Video Screencast Help

SAV for Linux: A (Somewhat) Illustrated Guide Part 3

Created: 23 Jan 2013 • Updated: 24 Jan 2013 | 12 comments
Language Translations
Mick2009's picture
+14 14 Votes
Login to vote

The Story So Far....

This is the third in an informal series of articles intended to help admins make the best use of Symantec AntiVirus for Linux, keeping those boxes protected from today's many emerging threats without killing the CPU or the network bandwidth. 

This article will focus on the area with which many admins encounter the most trouble- how to keep SAV for Linux up-to-date.

 

How Often Are New Definitions Released?

New certified definitions are posted for SAVFL once per day.  These definitions contains all the AntiVirus signatures against all known threats, regardless of what OS they are designed to exploit.  Do not put off updating SAVFL on your Linux file server, thinking that there cannot be that many new Linux worms since last week.  SAVFL needs the latest definitions to stop the latest Windows/Mac/Android threats affecting clients that access that file server.  Make sure that SAVFL is updated every day

 

OK, How Does SAVFL Get Updated?

There are three ways:

  1. Internet LiveUpdate servers (The default.  Recommended if you have only a few SAVFL clients)
  2. Internal LiveUpdate Administrator 2.x server (Recommended if you have many SAVFL clients.)
  3. Intelligent Updater (Useful in certain circumstances, such as completely isolated computers.)
     

 

What Happens When I Push This Button?

SAVFL comes with Java LiveUpdate (JLU) built into it.  Clicking "LiveUpdate" from the SAVFL GUI will, by default, start a session that retrieves updates from the Internet.  A session can also be manually started from the command line: sav liveupdate -u

As long as the SAVFL client is updating every day, the files downloaded will be of manageable size. 

If the SAVFL client goes out-of-date by weeks, then a full set of definitions will need to be downloaded.  That can be a couple hundred MB.

 

"We Have A Lot of Linux Machines- that Many Updates Would Kill Our Network Bandwidth!"

If you establish an internal LiveUpdate Administrator 2.x server (LUA 2.x), it will download the update files from the Internet source servers once, and then make them available to all of your SAVFL clients on the corporate LAN.  Here is an official Symantec article on configuring the LUA 2.x server for SAVFL contents:

Configuring LiveUpdate Administrator 2.x to Download and Distribute Symantec Antivirus for Linux Contents
Article URL http://www.symantec.com/docs/TECH152311

 

The initial download is large, but then each subsequent day's download is small. Here is what LUA 2.x looks like making that first download of SAVFL materials, in case you have never seen the product:

 

The SAVFL clients then need to have their  setting updated so they know to look to that internal source, rather than keep looking on the Internet  Here is an article on how to configure the SAVFL clients to use that internal LUA 2.x server's Distribution Center (DC):

Configuring Symantec Antivirus for Linux (SAVFL) to download definitions from the Distribution Center of an internal LiveUpdate Administrator (LUA) 2.x Server
Article URL http://www.symantec.com/docs/TECH93505

And here is an excellent article by another member of the Connect Forum (give it a "thumbs up" vote!)   

How to Install SAV for Linux (SAVFL) and Update It Using LUA 2.x (2.3.0.71)
https://www-secure.symantec.com/connect/articles/how-install-sav-linux-savfl-and-update-it-using-lua-2x-23071

 

There's Always A Third Option

It is also possible to bring SAVFL clients up-to-date using an Intelligent Updater (IU).  Here's the article on that option:

How to update a Linux-based computer with Intelligent Updater definitions
Article URL http://www.symantec.com/docs/TECH96754 
 

Using IU's every day would consume a lot of bandwidth.  The size of the current Linux IU file (20130122-004-unix.sh) is 421.54 MB.  This will only grow as more and more threats are discovered. 

Intelligent Updaters are a great solution in certain circumstances (completely isolated computers that still require defenses, bringing a computer up-to-date if JLU is failing for some reason) but for day-to-day use, Internet or internal LiveUpdate servers are usually the best option.

 

OK, You Convinced Me.   I'll Configure my SAVFL Clients' Java LiveUpdate.  So, How Do I Do That? 

If you need to change the LiveUpdate schedule, source server, or other parameters, three ways are possible:

  1. By the command line
  2. By dropping on a GRC.DAT
  3. By changing the /etc/liveupdate.conf file

Details on the first two options can be found in SAV for Linux: A (Somewhat) Illustrated Guide Part 2. Here's a good article on how to manually configure liveupdate.conf:

Configuring Java LiveUpdate
Article URL http://www.symantec.com/docs/TECH101689 
 

Several admins have found it easy to create a valid liveupdate.conf file containing the proxy, LUA, etc details for their environment and place that in each SAVFL machine's /etc directory.  If there are many SAVFL clients to configure, and there is no SAV 10 Windows client on hand to generate the GRC.DAT, dropping the liveupdate.conf file is what I recommend

 

Sorry, I Don't Speak Klingon

Opening /etc/liveupdate.conf with a standard text editor presents a page full of odd text and characters:

This is actually by design.  The contents of this configuration file are encrypted to prevent tampering.  Editing the liveupdate.conf file on SAVFL must be done using a special tool.  The following article contains all the details:

Configuring Java LiveUpdate using the built-in Graphical User Interface (GUI)
Article URL http://www.symantec.com/docs/TECH123038 
 

Here is what the tool looks like:

 

 

What Just Happened?

