Prevent ePolicy Orchestrator from automatically updating to the latest Scan Engine
Last Modified: 2023-12-14 13:15:30 Etc/GMT
Environment
ePolicy Orchestrator (ePO) 5.x
Summary
This article explains how to configure ePO 5.x so it doesn't update automatically to the latest posted Engine.
- The following process is divided into functional sections. Perform each section in the order it's presented.
- Before beginning the following process, you must temporarily disable Global Updating in ePO.
Global Updating deploys the Engine in one movement and can't be stopped. For more information about Global Updating and prematurely deploying products and updates, see the ePolicy Orchestrator Product Guide for your version.
For product documents, go to the Product Documentation portal.
Disable all Global Updating
- Log on to the ePO 5.x server.
- Click Menu, Configuration, Server Settings.
- From the Setting Categories section, click Global Updating.
- In the lower-right corner of the page, click Edit.
- In the Status section, select Disabled.
- Click Save.
Several options are available based on controlling the following:
- How a pull task from the update site to the Master Repository works
- How the agent policy and agent update task can be configured
- 6600 is the Engine currently in use.
- 6700 is the new Engine where you want to prevent auto-updating.
Option 1
- Move or check in the 6600 Engine to the Evaluation branch of the Master Repository.
- Pull or check in the 6700 Engine, current DAT files, and all other packages to the Current branch of the Master Repository.
The above approach doesn't require any change to the existing repository pull task. But, all clients that you want to retain at the 6600 Engine must have their ePO Agent Configuration policy changed to use the Evaluation branch for Engine updates.
To change the client policy, perform the steps below:
- Log on to the ePO 5.x console.
- Click Policy Catalog.
- From the Product drop-down list, select Trellix Agent.
- Click the Updates tab in the General policy that you want to change for TA.
NOTE: Policies for the agent are stored via a category. The Update setting is found under the General category for the TA policy.
- In the Repository Branch to use for each update type, change the option for the Engine, from Current to Evaluation.
The following Engine types are available. Choose the appropriate Engine for your products:
- Engine (Windows)
- Linux Engine (Linux)
- Mac Engine (macOS)
- Click Save. The policy change propagates out during normal agent-to-server communication and local policy enforcement.
NOTES:
- You must change all agent policies being used to prevent the new Engine from being pushed to clients. Any agent using a policy that isn't modified has the newer Engine deployed during an update.
- You can use Policy Assignment queries to determine whether the policy changes have been correctly applied to the clients.
Option 2
Pull all DAT files and the 6700 Engine into the Evaluation branch. Leave the 6600 Engine in the Current branch of the Master Repository. Change the Branch option of the Repository Pull task from Current to Evaluation, and then save the change. Move the new DAT file from Evaluation to Current daily.
This approach doesn't require any further change on the clients on which you want to keep running the 6600 Engine, provided you perform one of the following actions:
- Manually copy or move the regular DAT file back into the Current branch from the Evaluation branch. Complete the task through the ePO console.
- Manually download and check in the ePO-deployable DAT package into the Current branch of the repository.
You can find the regular ePO-deployable DAT package on the Security Updates site. Under Security Updates - DATS, select DAT Package For Use With ePO. The file name is
NOTE: A pull task updates more than just the DAT files and Engines in the repository. For example, spam definitions and SCP content are also pulled. Other products that require this extra content expect it to be in the Current branch of the repository. Updates for those products might fail if it isn't there. For this reason, Option 1 is recommended because it has less of an impact on other currently deployed products.
ePO 5.x has a scheduler server task type called Change The Branch For A Package. Use this task to automate the regular movement of DAT files. Use the task to move the DAT from the Evaluation to the Current branch of the Master Repository.
Fallback repositories contain the latest Engine and DAT files.
To use selective updating to remove the Engine from the selected items in the update list, perform the following steps:
- Log on to the ePO 5.x console.
- Click System Tree.
- Make sure that My Organization is selected and click the Assigned Client Tasks tab.
- Select the task where TaskType = Product Update.
- Under the Package types, deselect Engine and click Save.
The following Engine types are available. Choose the appropriate Engine for your products:
- Engine (Windows)
- Linux Engine (Linux)
- Mac Engine (macOS)
- Repeat this procedure for each of the product update tasks configured.
- Because this change is a task change, it's applied on the next agent-to-server communication and policy enforcement. So, this change must be made before the repository is updated with the latest files and a client agent update task runs. If the agent update task runs before the client receives the policy, the Engine is applied regardless of the setting.
- If the agent update fails over to the external Fallback repository (TrellixHttp), the 6700 Engine is updated on the client regardless of the method used in the ePO Agent Configuration policy. To avoid this situation, disable the appropriate Fallback site from the updates list.
- The repository list used by the client is configured in the ePO Agent Configuration policy.
- You might prefer to edit the parent objects in the ePO 5.x Task Catalog rather than editing tasks at the branch level in the System Tree. Changes to the Task Catalog entries automatically propagate down to the System Tree where they've been assigned.
Disable the Fallback repositories
- Log on to the ePO 5.x console.
- Click Policy Catalog.
- From the Product drop-down list, select Trellix Agent.
- Select the policy you want to change where the category = Repository.
- Find the repository listed as Fallback (TrellixHttp) in the Repository list and click Disable.
- Click Save.
- Repeat this procedure for all unique agent policies.
- An agent must have at least one valid repository. Be careful when you use the Exclude new distributed repositories by default option. Currently, this option also tags the existing repositories as disabled when the content is edited. This fact can result in agents being assigned by default to the Master Repository.
- Because this change is a policy change, it's applied on the next agent-to-server communication and policy enforcement. So, this change must be made before the repository is updated with the latest files and a client agent update task runs. If the agent update task runs before the client receives the policy, the Engine is applied.
Implement the following if TA 5.x peer-to-peer servers serve the new Engine on your network
When a TA 5.x agent requires content updates with peer-to-peer enabled, it tries to discover peer-to-peer servers with the content update in its broadcast domain. When agents that are configured as peer-to-peer servers receive the request, they verify whether they have the requested content. The servers then respond to the agent that made the request. The requesting agent then downloads the content from the peer-to-peer server that responds first.
If an agent that's configured as a peer-to-peer server also hosts the 6700 Engine, it might serve the 6700 Engine to any agents also configured to use peer-to-peer.
NOTE: The peer-to-peer service is enabled by default with TA 5.x and later. If you believe that this setting might serve the new Engine on your network, but don't want it to, you must perform either of the following actions:
- Disable peer-to-peer.
- Make sure that no peer-to-peer servers have a copy of the 6700 Engine.
- Log on to the ePO 5.x console.
- Click Menu, Systems, System Tree, Systems.
- Select a group under System Tree. All systems within this group appear in the details pane.
- Select a system, and then click Actions, Agent, Modify Policies on a Single System.
- From the Product drop-down list, select Trellix Agent. The policy categories under TA are listed with the system's assigned policy.
- If the policy is inherited, select Break inheritance and assign the policy and settings below.
- From the Assigned policy drop-down list, select a General policy. From this location, you can edit the selected policy or create a policy.
- Select whether to lock policy inheritance to prevent any systems that inherit this policy from having another one assigned in its place.
- On the Peer-to-Peer tab, select these options as appropriate:
- Deselect Enable Peer-to-Peer Communication to stop the TA from discovering and using peer-to-peer servers in the network.
- Deselect Enable Peer-to-Peer Serving to stop the TA from serving content to peer agents.
- Deselect
- Click Save.
- Perform an agent wake-up call.
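The checks in the sections above (repository branch per Engine, the branch the agent policy uses, the package types left in the update task, the Fallback repository, and peer-to-peer serving) combine into a single preflight review. The script below is an added illustration, not ePO's own API or any Trellix code: it models those rules over a constructed Master Repository layout and client states, and lists every path by which a client would still receive the 6700 Engine, including the edge case where the update task runs before the agent has received the new policy.

```python
"""Constructed preflight check for holding clients at the old Engine.

Added example only: it models the article's rules, it does not talk to ePO.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

OLD_ENGINE, NEW_ENGINE = "6600", "6700"   # example versions used in the article


@dataclass
class ClientState:
    name: str
    policy_engine_branch: str        # branch the TA policy uses for Engine updates
    policy_received: bool            # has the agent already picked up that policy?
    task_packages: Set[str] = field(default_factory=lambda: {"DAT", "Engine"})
    fallback_enabled: bool = True    # Fallback (TrellixHttp) still in the repo list?
    p2p_client: bool = True          # Enable Peer-to-Peer Communication still on?


def engine_in_branch(master_repo: Dict[str, Dict[str, str]], branch: str) -> Optional[str]:
    """Engine version checked into the given Master Repository branch, if any."""
    return master_repo.get(branch, {}).get("Engine")


def engine_delivery_paths(master_repo, client: ClientState, p2p_servers_with_new: Set[str]) -> List[str]:
    """Reasons this client would still get NEW_ENGINE; an empty list means it is held."""
    reasons = []
    # Until the policy change lands, the agent still updates from the Current branch.
    effective_branch = client.policy_engine_branch if client.policy_received else "Current"
    if "Engine" in client.task_packages and engine_in_branch(master_repo, effective_branch) == NEW_ENGINE:
        reasons.append(f"update task pulls Engine from {effective_branch} branch")
    if client.fallback_enabled:
        reasons.append("Fallback (TrellixHttp) repository always carries the latest Engine")
    if client.p2p_client and p2p_servers_with_new:
        reasons.append("peer-to-peer server(s) hold the new Engine: " + ", ".join(sorted(p2p_servers_with_new)))
    return reasons


# Constructed sample: Option 1 layout, 6600 in Evaluation, 6700 in Current.
MASTER_REPO = {"Current": {"Engine": NEW_ENGINE, "DAT": "today"},
               "Evaluation": {"Engine": OLD_ENGINE}}


def demo() -> Dict[str, List[str]]:
    held = ClientState("held-host", "Evaluation", True, fallback_enabled=False, p2p_client=False)
    late = ClientState("late-host", "Evaluation", False, fallback_enabled=False, p2p_client=False)
    return {c.name: engine_delivery_paths(MASTER_REPO, c, set()) for c in (held, late)}


if __name__ == "__main__":
    for host, reasons in demo().items():
        print(host, "->", reasons or f"held at {OLD_ENGINE}")
```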
Related Information
- To prevent ePO from automatically downloading and deploying the new Engine, you must reconfigure and test your ePO installation before the new engine is posted for AutoUpdate.
- For important information about the latest scan engine, see KB66741 - About the 6.x.xx Anti-Malware Scan Engine.
- One repository must always be listed as available for each agent managed by ePO.