delayed AV definition deployment

Discussion in 'ESET NOD32 Antivirus' started by pmsoares, Sep 6, 2010.

Thread Status:
Not open for further replies.
  1. pmsoares

    pmsoares Registered Member

    Joined:
    Jan 7, 2010
    Posts:
    5
    Location:
    Lisbon, Portugal
    Dear All,

    Due to the 5017~5019 definitions I was considering changing the update policy of NOD32 at my company.
    We have several critical systems and we cannot afford the "luxury" of rebooting all computers.
    Luckily (and that was very lucky) we had no major problems last Friday.

    I was wondering if it is possible, and how to do it, to schedule the definition update to +3 days.

    I mean, I want to install today the AV definitions released 3 days ago and so on. The objective is having a pool of computers that are updated in real time and a second pool of critical systems that are updated with a 3 day delay.

    Is that possible?

    Thanks in advance
     
  2. AJStevens

    AJStevens Registered Member

    Joined:
    Aug 27, 2008
    Posts:
    97
    Location:
    Surrey, UK
    Was thinking about this myself... I think you'll need multiple Mirrors, set on 24 hour checks, each using the other as its update source, with the "main" one checking ESET's servers. Your "Guinea Pig" PCs would get updates from this one, but other workstations/servers get updates from a mirror of a mirror of that mirror that gets updates from ESET.

    Should provide a "buffer", as long as those Guinea Pigs show up a problem.

    Using this method though, your other workstations will "leap" from one version to another, whereas the Guinea Pig PCs will get each update as it's released.
     
  3. pmsoares

    That's a smart workaround, I had thought about it, but I was thinking more about some kind of option or setting that I could enable directly in the client or console :)
     
  4. AJStevens

    Sadly there isn't one; it's been suggested, particularly after last week's problem, but no official answer.

    I thought about this some more last night, and am considering writing a program to provide more control over updates.
     
  5. pmsoares

    Last night I was also thinking more carefully about mirroring from mirroring,
    and I came to the conclusion that the solution did not fulfil my needs.

    Imagine:
    server A -> update from ESET
    server B -> mirror from A
    server C -> mirror from B

    I can set an update schedule for the mirror of 24h, but when the mirror updates, it will fully update according to the main server. That means, if by bad luck a wrong release is out at the time of the mirror update, I will have a hot update in my mirror.

    I am not sure if I made myself clear, but what I mean is that when the mirror updates, it will update to the last release and not the 24h-behind release.

    Any other ideas to solve this issue?
     
  6. AJStevens

    That's why you have to use a couple of mirrors, they buffer and store an update for a 24 hour period.

    Indeed it's not a perfect solution, and that's why I said your end clients will "jump" through updates, whereas test PCs do each update in turn; this is because the update is time based, and not update based, so they won't be exactly 24 hours behind, but they will be 24 hours behind.

    Mirror A (Typically ERA?)
    - updates from Eset every 15 mins
    - "Guinea Pig" PCs update from this mirror

    Mirror B (Could be ERA running on another server, but better to be a Mirror by an Eset Client).
    - checks Mirror A for updates every 24 hours and updates (since there will pretty much always be an update after 24 hours, it'll update). If you're using ERA this can and will vary, I'm guessing it updates every 24 hours from the time the service starts (after a reboot), better to use a client, and you have more schedule options.
    - No clients update from it

    Mirror C
    - checks Mirror B for updates every 24 hours and updates
    - Normal clients update from this mirror

    You'll want Mirror C to be scheduled to update from Mirror B before Mirror B updates from ERA, this is best done with two client mirrors as you can specify a particular time.

    e.g. Mirror C updates daily at 11:00, Mirror B updates daily from ERA at 13:00.

    It's not perfect, you're right that clients won't be precisely 24 hours behind, given the number of updates released a day, but they will be a safe time behind.

    Alternatively, you could use the ERA and a single mirror, disable any automatic updating on the NOD Mirror, and once you're happy the Guinea Pig PCs are ok, manually update the mirror, which will then update the rest of the clients.. not fun having to do that several times a day though...

    I'm looking to see if there's something I can do instead.
     
  7. pmsoares

    Dear all,

    I think I got a refurbished solution! And it seems to work!

    I have an ERA that has an update mirror and also administers all clients.
    Then (here comes the idea)
    I have the ID
    server A (ERA mirror)
    day0
    day1
    day2
    day3
    server B (running a simple HTTP server with the nup files. It works!!)

    Got a daily routine:
    8h - copy day3 to server B
    8h10 - copy day2 to day3
    8h20 - copy day1 to day2
    8h10 - copy day0 to day1
    8h00 - copy server A to day0

    Guinea pigs are updating from server A; critical machines are updating from server B.

    Of course this is not a perfect solution because
    clients are not 72 hours delayed on all updates,
    they will just receive 1 update a day.
    But of course it's better than what happened last week, and every time there is a critical definition update I can always push them manually.


    I hope this can help someone, and ESET should think about implementing some kind of scripting that allows doing this directly.
     
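The daily copy routine from the post above, written up as an added shell script (not code from the post or from ESET). It assumes that the ERA mirror (server A), the day0..day3 staging folders and the HTTP docroot on server B are all reachable as local directory paths; every name and path is hypothetical.

```shell
#!/bin/sh
# Added example: one run of the day0..day3 rotation described in the post.
# Assumptions (hypothetical, not from the post): the ERA mirror (server A),
# the four staging folders and the HTTP docroot (server B) are all reachable
# as local directory paths, e.g. via network shares.

# Replace dst with an exact copy of src, swapping directories so that a client
# fetching from dst never sees a half-written set of .nup files.
sync_dir() {
    src="$1"; dst="$2"
    # A missing staging folder only means the pipeline is still filling up
    # after first deployment, so skip the step rather than fail the run.
    [ -d "$src" ] || { echo "skip: $src not present yet" >&2; return 0; }
    rm -rf "$dst.new" && mkdir -p "$dst.new" && cp -R "$src"/. "$dst.new"/ || return 1
    rm -rf "$dst" && mv "$dst.new" "$dst"
}

# Oldest snapshot first, so each folder is moved on before it is overwritten.
# The docroot receives what day3 held before this run, i.e. the mirror
# snapshot taken four rotations (four days, on the post's schedule) earlier.
rotate_definitions() {
    mirror="$1"   # server A: the ERA update mirror
    stage="$2"    # parent folder of day0..day3
    publish="$3"  # server B: docroot of the plain HTTP server
    [ -d "$mirror" ] || { echo "mirror $mirror not found" >&2; return 1; }
    sync_dir "$stage/day3" "$publish"    || return 1
    sync_dir "$stage/day2" "$stage/day3" || return 1
    sync_dir "$stage/day1" "$stage/day2" || return 1
    sync_dir "$stage/day0" "$stage/day1" || return 1
    sync_dir "$mirror"     "$stage/day0"
}

# Run from cron once a day: rotate_definitions <mirror> <stage> <docroot>
if [ $# -eq 3 ]; then
    rotate_definitions "$1" "$2" "$3"
fi
```

Because the docroot only changes once per run, a bad definition release that was pulled and fixed within the same day never reaches the critical machines, which is the buffering the post is after.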
  8. 0verlord

    0verlord Registered Member

    Joined:
    Dec 18, 2008
    Posts:
    17
    I throttled back my updates on our branch offices to every 6 hours, to hopefully prevent them from being down should anything like last week happen again. Problem now is every time I check on the RA Console most of the computers are in red and it bugs me to no end.
     
  9. pmsoares

    I also thought about something like that, but I came to the conclusion that I get the same problem, because every 6 hours clients will update to the most recent definition file.
    If by bad luck the erroneous definition is released at the time of the update, you will get the same problem. Of course if they release the correction with a time gap of 2 or 3 hours, MAYBE your clients get through without problems.
     
    Last edited: Sep 10, 2010