Updating McAfee, Part 3
Novell Cool Solutions: Tip
By Mark Whitney
Posted: 22 Jun 2000
Mark Whitney sent this nicely detailed solution to the persistent problem of how to best update the DAT files for McAfee VirusScan for NT. This is the third solution to this problem that we've received so far, and it shows once again that there are many ways to skin this particular cat. So far, what we've published includes:
- Updating McAfee for NT users (creating a bat file)
- Updating McAfee, Part 2 (scheduling an update as a policy event)
- This one: Updating McAfee, Part 3 (using the Automatic Update feature of VirusScan)
I recently read the tip on how to configure a batch file to run using ZEN, that would allow updating of DAT files for McAfee VirusScan NT. This was a good approach but had the drawbacks of running a batch file on each workstation and the administrator having to unzip the DAT files after they are downloaded. My approach takes advantage of the Automatic Update feature available with version 4.x of VirusScan.
First you need to understand the access levels used by VirusScan when it does an auto update. If the task is manually started by the user from the McAfee console, the service uses the user level access rights. If the task is initiated by the McAfee scheduler it uses the workstation's system level access.
The latter is what we desire because the workstation has the necessary rights to stop/start services and to update the registry. In the environment where I work the users are restricted from doing these two things. So here is the solution I came up with.
- First VirusScan must be configured to use a SYSTEM account, not a CUSTOM account. This allows it to use the workstation rights on the Novell servers.
- Next create a directory on a server for holding the DAT-xxxx.zip file that you download from McAfee.
- Once the directory is created, grant your workstation objects read and file scan rights to the directory. In my environment I have set up the workstation import policy to automatically add new workstations to a ZEN workstation group and this group has rights to the directory.
- Now you need to configure VirusScan to "Copy from a local network computer" and specify the server\volume\directory that you created above.
- Now enable the scheduler and set it to run at startup. I did all of this on 900 workstations overnight by creating a ZEN package that made the necessary registry changes. All of the registry keys that are updated are in HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\Tasks\Update. Make the needed changes on one workstation and then use regedit to export this key and import it into a ZEN application object for distribution.
- Now all the administrator has to do is download the ZIP file and place it, unopened, in the directory.
Important: The name must be exactly the same as what was downloaded. Each time a workstation starts, the McAfee services will compare the ZIP file name with the name stored in their registry. If the one on the server is newer than the one in the registry, VirusScan will download the file to a local directory, stop the services, unzip the new DAT files, restart the services, and update the registry. All of this happens in the background and the users never see anything happening. In fact the users cannot even see the directory where the ZIP file is stored, but the workstations can.
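The file-name comparison described above fails silently if the archive is renamed or damaged on the way to the share, leaving workstations on old signatures. The following is an added example, not part of the original tip and not McAfee's code: a check an administrator could run against the distribution directory. It assumes that "xxxx" in DAT-xxxx.zip is a four-digit number and that "newer" means a higher number; the function names are hypothetical.

```python
import re
import zipfile
from pathlib import Path

# Assumption: "DAT-xxxx.zip" carries a four-digit DAT version number.
DAT_NAME = re.compile(r"DAT-(\d{4})\.zip")


def dat_version(name):
    """Return the version from an exactly-named DAT archive, else None."""
    match = DAT_NAME.fullmatch(name)
    return int(match.group(1)) if match else None


def check_share(share_dir, installed_name):
    """Audit the distribution directory against one workstation's recorded name.

    Returns a dict with 'offered' (newest valid archive name or None),
    'update' (True if that name is newer than the recorded one) and
    'problems' (findings the administrator should fix).
    """
    problems = []
    valid = {}
    for entry in sorted(Path(share_dir).iterdir()):
        if not entry.is_file():
            continue
        version = dat_version(entry.name)
        if version is None:
            # Renamed copies such as "DAT-4085 (1).zip" never match the name check.
            problems.append(f"{entry.name}: not the original DAT-xxxx.zip name")
        elif not zipfile.is_zipfile(entry):
            # A truncated or unpacked-and-replaced file would fail on the workstation.
            problems.append(f"{entry.name}: not a readable ZIP archive")
        else:
            valid[version] = entry.name
    if len(valid) > 1:
        problems.append("more than one DAT archive present")
    installed = dat_version(installed_name)
    if installed is None:
        problems.append(f"{installed_name}: recorded name is not DAT-xxxx.zip")
    newest = max(valid) if valid else None
    update = newest is not None and installed is not None and newest > installed
    return {"offered": valid.get(newest), "update": update, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: pass the share path and the name a workstation recorded.
    print(check_share(".", "DAT-4081.zip"))
```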
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com