To see the details on a Java LiveUpdate session, read liveupdt.log.  This log file takes practice to read, but can tell you what product components were checked for updates, what server the SAVFL client tried to connect to, if that connection was successful, what files were downloaded and if they were then processed. 

By default this log is located in the /opt/Symantec/LiveUpdate directory, but that is configurable in liveupdate.conf.

Note that this log only covers Java LiveUpdate activity, not Intelligent Updater.  That tool generates it own logs.

In case JLU sessions are not completing correctly, the following article may help:

Troubleshooting Java LiveUpdate 3.x
Article URL http://www.symantec.com/docs/TECH123310 
 

 

 

Is There Any Sneaky Way to See What Set of AV Definitions All My SAVFL Clients Have?

Yes. &: )

SAVFL (SEP for Linux) status check
https://www-secure.symantec.com/connect/forums/savfl-sep-linux-status-check

 

Many Connect Forum members have expressed and interest in a managed "Symantec Endpoint Protection for Linux" client.  (You may show your interest for such at the link below.)  Until that becomes available, SAVFL Reporter can collect some information from all of the legacy SAV for Linux clients in the organization, and display details in a report within Symantec Endpoint Protection Manager (SEPM).  This report can make it easy to spot clients with definitions that are out of date. 

 

Managed SEP client for Linux
https://www-secure.symantec.com/connect/ideas/managed-sep-client-linux

 

 

Final Notes

Many thanks for reading!  Please do add comments and feedback below.

 

 

Comments 12 CommentsJump to latest comment

.Brian's picture

Very nice!

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

+1
Login to vote
SebastianZ's picture

Great article, thanks!

+1
Login to vote
b7-37's picture

Excellent stuff.

+1
Login to vote
MeloSep's picture

Great stuff bro, really appreciate your work!

You mentioned Android in the beginning, vulnerabilities for this OS are in some way "compatible" and moved to a normal Linux system?

As far I know, android take most of the code in use from the Linux kernel, is this the reason why?

Thanks!

 

 

+1
Login to vote
Mick2009's picture

Many thanks, MeloSep!

Android is based on Linux, you are correct there.  I have not seen any vulnerabilities or threats, myself, that have moved back and forth between those platforms though.  (It might be possible, but I have not seen it.)

The thing I am concerned about, as the IT world moves in a BYOD (Bring Your Own Device) direction where personal and corporate equipment and networks become merged, is Android threats circulating through the file servers, mail servers, etc.  Android, unlike iPhone, offers the ability to get your Apps from many markets/methods.  .apk's can be mailed around, copied from shared network fodlers, etc. 

I am beginning to see a lot of Windows and Linux threat logs that include Android detections.  For example:

 

Event IP Address Computer Name Source Risk Name Occurrences File Path
Security risk found 10.x.x.x COMPUTERNAME Scheduled scan Android.Lotoor 1 c:\Users\NAME\Downloads\Roots\z4root 1.3.0.zip>>z4root 1.3.0.apk

 

I believe my next few articles will highlight the Symantec Mobile Security 7.2 product which defends Android and Windows Mobile devices.  

If there is sufficient demand, I may write another SAVFL article about the cool things that can be done with SAVFL Reporter first.

Thanks again for the comments and feedback, all!  &: )         

 

With thanks and best regards,

Mick

+2
Login to vote
Mick2009's picture

The Symantec Mobile Security 7.2 articles that I mentioned above are now live: check them out, Android fans!

Illustrated Guide to Installing Symantec Mobile Security 7.2,
https://www-secure.symantec.com/connect/articles/illustrated-guide-installing-symantec-mobilie-security-72

 

Getting to Know the Symantec Mobile Security 7.2 Client
https://www-secure.symantec.com/connect/articles/getting-know-symantec-mobile-security-72-client
 

With thanks and best regards,

Mick

0
Login to vote
Vikram Kumar-SAV to SEP's picture

Thumbs Up !!

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

+1
Login to vote
John Santana's picture

yes +1 !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

+1
Login to vote
Mick2009's picture

Part 4 is  now available...

SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-4-savfl-reporter

With thanks and best regards,

Mick

+2
Login to vote
honey_jack's picture

Great + 10

Thanks & Regard

Honey Jack

 

If your issue has been solved, please use the "Mark as Solution" for the valid thread.

+1
Login to vote
honey_jack's picture

Great + 10

Thanks & Regard

Honey Jack

 

If your issue has been solved, please use the "Mark as Solution" for the valid thread.

+1
Login to vote