+ 0 Votes Bigger question robo_dev 3 years ago

What AV countermeasures are already in place? If the answer is 'none', then the AV needs to go first, as trying to inventory, patch and update virus-infected PCs is not going to end well. If you are reasonably confident that the PCs are not 'crawling with viruses', then bringing them up to the same patch level would make it more likely that the AV software would deploy without any issues. That's my thought, based on your scenario, as I see it.

+ 1 Votes AV first. CharlieSpencer_Palmetto Updated - 3 years ago

Scanning and patching will indeed take care of existing vulnerabilities, but it won't take care of existing infections. Don't worry about preventing future diseases right now; worry about curing the ones you've probably already got.

+ 0 Votes From past experience HAL 9000 Moderator 3 years ago

On a Stand Alone System I picked up an Infection by visiting the M$ Update Site, or maybe more correctly I should say in the time that the system was connected to the Windows Update Servers before an AV product got installed. Maybe it didn't come directly from the Windows Update Site, but it most certainly did hit the system hard and meant that I had to restart the reload process from scratch again.

Since that time I never consider connecting any system to the Net without first having an AV product Installed. I'm not even overly happy with the need to connect to the Net to download an AV product, and I have stopped using any AV product that I cannot download and install without the computer being connected to the Net till you start the Updating Process.

That is with a Stand Alone System; with a LAN it would be the number of Workstations & Servers worse than a Stand Alone System. I've had numerous times where infected LANs have reinfected a workstation after it gets reloaded and fully patched, then gets reconnected to the LAN.

I've had way too many Self Replicating Infections across Networks to ever consider not having a Fully Working AV product in place first before starting to build the LAN.

Col

+ 0 Votes Makes Sense butlertf 3 years ago

Currently there is no AV set up, hence the whole question of which to implement first. It is a small lab that we are building and it is behind a firewall that only allows our specified workstations in. Granted, if our workstation gets infected it could infect the rest of the systems, but the workstations do have AV on them. The more I think about it, it seems the AV should go in first and patching second. Thank you guys for the comments.