Automatic Definition update from WSUS

[Guest]

I try to have Defender to automatically update from WSUS without user
intervention. Basically, updating from WSUS works fine. But it needs user
intervention which it should not. Definition updates should install
automagically in the background.

How can I set this up?
Thanks
Franz

 

[Steven Jones]

What's the currenent WSUS and Windows Automatic Update configuration so i
can see whare your going wrong.

Steven Jones

 

[Guest]

I have set Definitions to 'automatically approved' for installation. The user
gets the information in the system tray that there are updates available and
has to manually start the installation for the Definitions.
There should not be a user-intervention needed for updates like Definitions.
Clients are set to automatically downlaod but not install by GPO. This is
the preffered setting for all the normal updates to not interrupt users
during work or in the morning. All are computers are off during the night
(except the servers of course). I think Definitons should be excluded from
this and it should be possible to have them installed automatically anyway.

Franz

 

[Bill Sanderson]

This detail was helpful. I've one report, from an individual user, that
with similar settings (although not in a WSUS environment)--he found that
the definitions were automatically installed at the time of a scheduled
scan.

i.e. the signature update was waiting in the tray, and the scheduled scan
has the setting "check for updates before scanning."--the update was
apparently applied and the scan proceeded.

This isn't exactly what you are looking for, but it may be useful.

That pre-scan update is triggered by a simple command-line:

mpcmdrun signatureupdate


--

 

[Guest]

I assume that "mpcmdrun signatureupdate" does connect to windowsupdate over
the internet even if in a WSUS environment, correct?

I really think Definition updates should be handled different than the rest
of the updates. There should never be a userintervention for that in a WSUS
environment even if the rest of updates is not set for automatic install.
Think of this situation: Every user would have to take action to install the
latest definitions for a virus scanner even in a corporate virus protection
system - never possible!

Franz

 

[Bill Sanderson]

I believe that mpcmdrun uses autoupdate, which would mean that it connects
to WSUS.

There's a log--mpcmdrun.log in \windows\temp which should have some detail.

I understand what you are asking for--and I don't know whether it is
possible in the current architecture--Microsoft does read these messages,
however.

--

 

[Guest]

I strongly agree. If, for instance, Symantec Antivirus CE required
user-interaction to install virus def. updates three things would happen.

1) Definition updates would be sporadic, at best
2) Virus infections
3) Nobody would buy the product!

If this issue is resolved and a solid central administration console made
available, it would save us quite a chunk of change when we give Webroot the
boot!