Do you push Antivirus update immediately or test them first?

Probably aimed more at those in a corporate or educational environment but:

Let's assume around 600 machines and layers of defence i.e. firewall does URL filtering and antivirus etc.

I'm have a dilemma which seems pretty much 50/50:

• Push updates immediately and get the maximum protection from new threats.

• Stage updates to a test group and push after X hours resulting in less protection from new threats but protection from "Our new update thinks <vitalsystemfile> is a virus"

Which do you do and why, and if you do the second option what is the value of "X"?

 

Approach will depend on the AV been choosen and setup of the machine you have to protect.

In a controlled environment, limited users access (no permission to install software, no access to system, etc) then AV updates can be more flexible. E.g. Wait one day for the distribution or take a sample for testing before release to the rest, etc. Stricter is the control on machine more lax could be the setup of AVs as the chances to get infected on closed machines is minimal.

If those 600 machine are open to user customisation then priority is to release AV updates as soon as received and you should select an AV with an history of low false positives to minimise risk.

 

With a good backup plan (personally have hourly snapshots and offline imaging), I update them as soon as the stable version is released.

@fax: Aren't open machines the ones more likely to have errors?

 

This is someone's else job. And it's already done => QA......
i.e. =

 

Of course, but QA doesn't always work..

http://www.reddit.com/r/sysadmin/comments/1jg1po/mcafee_dat_7152_just_blew_up_half_my_lan/

 

That's why you have to select a reliable AV with a good and trustworthy QA department!

 

Errors? You mean malware infection?

 

No, because the machine setup is less static, there can be more false positives, incompatibilities, and the like.

 

Yes, indeed and hopefully not the scenario for the OP as it will be near to impossible to manage given the number of machines to support and should be supported by imaging/backups

 

I don't know if you're still reading this thread but if you do, I suggest going with this 2nd option. It's better to do your own testing beforehand as it may reduce the likelihood of deploying updates that may interfere negatively with a corporate/educational environment. AV vendors may have extensive QA but they can't possibly predict all forms of incompatibilities that may arise with custom setups.

As for X hours, up to your convenience and risk aversion.