Updating Virus Definitions

Virus definitions (DAT files) from McAfee can be downloaded to a single local server (the DAT file repository) and deployed from there to endpoints on your network over HTTP or FTP, either automatically or manually, using Insite. Insite also lets you schedule updates and monitor the status of connected endpoints. Endpoints that cannot connect to Insite can still be configured to fetch DAT file updates from the local repository, and virus definitions can be carried to an air-gapped server on physical media.

The following instructions guide you through the process of configuring a local DAT file repository and keeping endpoints updated with the latest virus definitions from McAfee.

NOTE: Powertech Antivirus validates DAT updates before endpoints are able to use them. For details, see DAT file validation.

Updating virus definitions using a local DAT file repository

This method downloads the latest DAT files to a local server and then uses the Insite PTAV Service to distribute them to endpoints on your network over HTTP or FTP. Only the single server running the Insite PTAV Service needs access to McAfee to download DAT files.

Install the Insite PTAV Service on the server you would like to use as the DAT file repository, and connect the endpoints you intend to scan. See Connecting Powertech Antivirus to Insite for details on installing and connecting Insite, and adding endpoints. See also Port/Server Configuration for port mapping details.

Once configured, you can monitor the status of endpoints on the Home screen of Powertech Antivirus for Insite.

The following instructions guide you through the process of:

  • Configuring a local DAT file repository with automatic updates
  • Configuring a signed Certificate Authority (if required)
  • Updating DAT files on endpoints manually using Insite

To configure a local DAT file repository and schedule updates

  1. Open Insite.
  2. In the Navigation Pane, choose Settings to open the Powertech Antivirus Settings screen.
  3. Toggle Virus Definition (DAT) Repository Common Settings to On. Set the frequency of updates and whether to automatically update endpoints.
  4. Choose the type of file server:
    • If you intend to use an HTTP file server, toggle Virus Definition (DAT) Repository HTTP Service Settings to On. Then, set the maximum number of endpoints to be updated concurrently, and the port.
    • IMPORTANT: The port specified for the HTTP service must be accessible by all endpoints.
    • If you intend to use an FTP file server, toggle Virus Definition (DAT) Repository FTP Service Settings to On.

      See also: Powertech Antivirus Settings screen.

  5. Click Save.

You can use --ftp, --wget, --curl, or --avget to connect to the Insite PTAV DAT repository service. The following examples update DAT files from a plain FTP server, from the repository provided through Insite (--ptavrepo) over FTP, and from that repository with the PTAV internal tool avget, which accepts the repository's self-signed certificate. Note that a username and password embedded in an FTP URL are sent in cleartext and are visible in the endpoint's process list and shell history; prefer the HTTPS-based options where you can.

/opt/sgav/avupdate --ftp ftp://yourusername:yourpassword@yoursite/downloads/av
/opt/sgav/avupdate --ftp --ptavrepo https://your-helpsystems-one-host:21
/opt/sgav/avupdate --avget --ptavrepo https://your-helpsystems-one-host:8023
NOTE: Specifying --ptavrepo doesn't require the /current folder since the version will be read from the PTAV DAT Repository service.

Configuring a signed certificate authority for DAT file updates

By default, the PTAV Service generates a self-signed certificate and uses it for TLS between the repository and endpoints. This encrypts the transfer, but only clients that accept that particular certificate (such as the avget tool) can verify that they are talking to the real repository. Alternatively, you can secure the DAT repository HTTP file server with your own certificate issued by a trusted third-party certificate authority (CA).

If you do not supply a CA-issued certificate, the Powertech Antivirus service keeps using its self-signed one.

NOTE: Only install a certificate that was issued by a CA. Do not install your own self-signed certificate; the service already generates one.
  1. Locate your certificate and private key files.
  2. If the certificate and key both have ".pem" file name suffixes, rename the certificate to "cert.pem" and the key to "key.pem". (If the suffixes are ".crt" and ".key", no renaming is required.)
  3. Place the certificate and key files in the following folder, replacing the existing files. Restrict the key file so that only the account the PTAV Service runs as can read it.
    1. Windows: \Help Systems\HelpSystems Insite\PTAVService\certs
    2. Linux: /opt/insite/PTAVService/certs
  4. Restart the Insite Powertech Antivirus Service so that it loads the new certificate:
    1. Windows: "InsitePTAVService"
    2. Linux: "HelpSystemsInsitePTAVServer"
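Before replacing the files in the certs folder, it is worth confirming that the certificate and key actually belong together, that the certificate is CA-issued rather than self-signed, and that it will not expire shortly after you restart the service. The following POSIX shell function performs those checks with the openssl command-line tool. It is an added example, not part of Powertech Antivirus or Insite; the file paths and the 30-day expiry margin are assumptions passed in as arguments.

```sh
#!/bin/sh
# Pre-installation check for a CA-issued certificate and private key that are
# about to be copied into the PTAV Service certs folder.
# Added example (not Powertech Antivirus code); requires the openssl CLI.

# check_ptav_cert CERT KEY [MIN_DAYS]
# Returns 0 when CERT and KEY are a matching PEM pair, CERT is not self-signed,
# and CERT stays valid for at least MIN_DAYS (default 30) more days.
check_ptav_cert() {
    cert="$1"
    key="$2"
    min_days="${3:-30}"

    [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "cannot read private key: $key" >&2; return 1; }

    # Both files must parse as PEM. "-passin pass:" makes an encrypted key fail
    # immediately instead of prompting for a passphrase.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "$cert is not a PEM X.509 certificate" >&2; return 1; }
    openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1 \
        || { echo "$key is not a readable, unencrypted PEM private key" >&2; return 1; }

    # The public key inside the certificate must equal the one derived from the
    # private key. Comparing the PEM public keys works for RSA and EC alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and private key do not match" >&2; return 1; }

    # -checkend SECONDS exits non-zero if the certificate expires within that window.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires in under $min_days days" >&2; return 1; }

    # Issuer equal to subject means self-signed, which must not be installed.
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    subject=$(openssl x509 -in "$cert" -noout -subject)
    [ "${issuer#issuer=}" != "${subject#subject=}" ] \
        || { echo "certificate is self-signed; supply a CA-issued one" >&2; return 1; }

    # Warn (without failing) if other users can read the private key.
    if [ -n "$(find "$key" -perm -o+r 2>/dev/null)" ]; then
        echo "warning: $key is world-readable; restrict it to the service account" >&2
    fi
    return 0
}

# Example use with the Linux certs folder named in the procedure:
#   check_ptav_cert /opt/insite/PTAVService/certs/cert.pem \
#                   /opt/insite/PTAVService/certs/key.pem && echo "certificate OK"
```

Run it against the files before copying them into place; a non-zero exit prints the reason on standard error, and the world-readable warning is the usual cause of a key that works but leaks.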

To update DAT files on endpoints manually using Insite

If you set the Powertech Antivirus Settings to update endpoints automatically when DAT files are available, connected endpoints will be updated automatically based on your settings. You can also use the following method to update DAT files on endpoints manually.

  1. On the Powertech Antivirus navigation pane, click Endpoints.
  2. Check the endpoints you would like to update.
  3. Click Update DAT Files.

    NOTE: Alternatively, to update a single endpoint, you can choose > Update DAT Files.


Updating virus definitions from endpoints directly

If endpoints on your network do not allow Insite Integration Service connections to the Insite service (for example, unregistered endpoints, or older or unsupported operating systems), they can still download the latest DAT updates from your local DAT file repository by pointing the avupdate command at the repository's "current" folder.

To use this method, the HTTP file server must have a CA-issued certificate: the curl and wget download modes that avupdate uses for legacy endpoints verify the server certificate and reject the default self-signed one. (See Configuring a signed certificate authority for DAT file updates.)

McAfee updates virus definitions every day and you should schedule the update process to run daily. To start the update, either change to the product directory or type the full path to the avupdate command, and specify the current folder:

EXAMPLE:
cd /opt/sgav
./avupdate --curl https://yourserver.yourco.com:8023/current

or
/opt/sgav/avupdate --curl https://yourserver.yourco.com:8023/current
or
/opt/sgav/avupdate --avget https://myinsitehost:8023/current

The update process must be run as root. The product's files are protected so that only root can delete or replace them, which prevents the product from being disabled by accident or on purpose; an update replaces those files and therefore needs the same privilege.

Updating virus definitions on air-gapped servers

If an endpoint is not connected to the network, you can load the latest virus definitions using physical media such as a USB thumb drive. To do so:

  1. Install Insite and the Powertech Antivirus module as described under Air-gapped Installation of Insite and Powertech Antivirus.
  2. Create a new folder called datimport in /opt/insite/PTAVService if it does not already exist. During the DAT update procedure, Powertech Antivirus checks for this folder before contacting McAfee for DAT updates.
  3. On a system with Internet access, download the latest virus definition (DAT) files from McAfee at http://update.nai.com/products/commonupdater/ and save them to a temporary folder. (Powertech Antivirus validates the files when it imports them; see DAT file validation.)
  4. Copy the DAT files from the temporary folder to removable media, such as a thumb drive. Once copied, the DAT files can be deleted from the temporary folder.
  5. Copy the DAT files to /opt/insite/PTAVService/datimport on the air-gapped server.

    NOTE: If the PTAV Service had already been allowed (see step 9), it may have connected to McAfee and downloaded DAT files itself. If so, delete the contents of the datrepo folder and restart the PTAV Service from the control panel. It is preferable to create the datimport folder before allowing the PTAV Service.

  6. Open Insite, and in the Navigation pane, choose Settings.
  7. Click Save to process the files.
  8. Open Insite, and in the Navigation pane, choose Products.
  9. Select Insite Powertech Antivirus Service and click Allow.
  10. Install Powertech Antivirus on the air-gapped server and register the endpoint in Insite. To use the Deployment Manager to install Powertech Antivirus on endpoints, copy the Linux and AIX license files to the Insite server for the endpoint deploy. See Installation.
  11. In Insite, open Powertech Antivirus and choose Endpoints.
  12. Select the endpoint and click Update DAT Files.

See also: Air-Gapped Configuration for a diagram of port mappings.
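Removable media can be damaged or swapped between the online host and the air-gapped server, and the product's own DAT file validation only runs once the files have been imported. The following shell functions, an added example rather than part of Powertech Antivirus, write a SHA-256 manifest next to the DAT files on the online host (step 4) and verify it on the air-gapped server before copying the files into datimport (step 5), rejecting a file that is altered, missing, or not listed in the manifest. They assume only that the openssl command exists on both hosts; the DATIMPORT path defaults to the folder named in the procedure, and the file names in the usage comment are constructed.

```sh
#!/bin/sh
# SHA-256 manifest for carrying DAT files across an air gap on removable media.
# Added example, not part of Powertech Antivirus. Assumes the openssl CLI on
# both hosts. DATIMPORT defaults to the import folder used in the procedure.
DATIMPORT="${DATIMPORT:-/opt/insite/PTAVService/datimport}"

# Print the SHA-256 hex digest of FILE (openssl prints "SHA256(file)= hex").
sum_file() { openssl dgst -sha256 "$1" | awk '{ print $NF }'; }

# Online host: write DIR/MANIFEST listing "<hex>  <name>" for every regular
# file in DIR, so the manifest travels on the media with the DAT files.
write_manifest() {
    dir="$1"
    ( cd "$dir" || exit 1
      for f in *; do
          [ -f "$f" ] && [ "$f" != MANIFEST ] || continue
          printf '%s  %s\n' "$(sum_file "$f")" "$f"
      done ) > "$dir/MANIFEST"
}

# Air-gapped host: check that every manifest entry is present with the expected
# digest and that the media carries no file the manifest does not list.
# Returns 0 only if everything matches.
verify_manifest() {
    dir="$1"
    [ -f "$dir/MANIFEST" ] || { echo "no MANIFEST in $dir" >&2; return 1; }
    bad=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $name" >&2; bad=1; continue
        fi
        [ "$(sum_file "$dir/$name")" = "$expected" ] \
            || { echo "checksum mismatch: $name" >&2; bad=1; }
    done < "$dir/MANIFEST"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ "$name" = MANIFEST ] && continue
        # 64 hex digits plus two spaces = 66 characters, so the name starts at 67.
        awk -v n="$name" 'substr($0, 67) == n { found = 1 } END { exit (found ? 0 : 1) }' \
            "$dir/MANIFEST" || { echo "unlisted file: $name" >&2; bad=1; }
    done
    return "$bad"
}

# Verify the media, then copy the DAT files (not the manifest) into DATIMPORT.
# Do this before the PTAV Service is allowed, as the procedure's note advises.
import_to_datimport() {
    dir="$1"
    verify_manifest "$dir" || return 1
    mkdir -p "$DATIMPORT" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ "${f##*/}" != MANIFEST ] || continue
        cp "$f" "$DATIMPORT/" || return 1
    done
}

# Usage (constructed file names):
#   online host:      write_manifest /tmp/dat && cp /tmp/dat/* /media/usb/
#   air-gapped host:  import_to_datimport /media/usb && echo "DAT files staged"
```

The unlisted-file check matters as much as the digest check: an extra file on the media would otherwise be copied into datimport alongside the verified ones.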

Notes

McAfee updates virus definitions every day, so you should run avupdate every day. To schedule it with cron, run crontab -e to edit the crontab file (by default in the vi editor). Move the cursor to the last line and press o to open a new line below it.

Type the following (on one line) to schedule the job to run every day at 6pm (18):

0 18 * * * /opt/sgav/avupdate --curl https://yourserver.yourco.com:8023/current > /opt/sgav/log/avupdate.out

A single > overwrites the log on every run and captures only standard output; to keep a history that includes error messages, redirect with >> /opt/sgav/log/avupdate.out 2>&1 instead.

On AIX, to see the cron log, run tail /var/adm/cron/log.

On Linux, to see the cron log, run tail /var/log/syslog (Debian and Ubuntu) or tail /var/log/cron (Red Hat-based distributions).

For more information about scheduling using cron, run man crontab. See also Scheduling Updates and Scans.

Exit status

avupdate returns the following exit values:

0 Process completed successfully.

1 An error occurred.
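The cron entry above overwrites its log on every run, keeps only standard output, and gives no signal when updates have been failing for days. The following POSIX shell wrapper, an added example rather than a Powertech Antivirus script, runs avupdate against the repository's current folder as described under "Updating virus definitions from endpoints directly", appends a timestamped record of both output streams to the log, refuses to overlap with an update that is still running, records the last success, and turns the documented exit status (0 success, 1 error) into a staleness check that a monitoring job can poll. The paths AVUPDATE, REPO_URL, LOG and STATE_DIR, and the install location /usr/local/sbin/ptav-avupdate.sh used in the usage note, are assumptions.

```sh
#!/bin/sh
# Scheduled avupdate wrapper with logging, locking and a staleness check.
# Added example, not part of Powertech Antivirus. The values below are
# assumptions; override them in the environment if your layout differs.
AVUPDATE="${AVUPDATE:-/opt/sgav/avupdate}"
REPO_URL="${REPO_URL:-https://yourserver.yourco.com:8023/current}"
LOG="${LOG:-/opt/sgav/log/avupdate.out}"
STATE_DIR="${STATE_DIR:-/var/lib/ptav-avupdate}"   # holds the lock and last-success marker

now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# mkdir is atomic on every POSIX system (flock is not available on AIX), so a
# lock directory stops two cron runs from calling avupdate at the same time.
lock_acquire() { mkdir "$STATE_DIR/lock" 2>/dev/null; }
lock_release() { rmdir "$STATE_DIR/lock" 2>/dev/null; }

# run_avupdate [URL]: run avupdate --curl against URL (default REPO_URL),
# append stdout and stderr to LOG with timestamps, record the last success,
# and return avupdate's own exit status (0 = success, 1 = error).
run_avupdate() {
    url="${1:-$REPO_URL}"
    mkdir -p "$STATE_DIR" "$(dirname "$LOG")" || return 1
    if ! lock_acquire; then
        echo "$(now) skipped: another avupdate run holds $STATE_DIR/lock" >>"$LOG"
        return 1
    fi
    echo "$(now) starting: $AVUPDATE --curl $url" >>"$LOG"
    "$AVUPDATE" --curl "$url" >>"$LOG" 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        now >"$STATE_DIR/last-success"
        echo "$(now) avupdate succeeded" >>"$LOG"
    else
        echo "$(now) avupdate failed with exit status $rc" >>"$LOG"
    fi
    lock_release
    return "$rc"
}

# definitions_stale [DAYS]: return 0 (true) if no successful update has been
# recorded in the last DAYS days (default 2). find -mtime is used because it
# behaves the same on AIX and Linux, unlike date arithmetic.
definitions_stale() {
    days="${1:-2}"
    [ -f "$STATE_DIR/last-success" ] || return 0
    [ -n "$(find "$STATE_DIR/last-success" -mtime +"$days" 2>/dev/null)" ]
}

# Entry points for cron and monitoring; nothing runs when the file is sourced.
case "${1:-}" in
    run)
        # The product requires updates to run as root (see above).
        [ "$(id -u)" -eq 0 ] || { echo "avupdate must run as root" >&2; exit 1; }
        run_avupdate; exit $?
        ;;
    check)
        if definitions_stale "${2:-2}"; then
            echo "no successful DAT update in the last ${2:-2} days" >&2; exit 2
        fi
        exit 0
        ;;
esac
```

Install it as /usr/local/sbin/ptav-avupdate.sh (assumed path), schedule "0 18 * * * /usr/local/sbin/ptav-avupdate.sh run" in root's crontab in place of the bare avupdate line, and have your monitoring run "ptav-avupdate.sh check 2" and alert on a non-zero exit so that a repository outage or certificate problem is noticed before definitions go badly out of date.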