
Using Intelligent Updater method to update defs, but they are not used/recognized by the engine

Created: 08 May 2013 | 10 comments

Hello,

 I have Ubuntu 12.04 64bit and I'm using this package:

Symantec_Protection_Engine_NAS_7.0.1.1_Linux_IN.zip

I'm only using the command line scanner (ssecls) component, which seems to work fine.

My problem is that this is an unmanaged system and I need to update the A/V defs manually on demand. So, I am attempting to use the Intelligent Updater method.

Here are the steps I'm doing:

1. cd /opt/SYMCScan/bin/definitions/AntiVirus

2. Download the A/V defn update script (20130508-003-unix.sh)

3. ./setup-iu.sh enable

4. sh ./20130508-003-unix.sh

5. ./setup-iu.sh disable

I've tried doing these steps both as root and as the user I created to run SYMCScan. Both have the same result.

When I complete step 4, it correctly unpacks the new definitions into /opt/Symantec/virusdefs/incoming/

I am under the impression that after I complete those steps, the Symantec Engine should automatically detect the new definitions and use them.

However, if I run an on-demand scan before and after doing these update steps, the Defs Version remains the same.

 

As my user, I'm running a scan like this:
/opt/SYMCScan/ssecls/ssecls -mode scan -onerror leave -details -verbose testfile.txt
 
<snip>

 

        Defs Version = 20120624.008
 Commandline Scanner = 7.0.0.10
 
<snip>
 
So, my question is, what do I need to do so that the command line scanner will make use of the new definitions?
 
Thanks!
10 Comments

mrtizmo:

Oh, in case it helps, the output when executing the updating script is here:

 

$ sh 20130508-003-unix.sh 
Validating available tools...
Decoding Intelligent Updater package...
Decompressing package contents...
Checking distribution integrity...
Extracting distribution files...
Installing virus defintions to /opt/Symantec/virusdefs/incoming
Copying definition files...
Removing temporary files...
 
Virus definitions installed successfully.
 
BenDC:

As a heads up the Scan/Protection Engine is not supported or tested on Ubuntu.

Is the Product properly licensed? If not it will not update definitions.

Is this system not able to run Java LiveUpdate? Java LiveUpdate can be triggered from the UI manually or on a schedule.

You should not need to disable the setup-iu after running the update. In fact, leave it enabled and restart the service with it enabled.

How much free space is there for /opt?

 

mrtizmo:

Oh, shoot. My mistake. This system is CentOS 6.4 64bit.

Yes, I have a valid license. I've saved the file as /opt/Symantec/Licenses/spe.slf. As a test, I removed the license file and restarted the service; it will not start w/o that file. I moved the license file back and it now starts, so I think it is being recognized.

The drive has 4GB of free space, so that should be plenty.

I'm not using a GUI; this is a remote box that I only connect to with a command line terminal, which is why I didn't think LiveUpdate would be possible and is why I'm trying to do everything with shell commands. Is there a better way to perform an on-demand definition update on the command line?

Ok. I'll remove the disable setup-iu step.

I enabled the setup-iu and restarted the service, the output of a manual scan still shows the old Defs version. 

 

Thank you for your suggestions. Do you have any additional ideas?

 

 

TSE-JDavis:

Essentially, what BenDC says below. There's no way to verify that it is showing as valid from a command line.

TSE-JDavis:

You don't have to load the GUI locally, most people load it remotely. You just need to make sure that ports 8004 and 8005 are open between your client and the server.

BenDC:

Access the UI and verify the license status shows as valid.

 

mrtizmo:

The UI doesn't work for some reason.

I connect to https://ip.ip.ip.ip:8004 and it does the ssl cert exchange and then brings up a blank page.

I know the browser is communicating with the server because it is doing the certificate exchange and the cert shows the Symantec name. I also observed the network traffic on the host and it is going in both directions.

Is there a way to make a change to one of the .xml files to cause the UI log status/errors to a log file?

 

 

TSE-JDavis:

When it asked you to block potentially dangerous actions, did you click Yes or No? You need to say No to that dialog box.

mrtizmo:

I tried with both Chromium and Firefox. In both, I accepted the unrecognized (self-signed) certificate. It then completes the ssl exchange and brings me to a blank page.

I also tried it with curl on the server itself. I told curl to ignore the ssl warnings and complete the exchange, it also returns an empty page. Here is the output from curl:

 

$ curl -v -k https://10.80.80.187:8004
* About to connect() to 10.80.80.187 port 8004 (#0)
*   Trying 10.80.80.187... connected
* Connected to 10.80.80.187 (10.80.80.187) port 8004 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: CN=Symantec Protection Engine 7.0,OU=Newport News,O=Symantec,C=US
* start date: May 09 18:09:39 2013 GMT
* expire date: May 08 18:09:39 2018 GMT
* common name: Symantec Protection Engine 7.0
* issuer: CN=Symantec Protection Engine 7.0,OU=Newport News,O=Symantec,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 10.80.80.187:8004
> Accept: */*
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: 192.168.0.4:9999
< Last-Modified: Thu, 9 May 2013 20:37:25 GMT
< Connection: close
< Content-Type: text/html
< Content-Length: 0
* Closing connection #0
 
mrtizmo:

I just decided to manually copy the new virus def files from /opt/Symantec/virusdefs/incoming/ to /opt/SYMCScan/bin/definitions/AntiVirus/VirusDefs/

Then, restarting the symscan service picks up the new defs and I'm good.

Thanks.
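The procedure the thread arrives at (run the Intelligent Updater package with setup-iu left enabled, confirm from the ssecls "Defs Version" line whether the scanner actually loaded the new set, and otherwise copy the unpacked definitions from incoming into VirusDefs and restart the engine) written up as an added POSIX shell script. This is not code from the thread or from Symantec: the paths, the ssecls invocation and the "symscan" service name are the ones quoted in the posts, while the layout of the incoming directory, the use of `service symscan restart`, and the "YYYYMMDD.NNN" version-stamp comparison are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Symantec.
# Paths and the ssecls invocation are quoted from the posts; the incoming
# directory layout and the `service symscan restart` command are assumptions.

SSECLS=${SSECLS:-/opt/SYMCScan/ssecls/ssecls}
AV_DIR=${AV_DIR:-/opt/SYMCScan/bin/definitions/AntiVirus}
INCOMING=${INCOMING:-/opt/Symantec/virusdefs/incoming}
VIRUSDEFS=${VIRUSDEFS:-$AV_DIR/VirusDefs}

# Extract the value of the "Defs Version = YYYYMMDD.NNN" line from ssecls
# -details output read on stdin; prints nothing if the line is absent.
parse_defs_version() {
    sed -n 's/^[[:space:]]*Defs Version[[:space:]]*=[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Strip leading zeros so a sequence such as "003" compares as decimal 3.
decimal() {
    printf '%s\n' "$1" | sed 's/^0*//; s/^$/0/'
}

# Succeed (exit 0) when definition stamp $1 is strictly newer than $2.
# Stamps are compared by date first, then by the per-day sequence number.
defs_is_newer() {
    d1=$(decimal "${1%.*}"); s1=$(decimal "${1#*.}")
    d2=$(decimal "${2%.*}"); s2=$(decimal "${2#*.}")
    if [ "$d1" -gt "$d2" ]; then return 0; fi
    if [ "$d1" -eq "$d2" ] && [ "$s1" -gt "$s2" ]; then return 0; fi
    return 1
}

# Report the Defs Version ssecls is really using by scanning a throwaway file.
current_defs_version() {
    tmp=$(mktemp) || return 1
    "$SSECLS" -mode scan -onerror leave -details -verbose "$tmp" 2>&1 | parse_defs_version
    rm -f "$tmp"
}

# Run an Intelligent Updater package the way the thread does, with setup-iu
# left enabled as BenDC recommends, then check whether the scanner picked it up.
# $1 is the absolute path of the downloaded YYYYMMDD-NNN-unix.sh script.
update_and_verify() {
    iu_script=$1
    before=$(current_defs_version)
    ( cd "$AV_DIR" && ./setup-iu.sh enable && sh "$iu_script" ) || return 1
    service symscan restart || return 1
    after=$(current_defs_version)
    echo "before=$before after=$after"
    if defs_is_newer "$after" "$before"; then
        echo "scanner is using the new definitions"
    else
        echo "scanner still reports $after; definitions sit in $INCOMING but were not loaded"
        return 2
    fi
}

# Workaround from the last post: copy the unpacked definitions into the
# directory the command line scanner reads, then restart the engine.
# Copying the whole incoming tree is an assumption about its layout.
stage_incoming_defs() {
    cp -R "$INCOMING"/. "$VIRUSDEFS"/ && service symscan restart
}

case "${1:-}" in
    verify) update_and_verify "$2" ;;
    stage)  stage_incoming_defs ;;
    *)      echo "usage: $0 verify /abs/path/YYYYMMDD-NNN-unix.sh | stage" ;;
esac
```

Run `./iu-check.sh verify /opt/SYMCScan/bin/definitions/AntiVirus/20130508-003-unix.sh` after downloading the package; a non-zero exit with "not loaded" reproduces the situation in the first post, and `./iu-check.sh stage` applies the copy-and-restart fix from the last one. Comparing the "Defs Version" line before and after is the only scanner-side confirmation available without the UI, so keep the before/after pair in whatever log you keep of manual updates on an unmanaged host.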