Updating Virus Definitions

Virus Definitions (DAT files) from McAfee can be downloaded onto a single local server (DAT file repository) and deployed automatically or manually via HTTPS (HTTP over TLS) or FTP to endpoints on your network via the Powertech Antivirus application in HelpSystems One. Powertech Antivirus also allows you to schedule updates and monitor the status of connected endpoints. Endpoints without a connection to Powertech Antivirus can also be configured to acquire DAT file updates from the local repository. Virus definitions can also be transferred to an air-gapped server using physical media.

The following instructions guide you through the process of configuring a local DAT file repository and keeping endpoints updated with the latest virus definitions from McAfee.

NOTE: Powertech Antivirus validates DAT updates before endpoints are able to use them. For details, see DAT file validation.

Updating virus definitions using a local DAT file repository

This method of updating virus definitions allows you to download the latest DAT files onto a local server, and then use the Powertech Antivirus application in HelpSystems One to distribute the DAT files to endpoints on your network via HTTPS or FTP. Only the single server running Powertech Antivirus needs access to McAfee for downloading DAT files.

Install Powertech Antivirus on the server you would like to use as the DAT file repository, and connect the endpoints you intend to scan. See the Powertech Antivirus Installation Guide for details on installing and connecting to HelpSystems One, and adding endpoints.

Once configured, the status of endpoints can be monitored on Powertech Antivirus for HelpSystems One's Home page.

The following instructions guide you through the process of:

  • Configuring a local DAT file repository with automatic updates;
  • Configuring a signed Certificate Authority (if required); and
  • Updating DAT files on endpoints manually using the Powertech Antivirus application in HelpSystems One.

To configure a local DAT file repository and schedule updates

  1. Open the Powertech Antivirus application in HelpSystems One.
  2. In the Navigation Pane, choose Settings > Repository to open the Settings > Repository page.
  3. Toggle Virus Definition (DAT) Repository Common Settings (top toggle) to On. Set the frequency of updates and whether to automatically update endpoints.
  4. Choose the type of file server:
    • If you intend to use an HTTPS file server, toggle Virus Definition (DAT) Repository Common Settings to On. Then, set the maximum number of endpoints to be updated concurrently, and the port.
      IMPORTANT: All endpoints must be able to access the port specified for the HTTPS service.

    • If you intend to use an FTP file server, toggle Virus Definition (DAT) Repository FTP Service Settings to On.

      See also: Settings > Repository.

  5. Click Save.

While not required for normal operations, you can use --ftp, --wget, --curl, or --avget to connect to the HelpSystems One PTAV DAT repository service. For example, the following can be used to update DAT files using the PTAV internal tool avget with self-signed certificates and the ptavrepo provided through the Powertech Antivirus application in HelpSystems One:

/opt/sgav/avupdate --ftp ftp://yourusername:yourpassword@yoursite/downloads/av
/opt/sgav/avupdate --ftp --passive --ptavrepo ftp://yourhelpsystemsonehost:21
/opt/sgav/avupdate --avget --ptavrepo https://yourhelpsystemsonehost:8023

NOTE: Specifying --ptavrepo doesn't require the /current folder since the version will be read from the PTAV DAT Repository service.

Configuring a signed certificate authority for DAT file updates

By default, the PTAV Service uses a self-signed certificate to ensure secure TLS data transfer between the repository and endpoints. Alternatively, you can use your own trusted certificate issued by a third-party certificate authority (CA) to secure the DAT repository HTTPS file server.

If you do not have a signed certificate, the Powertech Antivirus service generates a self-signed certificate.

NOTE: Provide a certificate only if you are using one signed by a certificate authority. Do not provide a self-signed certificate.

  1. Locate your certificate and key files.
  2. If the certificate and key both have ".pem" file name suffixes, rename the certificate to "cert.pem" and the key to "key.pem". (If the certificate and key file name suffixes are ".crt" and ".key", no file renaming is required.)
  3. Place the certificate and key files into the following folder, replacing the existing files: Linux: /opt/ptavwebsvc/PTAVService/certs
  4. Restart the HelpSystems One Powertech Antivirus Service. Linux: "PTAVServer"

To update DAT files on endpoints manually using HelpSystems One

If you set the Powertech Antivirus Settings to update endpoints automatically when DAT files are available, connected endpoints will be updated automatically based on your settings. You can also use the following method to update DAT files on endpoints manually.

  1. On the Powertech Antivirus navigation pane, click Endpoints.
  2. Check the endpoints you would like to update.
  3. Click Update DAT Files.

Updating virus definitions from endpoints directly

If endpoints on your network do not allow HelpSystems One Integration Service connections to the HelpSystems One service (for example, for unregistered and/or older/unsupported operating systems), you can still download the latest DAT updates from your local DAT file repository by specifying the "current" folder with the avupdate command.

To use this method, you must configure the HTTPS file server with a genuine certificate because the HTTPS download process (curl/wget) for legacy endpoints does not allow self-signed certificates in avupdate. (See Configuring a signed certificate authority for DAT file updates.)

McAfee updates virus definitions every day and you should schedule the update process to run daily. To start the update, either change to the product directory or type the full path to the avupdate command, and specify the current folder:

EXAMPLE:
cd /opt/sgav
./avupdate --curl https://yourserver.yourco.com:8023/current

or
/opt/sgav/avupdate --curl https://yourserver.yourco.com:8023/current
or
/opt/sgav/avupdate --avget https://myinsitehost:8023/current

The update process must be run by a root user. This is to prevent the product from accidentally (or maliciously) being disabled by deleting its files.

Updating virus definitions on air-gapped servers

If your Powertech Antivirus application in HelpSystems One is not connected to the internet, you can load the latest virus definitions using physical media, such as a USB thumb drive. To do so:

  1. Create a new folder called datimport in /opt/ptavwebsvc/PTAVService if it does not exist already. During the DAT update procedure, before referring to McAfee for DAT updates, Powertech Antivirus first checks for the presence of this folder.
  2. On a system with Internet access, download the latest required virus definition (DAT) files from McAfee and save them to a tmp folder. These files are available at http://update.nai.com/products/commonupdater/.
    Files needed:
    • oem.ini

    • gdeltaavv.ini

    • avvdat.ini

    • *.zip file referenced in oem.ini

    • Incremental updates: All *.gem files. These are not needed if you are running a standard full update (using Powertech Antivirus for HelpSystems One or avupdate --full). If the incremental update fails, a full update is performed using the .zip file.

  3. Copy the DAT files from the tmp folder to transferable media, such as a thumb drive. Once copied, the DAT files can be deleted from the tmp folder.
  4. Copy the DAT files to /opt/ptavwebsvc/PTAVService/datimport on the air-gapped server.

    NOTE: If the PTAV Service was allowed, it may have connected to McAfee and acquired the latest DAT files. If so, delete the contents of the datrepo folder and restart the PTAV Service from the control panel. It is preferable to not allow the PTAV Service before creating the datimport folder.

  5. Open the Powertech Antivirus application in HelpSystems One, and in the Navigation pane, choose Settings > Repository.
  6. Click Save to process the files.
  7. Install Powertech Antivirus on the air-gapped server and register the endpoint(s) in HelpSystems One. To use the Application Manager to install Powertech Antivirus on endpoints, copy the Linux and AIX license files to the HelpSystems One server for the endpoint deployment.
  8. In HelpSystems One, open Powertech Antivirus and choose Endpoints.
  9. Select the endpoint and click Update DAT Files.
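
The media transfer in steps 2 to 4 can be wrapped in an integrity check, shown here as an added example that is not part of the vendor documentation. The SHA256SUMS manifest name and both function names are assumptions, and GNU sha256sum is assumed on both systems.

```shell
#!/bin/sh
# Added example (not vendor code): checksum the DAT set before it leaves the
# connected system and verify it before anything lands in datimport.
# SHA256SUMS and the function names are hypothetical; needs GNU sha256sum.
REQUIRED_INI="oem.ini gdeltaavv.ini avvdat.ini"

# Connected system: confirm the files the page lists are present, then
# write a manifest next to them. oem.ini is not parsed here, so any *.zip
# satisfies the full-update check; *.gem files are included when present.
make_manifest() {
    dir=$1
    for f in $REQUIRED_INI; do
        [ -f "$dir/$f" ] || { echo "missing $f" >&2; return 1; }
    done
    ls "$dir"/*.zip >/dev/null 2>&1 || { echo "missing .zip" >&2; return 1; }
    ( cd "$dir" || exit 1
      set -- *.ini *.zip
      for g in *.gem; do
          if [ -f "$g" ]; then set -- "$@" "$g"; fi
      done
      sha256sum -- "$@" > SHA256SUMS )
}

# Air-gapped server: verify every file on the media against the manifest
# and copy only the listed files. Nothing is copied if any digest fails.
import_from_media() {
    media=$1; dest=$2
    [ -f "$media/SHA256SUMS" ] || { echo "no manifest on media" >&2; return 1; }
    ( cd "$media" && sha256sum -c SHA256SUMS >&2 ) || {
        echo "verification failed, nothing copied" >&2
        return 1
    }
    mkdir -p "$dest" || return 1
    # Manifest lines are "<64 hex digits><2 separator chars><file name>".
    cut -c67- "$media/SHA256SUMS" | while IFS= read -r f; do
        cp -- "$media/$f" "$dest/" || exit 1
    done
}

# Typical use (the media mount point is a placeholder):
#   make_manifest /tmp/dat          on the connected system
#   import_from_media /mnt/usb /opt/ptavwebsvc/PTAVService/datimport
```

A manifest carried on the same media is only as trustworthy as the media itself, so compare the digest of SHA256SUMS over a separate channel when tampering in transit is a concern.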

Notes

McAfee updates virus definitions every day and you should run avupdate every day. To schedule using cron, run the command crontab -e to edit the crontab file using the vi editor. Position the cursor at the end and type i to insert a line.

Type the following (on one line) to schedule the job to run every day at 6pm (18):

0 18 * * * /opt/sgav/avupdate --curl https://yourserver.yourco.com:8023/current > /opt/sgav/log/avupdate.out

On AIX, to see the cron log, run tail /var/adm/cron/log.

On Linux, to see the cron log, run tail /var/log/syslog.

For more information about scheduling using cron, run man crontab. See also Scheduling Updates and Scans.

Exit status

This command returns the following exit values:

0 Process completed successfully.

1 An error occurred.
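
The cron schedule and exit values above can be combined in a small wrapper so that a failed update is recorded instead of passing silently. This is an added example, not vendor code; the avupdate path and repository URL are the page's placeholders, and the function names and the --run switch are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper around avupdate (not vendor code).
# Path and URL are the page's placeholders; function names are hypothetical.
AVUPDATE="${AVUPDATE:-/opt/sgav/avupdate}"
REPO_URL="${REPO_URL:-https://yourserver.yourco.com:8023/current}"
LOG="${LOG:-/opt/sgav/log/avupdate.out}"

stamp() { date '+%Y-%m-%dT%H:%M:%S'; }

# Run one update. Appends stdout AND stderr to the log (a plain "> file"
# redirect truncates the log and drops stderr) and returns avupdate's
# exit status: 0 = completed successfully, anything else = error.
run_dat_update() {
    cmd=$1; url=$2; log=$3
    if ! command -v "$cmd" >/dev/null 2>&1; then
        echo "$(stamp) avupdate not found: $cmd" >>"$log"
        return 1
    fi
    echo "$(stamp) starting DAT update from $url" >>"$log"
    rc=0
    "$cmd" --curl "$url" >>"$log" 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$(stamp) update completed" >>"$log"
    else
        echo "$(stamp) update FAILED (exit $rc)" >>"$log"
    fi
    return "$rc"
}

# Entry point for cron: enforce the root requirement, then raise a syslog
# error on failure so stale definitions show up in monitoring.
main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "avupdate must be run by root" >&2
        return 1
    fi
    if ! run_dat_update "$AVUPDATE" "$REPO_URL" "$LOG"; then
        logger -p daemon.err -t avupdate "DAT update failed, see $LOG"
        return 1
    fi
}

# Only act when cron calls the script with --run.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

In the crontab entry, call this script with --run in place of the direct avupdate command and drop the output redirect, since the wrapper writes the log itself.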