Updating Virus Definitions

Virus Definitions (DAT files) from Trellix can be downloaded onto a single local server (DAT file repository) and deployed automatically or manually via HTTPS (HTTP over TLS) or FTP to Endpoints on your network via Powertech Antivirus Server. Powertech Antivirus also allows you to schedule updates and monitor the status of connected Endpoints. Endpoints without a connection to Powertech Antivirus Server can also be configured to acquire DAT file updates from the local repository. Virus definitions can also be transferred to an air-gapped server using physical media.

The following instructions guide you through the process of configuring a local DAT file repository and keeping Endpoints updated with the latest virus definitions from Trellix.

NOTE: Powertech Antivirus Server validates DAT updates before Endpoints are able to use them. For details, see DAT file validation.

Updating virus definitions using a local DAT file repository

This method of updating virus definitions allows you to update the latest DAT files onto a local server, and then use Powertech Antivirus Server to distribute the DAT files to Endpoints on your network via HTTP or FTP. Only the single server running Powertech Antivirus Server needs access to Trellix for downloading DAT Files.

Install Powertech Antivirus on the server you would like to use as the DAT file repository, and connect the Endpoints you intend to scan. See the Powertech Antivirus Installation Guide for details on installing and connecting to Fortra Application Hub, and adding Endpoints.

Once configured, the status of Endpoints can be monitored using Powertech Antivirus within Fortra Application Hub's Home page.

The following instructions guide you through the process of:

  • Configuring a local DAT file repository with automatic updates;
  • Configuring a signed Certificate Authority (if required); and
  • Updating DAT files on Endpoints manually using the Powertech Antivirus application in Fortra Application Hub.

To configure a local DAT file repository and schedule updates

  1. Open Powertech Antivirus application in Fortra Application Hub.
  2. In the Navigation Pane, choose Settings > Repository to open the Settings > Repository page.
  3. Toggle Virus Definition (DAT) Repository Common Settings (top toggle) to On. Set the frequency of updates and whether to automatically update Endpoints.
  4. Choose the type of file server:
    • If you intend to use an HTTPS file server, toggle Virus Definition (DAT) Repository Common Settings to On. Then, set the maximum number of Endpoints to be updated concurrently, and the port.

      • IMPORTANT: All Endpoints must be able to access the port specified for the HTTPS service.

    • If you intend to use an FTP file server, toggle Virus Definition (DAT) Repository FTP Service Settings to On.

      See also: Settings > Repository.

  5. Click Save.

While not required for normal operations, you can use --ftp, --wget, --curl, or --avget to connect to Powertech Antivirus Server's DAT repository service. For example, the following can be used to update DAT files using the Powertech Antivirus internal tool avget with self-signed certificates and the ptavrepo provided through the Powertech Antivirus application in Fortra Application Hub:

/opt/sgav/avupdate --ftp ftp://yourusername:yourpassword@yoursite/downloads/av
/opt/sgav/avupdate --ftp --passive --ptavrepo ftp://yourptavserverhost:21
/opt/sgav/avupdate --avget --ptavrepo https://yourptavserverhost:8023
NOTE: Specifying --ptavrepo doesn't require the /current folder since the version will be read from the Powertech Antivirus DAT Repository service.

Configuring a signed certificate authority for DAT file updates

By default, the Powertech Antivirus Service uses a self-signed certificate to ensure secure TLS data transfer between the repository and Endpoints. Alternatively, you can use your own trusted certificate issued by a third-party certificate authority (CA) to secure the DAT repository HTTPS file server.

If you do not have a signed certificate, the Powertech Antivirus service generates a self-signed certificate.

NOTE: A certificate should only be provided if you are using your signed certificate authority. Do not provide a self-signed certificate.
  1. Locate your certificate and key files on Powertech Antivirus Server.
  2. If the certificate and key both have ".pem" file name suffixes, rename the certificate to "cert.pem" and the key to "key.pem". (If the certificate and key file name suffixes are ".crt" and ".key", no file renaming is required.)
  3. Place the certificate and key files into following folder, replacing the existing files:
    Linux: /opt/ptavwebsvc/PTAVService/certs
  4. Restart the Powertech Antivirus Service.
    Linux: "PTAVServer"

To update DAT files on Endpoints manually using Powertech Antivirus Server

If you set the Powertech Antivirus Settings to update Endpoints automatically when DAT files are available, connected Endpoints will be updated automatically based on your settings. You can also use the following method to update DAT files on Endpoints manually.

