Deployment Tasks with Task Chaining

[Hyperus]

ADNM Console Version:- 4.8.975
ADNM NetClient Version:- 4.8.1038

I have a problem with deployment of tasks when using "Task Chaining" on a deployment task when task "succeeds"
I have a "Workstation" Deployment task I have set it to the "Scan local disks" On-demand scanning task once the remote deployment of the task completes.
Same issue occurs with NetServer Deployment task also - just using the workstation one as the main example.

This is starting a "Scan local disks" for every single workstation AND server running the Avast NetClient OR Avast NetServer that is registered/listed in the Avast ADNM Catalog

I had anticipated the "Scan local disks" task to perform a scan of the workstation or server that I had just deployed NetClient or NetServer to as a precaution - I don't understand why it starts a "Scan local disks" for every registered Avast client under the Computer Catalog.

any ideas ?
have I mis-understood something or mis-read the ADNM Manual when creating the deployment tasks ?

Regards
Hyp

[wpn]

i think i can guess the problem:

in the SCAN LOCAL DISKS job, you probably have configured that it has to scan * computers. Meaning ALL computers, deployed or not....
standard the * is filled in this space, you can choose computer names or group names from ADNM to get scanned.
I didnt look into dynamicly filling this with the computername from the computer that you just deployed.... i dont think its possible tho; One sollution to that is to put the to be deployed computers into a special folder/group within your structure in ADNM.
Have the SCAN LOCAL DISKS job that you use for deployment filled with the folder/group name that is specific for those computers.

What is less complicated and a better sollution i believe:
use the scan on boot option right after a deployment, its a setting in the INSTALLATION PACKAGE that you created to be deployed (the setting is on the same window as where you can put the setings for the AMS server, you can edit the deployment package), this will be set for the specific computer that is getting deployed to and thus prefents the scan task to be set for all the computers in your enviroment

[Hyperus]

I see your point and completely agree regarding the behaviour - I would not have guessed....

I have a question then.... given that I don't want to run newly deployed systems in a separate quarantine container (I have adjusted the discovery task to discover ALL systems from active directory), how would you suggest I perform a post-installation scan of each workstation or server as the NetClient oir NetServer is installed without triggering a scan of every computer in the Managed List ?

Am I missing an option in the "deploy a client" somewhere that simply does a "scan this system upon completion"

I appreicate your response so far - I can see the pattern for all now (being *)

[wpn]

What is less complicated and a better sollution i believe:
use the scan on boot option right after a deployment, its a setting in the INSTALLATION PACKAGE that you created to be deployed (the setting is on the same window as where you can put the setings for the AMS server, you can edit the deployment package), this will be set for the specific computer that is getting deployed to and thus prefents the scan task to be set for all the computers in your enviroment

That what you want i described in the last alinea (right now quoted above)

I attached a screenshot, dont ask me why it is in dutch....
my OS is in english and my choice for installation of ADNM was english too, yet somewhere it looks for the locale settings of windows....

this screenshot is the 3rd/third page of the installation package after you click EDIT.  Make sure that checkbox in the red area is checked, if it is then it should scan
the computer directly after rebooting for installation.



this is the way i recommend it, so your other stations wont be affected by an install and just get their regular planned scan once a week (i hope you scan once a week managed)

[Hyperus]

My Bad, I really need to read more closely.... thank you
and DEFINATELY scan once a week.... I have also added extra scans to the regular scan - which I imho should be added by default ...
- excerpt from my installation procedure...

Menu Tree/Tasks/Client Side Tasks/On-demand Scanning Tasks/Scan local disks (right upper pane)/RClick-Properties/
Task/Areas/Add/Memory
Task/Areas/Add/Auto-Start Programs
Task/Areas/Add/Auto-Start Programs (All Users)
Task/Areas/Add/Root Kits (full scan)
Packers/Tick All packers
Report file/Tick "Create report file"/in "Log record for" - Tick everything EXCEPT "OK Files"
Alerts/Move SMTP from "Available Alerts" into "Used Alerts" Column
Scheduling/Add.../"Weekly Scan"(without quotes)/"Weekly Scan"(without quotes)/Weekly/05:00/Sunday

[wpn]

well

scanning actively for everything is safe ofcourse but your settings sound paranoid. Avast is blocking incoming viruses to the best it can.
the settings you have chosen are really resource intensive which could trouble the users in their computer usage.
i did add some options extra to my 2 weekly scan but not all to prevent users complaining their computer slows down when i run the automated virusscan.

