You can use GPO software assignment to push out new AV software. This is actually a great way to ensure that all of your workstations are protected: if a computer is in an OU that has the antivirus policy, it will have anti-virus software installed. (Just make sure, if you are switching AV platforms, that you don't accidentally cause more than one product to be installed concurrently on the same group of workstations.)
However, when it comes to signature updates, you don't want to use Group Policy. Signature updates are released far too frequently for GPO assignment to be a practical option. Instead, your AV product needs to update itself via its own management server. Any enterprise AV product should have this functionality built in.
Based on personal experience, I recommend neither Symantec nor McAfee. You might consider ESET or Vipre, among others, as better-performing alternatives.
Edit - related question: What is the best Antivirus for a Windows Domain Network?
Microsoft Forefront Client Security uses your existing WSUS infrastructure to issue its updates. It's an elegant solution since you probably deliver WSUS patching and AV signatures to the same network segments, and can use this to do it all through a single server, on a single port (80 or 443).
By contrast, deploying Sophos updates requires clients to be able to report back to the central reporting server on a couple of ports, and to Central Install (CI) nodes via SMB ports. In firewall terms across more than a flat network, the rulebase to support this is a mess.
When deploying AV by Group Policy, the only way to "patch" it is to create a completely new install MSI (making sure to increase the internal version numbers by a point), and then deploying it the same way you did your first package. This will cause a full install on all appropriate machines, but they will be patched.
This is one of the limitations of the GPO software deployment system.
I know from personal experience that SEP has a habit of not incrementing version numbers for small patches.
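An added example, not code from any of the answers above, that audits workstations for the two failure modes discussed in this thread: more than one AV product registered at the same time (the caveat in the first answer), and hosts whose installed version is still below the ProductVersion you stamped into the re-built MSI, which is how a GPO re-deploy that did not apply (or a vendor package that never bumped its version) shows up. The computer names, product DisplayName and target version are placeholders; it assumes WinRM is enabled and the caller is a local admin on the targets.

```powershell
# Added example, not code from the original answers. Audits workstations for
# duplicate AV registrations and for hosts still below the re-built MSI's version.
# Assumes WinRM is enabled and the caller has local admin on the targets.
param(
    [string[]]$ComputerName  = @('WS01', 'WS02'),             # constructed sample names
    [string]  $ProductName   = 'EXAMPLE Endpoint Protection', # placeholder DisplayName
    [version] $TargetVersion = '12.1.5'                       # placeholder ProductVersion
)

$probe = {
    param([string]$Name)
    # AV engines registered with Windows Security Center. The namespace exists on
    # workstation SKUs only, hence SilentlyContinue; @() keeps an empty result an array.
    $registered = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty displayName)
    # DisplayVersion from the Uninstall keys, checking both the 32- and 64-bit views
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $version = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$Name*" } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
    [pscustomobject]@{ Registered = $registered; Version = $version }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe `
    -ArgumentList $ProductName -ErrorAction SilentlyContinue

foreach ($r in $results) {
    $issues = @()
    if (@($r.Registered).Count -gt 1) {
        $issues += "multiple AV products registered: $($r.Registered -join ', ')"
    }
    if (-not $r.Version) {
        $issues += "$ProductName not present in Uninstall keys"
    } else {
        # Compare as [version] where possible; a non-numeric DisplayVersion is reported, not guessed
        $parsed = $r.Version -as [version]
        if ($null -eq $parsed) {
            $issues += "unparseable DisplayVersion '$($r.Version)'"
        } elseif ($parsed -lt $TargetVersion) {
            $issues += "version $parsed is below target $TargetVersion; GPO upgrade did not apply"
        }
    }
    if ($issues) { "$($r.PSComputerName): $($issues -join '; ')" }
    else         { "$($r.PSComputerName): OK ($($r.Version))" }
}
```

Hosts that never answer (offline, or WinRM blocked) are simply absent from the output, so compare the reported names against the OU membership to catch them.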
So far, Microsoft has not extended WSUS to support non-Microsoft approved packages.