The Story So Far....
This is the third in an informal series of articles intended to help admins make the best use of Symantec AntiVirus for Linux, keeping those boxes protected from today's many emerging threats without killing the CPU or the network bandwidth.
- SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide covers the importance of auto-protect scanning, necessary scan exclusions and how to test them
- SAV for Linux: A (Somewhat) Illustrated Guide Part 2 provides examples of the various different ways in which SAVFL can be configured (by command line, by GRC.DAT and by xsymcfg).
This article will focus on the area with which many admins encounter the most trouble- how to keep SAV for Linux up-to-date.
How Often Are New Definitions Released?
New certified definitions are posted for SAVFL once per day. These definitions contains all the AntiVirus signatures against all known threats, regardless of what OS they are designed to exploit. Do not put off updating SAVFL on your Linux file server, thinking that there cannot be that many new Linux worms since last week. SAVFL needs the latest definitions to stop the latest Windows/Mac/Android threats affecting clients that access that file server. Make sure that SAVFL is updated every day.
OK, How Does SAVFL Get Updated?
There are three ways:
- Internet LiveUpdate servers (The default. Recommended if you have only a few SAVFL clients)
- Internal LiveUpdate Administrator 2.x server (Recommended if you have many SAVFL clients.)
- Intelligent Updater (Useful in certain circumstances, such as completely isolated computers.)
What Happens When I Push This Button?
SAVFL comes with Java LiveUpdate (JLU) built into it. Clicking "LiveUpdate" from the SAVFL GUI will, by default, start a session that retrieves updates from the Internet. A session can also be manually started from the command line: sav liveupdate -u
As long as the SAVFL client is updating every day, the files downloaded will be of manageable size.
If the SAVFL client goes out-of-date by weeks, then a full set of definitions will need to be downloaded. That can be a couple hundred MB.
"We Have A Lot of Linux Machines- that Many Updates Would Kill Our Network Bandwidth!"
If you establish an internal LiveUpdate Administrator 2.x server (LUA 2.x), it will download the update files from the Internet source servers once, and then make them available to all of your SAVFL clients on the corporate LAN. Here is an official Symantec article on configuring the LUA 2.x server for SAVFL contents:
Configuring LiveUpdate Administrator 2.x to Download and Distribute Symantec Antivirus for Linux Contents
Article URL http://www.symantec.com/docs/TECH152311
The initial download is large, but then each subsequent day's download is small. Here is what LUA 2.x looks like making that first download of SAVFL materials, in case you have never seen the product:
The SAVFL clients then need to have their setting updated so they know to look to that internal source, rather than keep looking on the Internet Here is an article on how to configure the SAVFL clients to use that internal LUA 2.x server's Distribution Center (DC):
Configuring Symantec Antivirus for Linux (SAVFL) to download definitions from the Distribution Center of an internal LiveUpdate Administrator (LUA) 2.x Server
Article URL http://www.symantec.com/docs/TECH93505
And here is an excellent article by another member of the Connect Forum (give it a "thumbs up" vote!)
How to Install SAV for Linux (SAVFL) and Update It Using LUA 2.x (22.214.171.124)
There's Always A Third Option
It is also possible to bring SAVFL clients up-to-date using an Intelligent Updater (IU). Here's the article on that option:
How to update a Linux-based computer with Intelligent Updater definitions
Article URL http://www.symantec.com/docs/TECH96754
Using IU's every day would consume a lot of bandwidth. The size of the current Linux IU file (20130122-004-unix.sh) is 421.54 MB. This will only grow as more and more threats are discovered.
Intelligent Updaters are a great solution in certain circumstances (completely isolated computers that still require defenses, bringing a computer up-to-date if JLU is failing for some reason) but for day-to-day use, Internet or internal LiveUpdate servers are usually the best option.
OK, You Convinced Me. I'll Configure my SAVFL Clients' Java LiveUpdate. So, How Do I Do That?
If you need to change the LiveUpdate schedule, source server, or other parameters, three ways are possible:
- By the command line
- By dropping on a GRC.DAT
- By changing the /etc/liveupdate.conf file
Details on the first two options can be found in SAV for Linux: A (Somewhat) Illustrated Guide Part 2. Here's a good article on how to manually configure liveupdate.conf:
Configuring Java LiveUpdate
Article URL http://www.symantec.com/docs/TECH101689
Several admins have found it easy to create a valid liveupdate.conf file containing the proxy, LUA, etc details for their environment and place that in each SAVFL machine's /etc directory. If there are many SAVFL clients to configure, and there is no SAV 10 Windows client on hand to generate the GRC.DAT, dropping the liveupdate.conf file is what I recommend.
Sorry, I Don't Speak Klingon
Opening /etc/liveupdate.conf with a standard text editor presents a page full of odd text and characters:
This is actually by design. The contents of this configuration file are encrypted to prevent tampering. Editing the liveupdate.conf file on SAVFL must be done using a special tool. The following article contains all the details:
Configuring Java LiveUpdate using the built-in Graphical User Interface (GUI)
Article URL http://www.symantec.com/docs/TECH123038
Here is what the tool looks like:
What Just Happened?
To see the details on a Java LiveUpdate session, read liveupdt.log. This log file takes practice to read, but can tell you what product components were checked for updates, what server the SAVFL client tried to connect to, if that connection was successful, what files were downloaded and if they were then processed.
By default this log is located in the /opt/Symantec/LiveUpdate directory, but that is configurable in liveupdate.conf.
Note that this log only covers Java LiveUpdate activity, not Intelligent Updater. That tool generates it own logs.
In case JLU sessions are not completing correctly, the following article may help:
Troubleshooting Java LiveUpdate 3.x
Article URL http://www.symantec.com/docs/TECH123310
Is There Any Sneaky Way to See What Set of AV Definitions All My SAVFL Clients Have?
Yes. &: )
SAVFL (SEP for Linux) status check
Many Connect Forum members have expressed and interest in a managed "Symantec Endpoint Protection for Linux" client. (You may show your interest for such at the link below.) Until that becomes available, SAVFL Reporter can collect some information from all of the legacy SAV for Linux clients in the organization, and display details in a report within Symantec Endpoint Protection Manager (SEPM). This report can make it easy to spot clients with definitions that are out of date.
Managed SEP client for Linux
Many thanks for reading! Please do add comments and feedback below.