i also run the scan mainly during lunchtime

[Hyperus]

I completely agree regarding load - thats why I schedule for 5am Sunday morning (per the procedure part I pasted) ... its purely a paranoid scan in case something edged into a machine that is very new.
I also like your idea of scanning during lunchtime - it catches the machines that users turn off after hours (who ignore the directive NOT to turn off their machines   )

[wpn]

well i assume that after business hours the user machines would be turned of (be green?? but that depends all on what processes are running in the background of the user computers)

if you dont do paranoid scans on the user computers during working hours, but standard scans, then there is no problem....
most of my users actualy aint lunching yet at the time the scan starts and they didnt complain about it (but maybe thats because i informed them about it saying that its no other way to do it and that its for security reasons so they cant oppose it, not even management)

[wpn]

I assume this problem is solved?

[Hyperus]

Not so much solved as it was re-worked based on your suggestions.

The scan on completion task for a single deployment does in deed start a scan on all network computers including the exchange server store
The option being "*" is certainly responsible for this. The heads of a number of organisations I look after called me irate regarding the scan that started on all machines each time a single install was performed... Personally I still cannot see why this option is the way it is - surely other people want to do a scan on completion without scan at boot sometimes ? - maybe not. I now see this option as unusable.

I hear what you are saying regarding putting machines into a special quarantine container until installation is complete, but I currently don't have the time to manage this while doing mass conversions (and I mean mass) for all of my managed sites changing from Trend (removal) to Avast (install) - it is just too messy. The convenience of managing all machines in a single container is very handy.

Given there is no "%ComputerName%" I can use instead of * I have opted to disable this chain-scan-on-completion feature (My intention was to perform the 1st time scan after install while users work - albeit slower than normal - to avoid user-down-time). I have now chosen to use the Scan At Boot after install option that you have suggested. This does not please the users, but does get the job done without causing a scan of every machine on the network.

I appreciate your suggestions as this has certainly helped me get the job done and to be honest a scan at boot for a "First Time Scan" is warranted in my opinion due to the number of viruses and hidden trojans that Trend is overlooking. Chances are that this is really a blessing in disguise.

Thanks again
Hyp

[wpn]

why would you want to do a scan after installation, that is NOT a boot scan?
the bootscan is done before any windows files are loaded, meaning that virusses that would be loaded arent loaded yet and are possible to remove, otherwise you still have to reboot and do the scan again to delete the virus....
part of networking security is having downtime for this, would be best outside office times but its not always possible....

they want to have a better product and better protection, this is a side effect for this... but it does mean your better protected and your sure that you are clean....
(trend is not removed without a reason as you said )

if the managers dont want you to work after office hours, or the people dont let the computers turned on then its out of your hands and you NEED to enforce this way.... they can choose  either leave the infections and risque the chance to lose data (or even get it stolen) or have some down time per computer but get (almost) sure there are no virusses on the computers anymore...

they can calculate the losses with the down time and the losses with the lost and stolen data..... their choice....

glad i could help you, enjoy the mass conversoin

[Hyperus]

Your first line says it all. Part of my problem was lack of knowledge regarding the boot time scan feature when I first downloaded Avast. To complicate matters I keep bowing to client pressure with unreasonable requests. I need to HTFU - and so do the clients

I made a stand regarding allowing me to impliment a boot-time-scan after new install and basically gave them no choice.
While it would be obvious to existing Avast Administrators, the Boot Time Scan is not an immediately obvious function to Admins coming from an inferior product like Trend. Trend does not have a feature like this and clearly is why their product fails with some threats.

Avast has proven itself to find and deal with threats at boot time that simply cannot be processed while windows is running.
I needed my head read for not doing a boot scan after a fresh install - the old RTFM rule applies here I think.
I have since gone back over all of the sites already installed and amended the ADNM settings to all do Boot-Time-Scan on new install/

Thanks Again WPN - your advice was right on the money.

Hyp

[wpn]

great to hear..... too bad my boss doesnt pay me for it

and yes what you say about RTFM applies (still applies for me too tho!)

And good that you make a point without a choice, they choose to put on a better product they need to know

what you could do as extra leverage, generate the reports about the virusses that avast found on the computers and show that to the managers that complain about the down time.....  they will STFU