
SAV for Linux: Virus definitions not reported as being updated

Created: 04 Feb 2013 | 12 comments

I am using Ubuntu 12.10 (Precise Pangolin), 64-bit, English with the latest kernel version 3.5.0.23-generic. (Note: I had to remove the outdated Autoprotect kernel modules and compile new ones to be compatible with the new kernel version.)

The version of SAV for Linux installed is 1.0.14.13 with the scan engine version 121.3.0.78

I use the SAVFL GUI or icon to initiate a liveupdate session. It downloaded the latest virus definitions which for today is February 2, 2013. However the date still remains as 02/01/2013.

I issued the command: sav info --defs to confirm the date of the virus definitions. And it is still 02/01/2013 when it should be 02/02/2013.

Could someone tell me how to resolve the above issue?


_Brian's picture

Check this article by Mick as it has some troubleshooting for this issue:

https://www-secure.symantec.com/connect/articles/s...

Symantec AntiVirus for Linux (SAVFL) client fails to update definition through LiveUpdate

Article:TECH93974  |  Created: 2009-01-12  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/TECH93974

Did this just start?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Be Creative. Be IT's picture

The article by Mick2009 that you referred to does not resolve my issue.

Mick2009's picture

Hi BCBIT,

Good to see that SAVFL admins are keeping a close eye on any failures or irregularities - too often definition trouble goes for weeks or months in an organization before it is noticed.

This article has a great section on how to get a debug JLU log:

Troubleshooting Java LiveUpdate 3.x
Article URL http://www.symantec.com/docs/TECH123310 
 

In brief: run this command: java -classpath /opt/Symantec/LiveUpdate/jlu.jar com.symantec.liveupdate.LiveUpdate -d  and then the liveupdt.log will have extra detailed information about downloading and applying definitions.  If there are any errors in there, feel free to post/attach the log to your thread and some experts here in the forum may be able to spot any points of failure.

All the best,

Mick

 

With thanks and best regards,

Mick

Be Creative. Be IT's picture

@ Mick2009

Please find attached the liveupdt.log file for your necessary action. I have saved it in ODT format.

Thanks in advance.

Attachment: liveupdt.odt (85.42 KB)

Mick2009's picture

Cheers BCBIT!  Here is what I am seeing....

At the start of this most recent run, the current defs were dated Feb 5 2013, revision 3. 

Feb 6, 2013 3:23:24 AM   Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, HubDefs, 0
Feb 6, 2013 3:23:24 AM   Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, CurDefs, 130205003

It's a little odd that there's no date listed for the HubDefs.  Also, the date for CurDefs briefly disappeared a time or two recently:

Jan 31, 2013 2:58:53 AM   Avenge ... CurDefs, 130130004
Jan 31, 2013 3:10:43 AM   Avenge ... CurDefs, 130130004
Feb 2, 2013 6:34:44 AM   Avenge ... CurDefs, 130130004
Feb 2, 2013 6:34:59 AM   Avenge ... CurDefs, 0
Feb 2, 2013 6:34:59 AM   Avenge ... CurDefs, 130201004
Feb 4, 2013 7:19:26 PM   Avenge ... CurDefs, 130201004
Feb 4, 2013 7:20:53 PM   Avenge ... CurDefs, 0
Feb 4, 2013 7:20:53 PM   Avenge ... CurDefs, 130203009
Feb 6, 2013 3:21:02 AM   Avenge ... CurDefs, 130203009
Feb 6, 2013 3:23:24 AM   Avenge ... CurDefs, 130205003
 

The fact that the CurDefs date has been changing upwards does show successful download and processing of those definitions, though.  This SAVFL client is updating its definitions, regardless of what the GUI indicates.

This is a success:

Feb 6, 2013 3:21:03 AM Making /tmp/1360092062158/1360092063904/navupcur.dis executable ...
Feb 6, 2013 3:21:03 AM Running /tmp/1360092062158/1360092063904/navupcur.dis ...
Feb 6, 2013 3:21:03 AM Selection.updateSequenceNumber: SEQ.CurDefs=130205003
Feb 6, 2013 3:21:03 AM Selection.updateItemName: NAME.CurDefs=Virus Definitions
Feb 6, 2013 3:21:03 AM Selection.updateLastUpdateTimestamp: TIMESTAMP.CurDefs=1360092063985
Feb 6, 2013 3:21:03 AM Selection.updateDescription: DESCRIPTION.CurDefs=Symantec AntiVirus Definitions
Feb 6, 2013 3:21:03 AM
Feb 6, 2013 3:21:03 AM The Java LiveUpdate session has completed successfully.
Feb 6, 2013 3:21:03 AM Return code = 0
 

If the GUI or ./sav info -d is showing a different date, then you may wish to follow steps in the following article.  I can confirm that the latest protection is in place, though.

How to remediate virus definitions in Symantec Antivirus for Linux (SAVFL) 1.0.x
http://www.symantec.com/docs/TECH93435 
 

Please do update this thread with your progress!  &: )

With thanks and best regards,

Mick
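The log reading described in the post above, as an added example (not part of the original thread and not a Symantec tool): it pulls the CurDefs sequence numbers and the session return code out of liveupdt.log text and compares the newest definitions date with a date shown by the GUI or sav info -d. The function names, the assumption that two-digit years fall in the 2000s, and the MM/DD/YYYY form of the displayed date are assumptions; the sample log is constructed from the line formats quoted in the thread.

```python
import re
from datetime import date, datetime

# Constructed sample, assembled from the line formats quoted in this thread.
SAMPLE_LOG = """\
Feb 4, 2013 7:20:53 PM   Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, CurDefs, 0
Feb 4, 2013 7:20:53 PM   Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, CurDefs, 130203009
Feb 6, 2013 3:21:03 AM Selection.updateSequenceNumber: SEQ.CurDefs=130205003
Feb 6, 2013 3:21:03 AM The Java LiveUpdate session has completed successfully.
Feb 6, 2013 3:21:03 AM Return code = 0
Feb 6, 2013 3:23:24 AM   Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, HubDefs, 0
Feb 6, 2013 3:23:24 AM   Avenge MicroDefs25 SavCorp10 Linux, MicroDefsB.CurDefs, SymAllLanguages, CurDefs, 130205003
"""

INVENTORY = re.compile(r",\s*CurDefs,\s*(\d+)\s*$")   # installed CurDefs sequence
SEQ_UPDATE = re.compile(r"SEQ\.CurDefs=(\d+)")         # written once new defs are applied
RETURN_CODE = re.compile(r"Return code = (-?\d+)")

def parse_seq(seq):
    """Split YYMMDDRRR (130205003 = Feb 5 2013, revision 3); None for values such as 0."""
    if len(seq) != 9:
        return None
    try:  # assumption: two-digit years are 20xx
        return date(2000 + int(seq[:2]), int(seq[2:4]), int(seq[4:6])), int(seq[6:])
    except ValueError:
        return None

def summarize(log_text):
    """Collect CurDefs readings and return codes from liveupdt.log text."""
    seqs, blank_readings, codes = [], 0, []
    for line in log_text.splitlines():
        m = INVENTORY.search(line) or SEQ_UPDATE.search(line)
        if m:
            parsed = parse_seq(m.group(1))
            if parsed:
                seqs.append(parsed)
            else:
                blank_readings += 1          # the transient "CurDefs, 0" readings
        elif (m := RETURN_CODE.search(line)):
            codes.append(int(m.group(1)))
    return {"latest": seqs[-1] if seqs else None,
            "blank_readings": blank_readings,
            "regressed": any(b < a for a, b in zip(seqs, seqs[1:])),
            "last_return_code": codes[-1] if codes else None}

def display_is_stale(summary, shown):
    """True when a displayed MM/DD/YYYY defs date is older than the log's latest CurDefs."""
    latest = summary["latest"]
    return latest is not None and datetime.strptime(shown, "%m/%d/%Y").date() < latest[0]
```

A stale display together with a last return code of 0 and no regression matches the situation in this thread: the definitions are current and only the reported date lags.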

Be Creative. Be IT's picture

@ Mick2009

Thanks for your reply and taking the time to look into my issue.

"If the GUI or ./sav info -d is showing a different date, then you may wish to follow steps in the following article.  I can confirm that the latest protection is in place, though."

I am glad that the latest protection is in place as per your confirmation.

I wish to let you know that it is the GUI and the ./sav info -d showing a different date that prompted me to post on this forum in the first place.

I shall keep you updated as soon as I work on the steps outlined in "How to remediate virus definitions in Symantec Antivirus for Linux (SAVFL) 1.0.x"

Mick2009's picture

Hi BCBIT,

Just a ping to see how those remediation steps went and if the defs displayed are now accurate.

With the best regards,

Mick

With thanks and best regards,

Mick

Mick2009's picture

Updating this thread with a minor observation: one of my own SAVFL clients was behaving in a similar fashion.  Immediately after what liveupdt.log confirms is a successful LiveUpdate session, sav info -d  still displayed an old definitions date.  Checking again a few minutes later, the correct (updated) defs date was displayed.  So, this older date can be shown while post-session processing is still under way.

With thanks and best regards,

Mick

Be Creative. Be IT's picture

"Updating this thread with a minor observation: one of my own SAVFL clients was behaving in a similar fashion."

Would you consider the above to be a bug and perhaps fix it before Symantec releases an update to SAV for Linux?

Mick2009's picture

If this temporary delay in reporting the latest defs is a bug, it would be a low-priority cosmetic one.  Security is the main focus.

There are some cool developments underway in the Linux arena.  I am not at liberty to comment on the roadmap, but those votes in the Ideas section of Connect seem to have been heard.  More news in due course......  

With thanks and best regards,

Mick

Mick2009's picture

This new article may be of interest to followers of this thread...

SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-4-savfl-reporter

With thanks and best regards,

Mick

John Santana's picture

How big are the definition files normally for your SAVFL?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.