5 Replies Latest reply on Aug 5, 2014 9:21 AM by adamg23

    Patch installation batch files

    Rookie

      Hi,

       

      I have McAfee ePO as whitelisting software in my domain. By default, whitelisting software blocks everything; hence ePO blocks patch installation batch files at "C:\Windows\ProPatches\Install" from execution.

       

      In order to enable Shavlik Protect to run this batch file, I have to add the executable which creates this batch file to the McAfee whitelist. Can anybody tell me which process actually creates the patch installation batch files?

       

      Thanks

      Srikanth Badireddy

        • 1. Re: Patch installation batch files
          SupportEmployee

          Hi Srikanth,

           

          The batch files are actually created on the Protect console system, and then copied into the C:\Windows\Propatches\Install folder on any target system during the deployment process. Most likely ST.Protect.exe is originally behind the creation of the batch files on the console system, but it's possible other components are involved as well. I would have to do a little more research if you would still like me to find this out.

           

          I'm not really familiar with the McAfee ePO application, but it seems, based on this article I found, that you should be able to use directory and file exclusions (there's a note in the article saying you could apply the same settings via ePO):

          McAfee KnowledgeBase - How to manage file and folder exclusions in VirusScan Enterprise 8.x

           

          You might want to check with McAfee about that since allowing the directory or files would be much easier for you to get this set up.

           

          Hope that helps!

          • 2. Re: Patch installation batch files
            Rookie

            Hi,

             

            You are right, we can trust a whole directory, but it has other side effects, e.g. any executable placed in that folder can be executed irrespective of its trusted source. The same is the case if we allow some extension without trusting its source. So we have decided not to use these two types of trusting files.

             

            It would be great if you could tell me which components are responsible for creating the batch file, so we can trust the actual source in the McAfee ePO application.

             

            Thanks

            Srikanth Badireddy

            • 3. Re: Patch installation batch files
              SupportEmployee

              Hi Srikanth,

               

              I confirmed with our engineering team that ST.Protect.exe is creating the batch files on the Protect console system. I am not sure if that information will be carried over when the files are copied to the target system, but hopefully this information is helpful to you.

              • 4. Re: Patch installation batch files
                Rookie

                Hi,

                 

                Thanks for the information. I found that STSchedEx.exe actually launches the batch on the target system.

                 

                Just for information, we need to add this file to the ePO trusted updater list to allow the execution of the batch file.

                 

                Regards

                Srikanth

                • 5. Re: Patch installation batch files
                  SupportEmployee

                  Yes, STSchedEx.exe is what would run the .bat files on any target system. Glad you got it figured out.