How to prevent ePolicy Orchestrator 5.x from automatically updating to the latest posted Engine
Technical Articles ID:   KB77901
Last Modified:  9/27/2018

Environment

McAfee Agent (MA) 5.x, 4.x
McAfee Anti-Virus Scanning Engine 5.x.xx
McAfee ePolicy Orchestrator (ePO) 5.x

Summary

Anti-Virus Scanning Engine updates are first released as elective downloads that require manual installation. After review of the elective download, the latest Engine is moved to the AutoUpdate sites. Sometimes, you might not want to update all computers in your environment to the most current Engine. For example, you might want to carry out preliminary testing on a test network or perform a limited deployment.

This article explains how to configure ePO 5.x so it does not update automatically to the latest posted Engine.

Solution

IMPORTANT:
  • The following process is divided into functional sections. Perform each section in the order it is presented.
  • Before beginning the following process, you must temporarily disable Global Updating in ePO.

    Global Updating deploys the Engine in one movement and cannot be stopped. See your ePolicy Orchestrator Product Guide for more information about Global Updating and prematurely deploying products and updates.

    For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.

Disable all Global Updating
  1. Log on to the ePO 5.x server.
  2. Click Menu, Configuration, Server Settings.
  3. From the Setting Categories section, click Global Updating.
  4. At the lower right of the page, click Edit.
  5. In the Status section, select Disabled.
  6. Click Save.
     
    When viewing Global Updating after these steps are followed, you see a Disabled status.

Handle the existing and new Engine versions
Several options are available based on controlling how a Pull task from the update site to the Master Repository works, and how the agent policy and agent update task can be configured. This article assumes that 5900 is the old Engine currently in use, and that 6000 is the new Engine that will be prevented from auto-updating.

Option 1

Move or check in the 5900 Engine to the Evaluation branch of the Master Repository, then pull or check in the 6000 Engine, current DAT files, and all other packages to the Current branch of the Master Repository.

This does not require any change to the existing repository pull task. However, all clients that you want to retain at the 5900 Engine must have their ePO Agent Configuration policy changed to use the Evaluation branch for Engine updates.
 
To change the client policy:

  1. Log on to the ePO 5.x console.
  2. Click Policy Catalog.
  3. From the Product drop-down list, select McAfee Agent.
  4. Click the Updates tab in the General policy you want to change for the McAfee Agent.

    NOTE: Policies for the agent are stored by category. The Update setting is found under the General category for the McAfee Agent policy.
     
  5. In the Repository Branch to use for each update type, change the drop-down option for the Engine from Current to Evaluation for each entry type.

    The following Engine types are available. Choose the appropriate Engine for your products:
    • Engine (Windows)
    • Linux Engine (Linux)
    • Mac Engine (OS X)  
       
  6. Click Save. The policy change will propagate out during normal agent-to-server communication and local policy enforcement. 

    NOTES:
    • You have to make this change on all agent policies being used to prevent the new Engine from being pushed to clients. Any agent using a policy that is not modified will get the newer Engine deployed during an update.
    • You can use Policy Assignment queries to determine that the policy changes have been correctly applied to the clients.

Option 2

Pull all daily DAT files and the 6000 Engine into the Evaluation branch and leave the 5900 Engine in the Current branch of the Master Repository. Change the Branch option of the Repository Pull task from Current to Evaluation, and then save the change. Move the new DAT file from Evaluation to Current daily.

This does not require any further change on the clients that you want to keep running the 5900 Engine, provided you do one of the following:

  • Manually copy or move the daily DAT file back into the Current branch from the Evaluation branch of the repository through the ePO console.
  • Manually download and check in the ePO-deployable DAT package into the Current branch of the repository.

You can find the daily ePO-deployable DAT package at: http://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx?region=us. Under Security Updates - DATS, select DAT Package For Use With McAfee ePO. The file name is avvepo####dat.zip, where #### is the current DAT version. Example: avvepo8337dat.zip 

NOTE: A pull task updates more than just the DAT files and Engines in the repository. For example, spam definitions and SCP content are also pulled. Other products that require this extra content will expect it to be in the Current branch of the repository, and updates for those products might fail if it is not there. Because of this, Option 1 is recommended because it has less of an impact on other currently deployed products.

ePO 5.x has a scheduler server task type called Change The Branch For A Package. You can use this task to automate the daily movement of DAT files from the Evaluation to the Current branch of the Master Repository. 



Modify the selective updating entry of the agents and remove or disable the McAfee Fallback repositories
Fallback repositories contain the latest Engine and DAT files.

To use selective updating to remove the Engine from the selected items in the update list:
  1. Log on to the ePO 5.x console. 
  2. Click System Tree.
  3. Ensure that My Organization is selected and click the Assigned Client Tasks tab. 
  4. Select the task where TaskType = Product Update.   
  5. Under the Package types, deselect Engine and click Save.

    The following Engine types are available. Choose the appropriate Engine for your products:
    • Engine (Windows)
    • Linux Engine (Linux)
    • Mac Engine (OS X)
       
  6. Repeat this procedure for each of the product update tasks configured.
NOTES:
  • Because this is a task change, it is applied on the next agent-to-server communication and policy enforcement. So, this change must be made before the repository is updated with the latest files and a client agent update task runs. If the agent update task runs before the policy is received by the client, the Engine will be applied regardless of the setting.
  • If the agent update fails over to the external Fallback repository (McAfeeFtp or McAfeeHttp), the 6000 Engine is updated on the client regardless of the method used in the ePO Agent Configuration policy. To avoid this, disable the appropriate Fallback site from the updates list.
  • The repository list used by the client is configured in the ePO Agent Configuration policy.
  • You might prefer to edit the parent objects in the ePO 5.x Task Catalog rather than editing tasks at the branch level in the System Tree. Changes to the Task Catalog entries automatically propagate down to the System Tree where they have been assigned.

Disable the McAfee Fallback repositories
  1. Log on to the ePO 5.x console. 
  2. Click Policy Catalog.
  3. From the Product drop-down list, select McAfee Agent.
  4. Select the policy you want to change where the category = Repository.
  5. Find the repository listed as Fallback (either McAfeeFtp or McAfeeHttp) in the Repository list and click Disable.
  6. Click Save.
  7. Repeat this procedure for all unique agent policies.
NOTES: 
  • An agent must have at least one valid repository. Be careful when you use the Exclude new distributed repositories by default option. Currently this option also marks existing repositories as disabled when the content has been edited. This can result in agents being assigned by default to the Master Repository.  
  • Because this is a policy change, it is applied on the next agent-to-server communication and policy enforcement. So, this change must be made before the repository is updated with the latest files and a client agent update task runs. If the agent update task runs before the policy is received by the client, the Engine is applied if the agent falls back to the website for updates.

Take action if MA 5.0.x peer-to-peer servers will serve the new Engine on your network
When an MA 5.0.x agent requires content updates with peer-to-peer enabled, it attempts to discover peer-to-peer servers with the content update in its broadcast domain. When agents that are configured as peer-to-peer servers receive the request, they check whether they have the requested content and respond to the agent that made the request. The requesting agent then downloads the content from the peer-to-peer server that responded first.

If an agent that is configured as a peer-to-peer server is also hosting the 6000 Engine, it might serve the 6000 Engine to any agents also configured to use peer-to-peer.

NOTE: The peer-to-peer service is enabled by default with MA 5.0.x. If you believe that this might serve the new Engine on your network and you do not want this to happen, you must either disable peer-to-peer or ensure that no peer-to-peer servers have a copy of the 6000 Engine.

To disable peer-to-peer services for a system:
  1. Log on to the ePO 5.x console.
  2. Click Menu, Systems, System Tree, Systems.
  3. Select a group under System Tree. All systems within this group appear in the details pane.
  4. Select a system, then click Actions, Agent, Modify Policies on a Single System.
  5. From the Product drop-down list, select McAfee Agent. The policy categories under McAfee Agent are listed with the system's assigned policy.
  6. If the policy is inherited, select Break inheritance and assign the policy and settings below.
  7. From the Assigned policy drop-down list, select a General policy. From this location, you can edit the selected policy or create a policy.
  8. Select whether to lock policy inheritance to prevent any systems that inherit this policy from having another one assigned in its place.
  9. On the Peer-to-Peer tab, select these options as appropriate:
    • Deselect Enable Peer-to-Peer Communication to stop the McAfee Agent from discovering and using peer-to-peer servers in the network.
    • Deselect Enable Peer-to-Peer Serving to stop the McAfee Agent from serving content to peer agents.
  10. Click Save.
  11. Perform an agent wake-up call.
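
The paths this article closes (Global Updating, repository branch and selective updating, Fallback repositories, peer-to-peer) can be checked together per system. The following is an added example, not McAfee code: the inventory field names, host names and subnets are constructed assumptions that you would fill in by hand from what the ePO console shows.

```python
NEW_ENGINE = 6000  # the article's example of the Engine being held back

def exposure_paths(agent, branches, fleet):
    """Reasons a held-back agent could still receive NEW_ENGINE."""
    reasons = []
    # Path 1: update task still includes Engine and the policy's branch holds it.
    if agent["task_includes_engine"] and branches[agent["engine_branch"]] == NEW_ENGINE:
        reasons.append("branch")
    # Path 2: failover to McAfeeFtp/McAfeeHttp ignores the branch policy.
    # Flagged whenever the Fallback site is enabled (conservative assumption).
    if agent["fallback_enabled"]:
        reasons.append("fallback")
    # Path 3: a peer-to-peer server in the same broadcast domain has the new
    # Engine. "installed_engine" stands in for "hosts the content" (assumption).
    if agent["p2p_client"] and any(
            p is not agent and p["p2p_serving"] and p["subnet"] == agent["subnet"]
            and p["installed_engine"] == NEW_ENGINE for p in fleet):
        reasons.append("p2p")
    return reasons

def audit(global_updating, branches, fleet):
    """Map each held-back system (or the server) to its open exposure paths."""
    findings = {}
    if global_updating:  # must be Disabled before anything else
        findings["<server>"] = ["global-updating"]
    for a in fleet:
        reasons = exposure_paths(a, branches, fleet) if a["hold_back"] else []
        if reasons:
            findings[a["name"]] = reasons
    return findings

# Constructed inventory (hypothetical field names), Option 1 branch layout.
BRANCHES = {"Current": 6000, "Evaluation": 5900}
FIELDS = ("name", "hold_back", "engine_branch", "task_includes_engine",
          "fallback_enabled", "p2p_client", "p2p_serving", "subnet",
          "installed_engine")
FLEET = [dict(zip(FIELDS, row)) for row in [
    ("test01", False, "Current", True, True, True, True, "10.0.1.0/24", 6000),
    ("fin01", True, "Evaluation", True, False, True, False, "10.0.1.0/24", 5900),
    ("fin02", True, "Current", True, True, False, False, "10.0.2.0/24", 5900),
    ("fin03", True, "Evaluation", False, False, False, False, "10.0.2.0/24", 5900),
]]

if __name__ == "__main__":
    for name, reasons in audit(False, BRANCHES, FLEET).items():
        print(f"{name}: {', '.join(reasons)}")
```

In the sample, fin01 has the correct branch policy but shares a broadcast domain with a test system that serves the new Engine over peer-to-peer, and fin02 is on an unmodified agent policy with the Fallback site still enabled.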