  1. On the Powertech Antivirus navigation pane, click Endpoints.
  2. Check the Endpoints you would like to update.
  3. Click Update DAT Files.

Updating virus definitions from Linux Endpoints directly

If Endpoints on your network do not allow Powertech Antivirus Integration Service connections to the Powertech Antivirus service (for example, for unregistered and/or older/unsupported operating systems), you can still download the latest DAT updates from your local DAT file repository by specifying the "current" folder with the avupdate command.

To use this method, you must configure the HTTPS file server with a genuine certificate because the HTTPS download process (curl/wget) for legacy Endpoints does not allow self-signed certificates in avupdate. (See Configuring a signed certificate authority for DAT file updates.)

Trellix updates virus definitions every day and you should schedule the update process to run daily. To start the update, either change to the product directory or type the full path to the avupdate command, and specify the current folder:

EXAMPLE:
cd /opt/sgav
./avupdate --curl https://yourserver.yourco.com:8023/current
or
/opt/sgav/avupdate --curl https://yourserver.yourco.com:8023/current
or
/opt/sgav/avupdate --avget https://myinsitehost:8023/current

The update process must be run by a root user. This is to prevent the product from accidentally (or maliciously) being disabled by deleting its files.

Updating virus definitions from IBM i Endpoints directly

Please see the section Integrating with Powertech Antivirus Server in the Powertech Antivirus for IBM i User Guide.

Updating virus definitions on air-gapped servers

If your Powertech Antivirus Server is not connected to the internet, you can load the latest virus definitions using physical media, such as a USB thumb drive. To do so:

  1. Create a new folder called datimport in /opt/ptavwebsvc/PTAVService if it does not exist already. During the DAT update procedure, before referring to Trellix for DAT updates, Powertech Antivirus first checks for the presence of this folder.
  2. On a system with Internet access, download the latest required virus definition (DAT) files from Trellix and save them to a tmp folder. These files are available at http://update.nai.com/products/commonupdater/.
    Files needed:

    • oem.ini

    • gdeltaavv.ini

    • avvdat.ini

    • *.zip file referenced in oem.ini

    • Incremental updates: All *.gem files. No need for these if running a standard full update (using Powertech Antivirus Server or avupdate --full). If the incremental update fails, a full update is performed using the .zip file.

  3. Copy the DAT files from the tmp folder to transferable media, such as a thumb drive. Once copied, the DAT files can be deleted from the tmp folder.

  4. Copy the DAT files to /opt/ptavwebsvc/PTAVService/datimport on the air-gapped server:

    NOTE: If the Powertech Antivirus Service was allowed, it may have connected to Trellix and acquired the latest DAT files. If so, delete the contents of the datrepo folder and restart the Powertech Antivirus Service from the control panel. It is preferable to not allow the Powertech Antivirus Service before creating the datimport folder.

  5. Open the Powertech Antivirus application in Fortra Application Hub, and in the Navigation pane, choose Settings > Repository.
  6. Click Save to prompt the Powertech Antivirus Service to process the files.
  7. Install Powertech Antivirus on the air-gapped server and register the Endpoint(s) in Fortra Application Hub. To use the Marketplace to install Powertech Antivirus on Endpoints, copy the Linux and AIX license files to the Fortra Application Hub server for the Endpoint deployment.
  8. In Fortra Application Hub, open Powertech Antivirus and choose Endpoints.
  9. Select the Endpoint and click Update DAT Files.

Notes

Trellix updates virus definitions every day and you should run avupdate every day.

  • To schedule using cron, run command crontab -e to edit the crontab file using the vi editor. Position the cursor to the end and type i to insert a line.

    1. Type the following (on one line) to schedule the job to run every day at 6pm (18): 

      2. 0 18 * * * /opt/sgav/avupdate --curl https://yourserver.yourco.com:8023/current > /opt/sgav/log/avupdate.out

    2. On AIX, to see the cron log, run tail /var/adm/cron/log.

    3. On Linux, to see the cron log, run tail /var/log/syslog.

    For more information about scheduling using cron, run man crontab. See also Scheduling Updates and Scans.

  • The exit status of the avupdate command can be used to check the result of the DAT update. Exit values are:

    • 0 Process completed successfully.

    • 1 An error occurred.

  • The DAT decompression option (--decomp) can be used to ensure the virus definitions are saved in an optimal format for fast initialization. This has the most effect when a full update is requested, or when one occurs through an inability to patch incrementally.