SEP agent upgrade can be a real pain, mainly because of the double reboot requirement. In production you can do it only during the maintenance windows, meaning at night. Scripting is your best friend in this case, unless off course you are a night person 🙂
My environment is a mix of Windows 2003 and 2008, therefore VBScript is still the best choice to ensure interoperability. Script is needed to uninstall existing SEP11 version. Reboots and installation of the new version can be executed with no script, just usual Windows tools. All you need to do is copy required files and run these commands in the command line:
at 03:00 C:\Software\sep11uninstall.vbs
at 03:15 shutdown.exe -r -f -c "Planned restart to complete SEP11 uninstall" -t 10
at 03:35 C:\Software\setup.exe
at 03:50 shutdown.exe -r -f -c "Planned restart after SEP12 is installed" -t 10
Continuing the global fight against Symantec Endpoint Protection 🙂 here is a possible way to ensure that old virus definitions are not staying on the C drive.
First of all we need to temporarily turn the Tamper Protection off for the whole environment. It can be done from the SEP Manager console for a particular group. Go to Clients view, on the left hand side you will see a list of groups. Select your target group and then on the right hand side select Policies tab:
There is a well known issue with Symantec Endpoint Protection clients – they are not able to delete old definitions. This is a really big trouble as the C drive is getting full all the time.
Unfortunatelly I still haven’t developed a relyable way for dealing with this in an automated way [Tamper protection is the main reason] and as you may imagine, when the number of servers is high, Administrator is always busy 🙂
As a temporary reactive solution I was using SEP Manager notifications showing Out-Of-Date Clients. In 80% of cases out-of-date means C drive is full. But I’ve decided that I need something more intelligent, some additional indication that could show which servers are suffering from the old SEP definitions. SCCM reporting will be described bellow.
So, affected servers would have more then one definition. Here is an example of what you may see: