Previous Pattern File Version Rollback

Problems with the scan engine or pattern files are uncommon. However, if a problem does occur, it is likely to be due either to file corruption or false positives (incorrect detection of malware in non-problematic files).

If a problem does arise, you can deploy an Action to affected endpoints to delete the file (or files) in question and replace them with a different version. This action is called a pattern rollback, and you can roll back all or selected pattern files. By default, the CPM server keeps 15 previous versions of the pattern and engine file for rollbacks. (Set this option at the bottom of the Server Settings Wizard: Core Protection Module > Configuration > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard > "Others" section.)

There are several things to remember when rolling back a pattern update:
  • Part of the rollback process is to lock down endpoints to prevent any further pattern updates until the lock is cleared. The lock serves as a safeguard against reintroducing the issue that triggered the rollback. After the issue is resolved, either by changing something on the endpoints or by acquiring a different version of the pattern file, you must run the Core Protection Module - Clear Rollback Flag Task to re-enable updates.
  • If your clients are not all running the same version of the pattern file (that is, some have the current pattern and some have an earlier version) and you perform a rollback to the earlier version, clients with the current version will revert to the earlier version, and clients with the earlier version will be updated to the current version.
  • You can roll back all or selected pattern files. However, even if you only roll back one pattern file, you must still reset the rollback flag for all pattern files.

Perform a Pattern File Rollback

  1. From the IBM BigFix Console, click Endpoint Protection on the lower-left pane.
  2. From the upper-left navigation pane, go to Core Protection Module > Updates > Update/Rollback Patterns > Create Pattern Update/Rollback Task. The Pattern Update and Rollback Wizard opens.

  3. In the list of folders that appears, click the ">" icon to expand and display the pattern file version that you want to roll back to.
  4. Click the Rollback To button across from the folder. In the pop-up window that opens, choose either:
    • Deploy a one time action: Use this option to open the Take Action window and select the computers that you want to apply this one-time Action to. Any computers included in the Target that are not relevant for the Action at the time of deployment respond with a "not relevant" statement. Click OK.
    • Create an update Fixlet: Use this option to open the Edit Fixlet Message window and configure a Fixlet that deploys the Action whenever the selected clients become relevant. When finished, click OK and, in the window that opens, click the hyperlink that appears below Actions to open the Take Action window.
    Note: In CPM 10.6 (or later), you can perform a rollback only on Virus Patterns and Engines.

  5. In the Target tab that opens, click All computers with the property values selected in the tree list below and then choose a property that includes all the computers that you want to deploy this Action to.
    • Execution: Set any time and retry behavior for the update.
    • Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the installation to occur).

  6. After you select the computers you want to update, click OK.
  7. At the prompt, type your private key password and click OK.
  8. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."

Re-Enable Updates Following a Rollback

After a rollback, you must clear the rollback flag setting attached to patterns on your CPM for Mac clients to re-enable manual, cloud, or automatic pattern updates. You must also do this for pattern files that were not included in the rollback: all pattern file updates will be on hold after a rollback until their individual flags are lifted. You can remove the flag on all pattern files at the same time, or on selected files.

  1. From the BigFix Console, click Endpoint Protection on the lower-left pane.
  2. From the upper-left navigation pane, go to Core Protection Module > Updates > Other Update Tasks > Core Protection Module - Clear Rollback Flag. A screen displaying the Task Description tab opens.
  3. Beneath Actions, click the hyperlink to open the Take Action window.
  4. In the Target tab, click All computers with the property values selected in the tree list below and then choose a property that includes all the computers that you want to deploy this Action to.
  5. Click OK.
  6. At the prompt, type your private key password and click OK.
  7. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."