensus of the stability/risk involved with using VSE 8.8 Patch 4 in a corporate server environment. Please comment with your experiences/ideas. I am sure it would be beneficial to all.

       

      How about VSE 8.8 Patch 2 with all published hotfixes? Would that be a better choice for a corporate server environment?

        • 1. Re: Which VSE version to choose for upgrade?
          willsonlebig

          Hello dean.salter,

          As far as I am concerned, I have deployed McAfee VSE 8.8 Patch 4 managed by EPO for many companies.

          Until now, these companies are not confronted with those issues.

           

          I recommand you to test VSE 8.8 Patch 4 on 5 or 10 computers during a week or 30 days.

          The result of the test will help you to take a right decision.

          • 2. Re: Which VSE version to choose for upgrade?
            dean.salter

            Thanks for your response.

             

            Were those systems servers or workstations?

             

            The more serious known issues only apply to servers and that is what I am concerned about.

            • 3. Re: Which VSE version to choose for upgrade?
              fitchsoccer342

              dean.salter wrote:

               

              Thanks for your response.

               

              Were those systems servers or workstations?

               

              The more serious known issues only apply to servers and that is what I am concerned about.

              The w3wp issue noted above will only affect servers running IIS as it is associated with the application pool within IIS. We are running patch 4 on 500+ servers, and have created a seperate policy for our web servers with exclusions for this.. its a simple workaround.

              • 4. Re: Which VSE version to choose for upgrade?
                dean.salter

                Thanks for that info. I had read posts on the workaround for that one (w3wp). I figure we can handle ours in the same way.

                 

                The issue that concerns me most is the random BSOD. Imagine the impact this would have on business when key servers crash due to this bug. The response would have to be downgrading VSE to either Patch 2 or Patch 3. If this were to happen too frequently it would call into question why Patch 4 was chosen in the first place, as well as a likely downgrade of all servers until McAfee resolved the issue. Because it can take months to get all of the business approvals and change windows to do the upgrade across so many servers, it is necessary that it be done correctly the first time (i.e. best version of VSE).

                 

                It is encouraging to know that you are running Patch 4 on 500+ servers. Are they varied in server OS (2003, 2008, 2008 R2, 2012)? Are any of them Citrix XenApp servers? Do some of those servers handle a lot of traffic on a regular basis, either from large numbers of simultaneous users or through interactions with other servers?

                 

                Have you ever had the random BSOD and if so, how often? What did you do to remediate it? Were you aware of the issue before deploying to your 500+ servers and if so how did you decide that it was an acceptable risk?

                 

                I have also been reading about installation issues for Patch 4, where Patch 4 will not install. The posts refer to certificate issues but there is not a simple permanent fix. Did you run into that issue?

                 

                Did you do a clean uninstall of the previous version followed by the Patch 4 install? Or were you able to install it on top of the previous version? Which version did you use previously?

                 

                Sorry for the number of questions but I do appreciate your responses.

                • 5. Re: Which VSE version to choose for upgrade?
                  fitchsoccer342

                  No problem. We obviously did not roll it to all servers at once, just gradually in different nodes of the system tree.

                   

                  Yes, we have a mix of 03/08/r2 and only a handfull of 2012. We do have Citrix servers running patch 4 as well; however for our Citrix VDI's we are leveraging McAfee's MOVE which does not utilize VSE on the virtual clients, which we are running v3.0 agentless.

                   

                  No BSOD issues so far thankfully.

                   

                  VSE deployment has been pretty stable through the client task, we've run into issues with our exchange servers and DC's during install and had to do some manually, and create seperate exclusions for them, but it worked out.

                   

                  I'd say about 97% of the patch 4 installs were done via client task without removing the old version first; we were running patch 2 prior.

                  • 6. Re: Which VSE version to choose for upgrade?
                    dean.salter

                    That's encouraging! Thanks for that. Was VSE 8.8 Patch 2 working well for you? There has been a known issue with On Demand Scans taking way too much memory that prevented us from going to that version. Again, can't afford unnecessary outages.

                     

                    How has MOVE been working out for you? It sure looks promising!

                    • 7. Re: Re: Which VSE version to choose for upgrade?
                      fitchsoccer342

                      The whole thing about on demand scans is creating the necessary exceptions; and while i agree that excluding things defeats the purpose, it is necessary, espcially on exchanges, DCs, and DB servers. Patch 2 worked great but with any scanning you always need exceptions to cut down on time/consumption.

                       

                      MOVE is working great; we did initially run into a lot of issues that were fixed by exclusions, and I wouldn definitely reccommend using these first:

                      http://blogs.citrix.com/2013/09/22/citrix-consolidated-list-of-antivirus-exclusi ons/

                       

                      Otherwise its pretty cool leveraging the SVA and having it do the scanning rather than having a agent on the VDI itself.

                      • 8. Re: Re: Which VSE version to choose for upgrade?
                        dean.salter

                        Nice! Thanks for your good comments and advice.

                         

                        Hoping to hear from a few others through this post as corroboration or contrary on VSE 8.8 Patch 4. Really appreciate your help!