Deploying SAV 10 best practices

Hello Mike,

as regular reader of and contributor to this forum you're aware of the issues with Web Intelligence/LSP. Don't think that anything else could cause widespread disruption . Made the move (actually first 9.5 to 9.7, then 9.7 to 10.0) a long time ago. Usually what can be upgraded can be downgraded as well (requires at least one reboot though) so you might want to test this just in case (yes, the paranoid part of me says that if something breaks it will also prevent the downgrade :smileywink:). 

Christian

Thanks Christain

I'm not sure whether I actually use the web protection component. 

Under the AV & HIPs policies I have 'Block access to malicious websites' set to 'off' and 'Download scanning' set to 'As on-access scanning'. 

All our web content goes through a web filtering cloud service 'Zscaler'. Unless I'm getting the web intelligence/LSP feature mixed up...

Edit - Just read the whole Web Protection thread and understand where your coming from. So far I've not noticed any issues with internal sites during my two week testing phase. 

Hi RogueViper

If either the Web scanning or the Web blocking features are enabled then the Sophos LSP is loaded for v10.

If you already have the Web scanning enabled then I would strongly recommend enabling Web blocking as you would be adding additional protection and should suffer no noticable decrease in performance as the LSP is already loaded and sending http content for scanning .

HI RogueViper,

I don't think you can ever be too cautious and your approach seems to be a good one. I'm always amazed when someone says I rolled out software to thousands of production machines and now nothing works.  Did you try one first? :)

It certianly does no harm to "pilot" a new major verison in each part of the business; typically there is no major rush to be on the latest unless policy demands a new feature or you've left it so late that it's about to be retired.  To "truly" test all possible software users may have and how they really use it in a test environment can be unrealistic so to, for the want of a better word, pick on a few clients accross the business makes great sense.  Ideally these user would be the more techical who would recognise problems such as performance changes, etc.  Maybe even give them a short course to better educate them on the software,  these can then always be the guinea pigs for future rollouts , just don't call them guinea pigs, they may not like it.

Regards,

Jak

Thought I'd give an update on the progress of SAV 10. So far this has been successfully deployed to all desktops at the HQ site (~200). Plus laptops in a remote site (~20). However, I have stopped upgrading the rest of the HQ laptops (~80) because many of those laptops are very important users, some of who work remotely. 

I'm not really sure if I just need to 'man-up' and make the change; but being my first IT job I'm scared of messing up. Other IT staff already joke about me breaking stuff; a part of me thinks I won't last very long in IT if I don't start taking responsbility and calculated risks to get the job 'done'.

What would you do in my situation?

Hello RogueViper,

What would you do in my situation?

:smileyhappy: - get it done! And think of a good excuse in case you break something :smileywink: - seriously, **bleep** can happen, so be prepared for it (and don't panic if it comes worse). If all are "afraid" of the VIPs there's not much you can do anyway. Just do your job assiduously , when you do so a good superior will (and can) give you backing  if necessary - but not if you are lingering.

Christian

For the very senior few you could email them asking when would be a good time to deploy the update to avoid impacting their work.  

Otherwise if it all goes wrong you can always quote them: "Move fast and break things" it worked for Facebook :)

Jak

Is there a link someone can post to show some of us other monkeys how its done?  We've been @ 9.x forever and now I just found out 10 was available so I want to know how to deploy it silently and even on a schedule if possible.  Just did it manually on my machine, I don't suppose there's a way around the reboot?  :)  Thanks.:robothappy:

HI,

The reboot is required but the software will continue to function until you do so, it doesn't have to be done straight away.  The machine will flag the outstanding reboot state in SC until done so.

There are multiple approaches to upgrade. 

1. If you just have a single subscription, e.g. "Recommended" and therefore a single distribution point, e.g.:

\\server\sophosupdate\CIDs\s0000\

Then all the updating polices would use this "Recommended" subscription.

So if you change the "Recommended" subscription to SAV 10, SUM will update the above CID \\server\sophosupdate\CIDs\s0000\ with SAV 10 and on next update the clients will upgrade.

2. Create a second subscription, call it SAV 10 for example.

This will create you a new distribution location, e.g.

\\server\sophosupdate\CIDs\s0001\

You can then just change the updating policy for a few client to use this new subscription.  In the updting policy there is a subscription tab.

When the clients get their updating policy, on next update,  those clients will update from this new CID and upgrade to 10.

So 1 is the shotgun approach, 2 is the more measured approach where you can deploy to a few groups at a time.

Regards,

Jak