Updating Virus Definitions on an Anti-Virus Mirror

Note: Pivotal Platform is now part of VMware Tanzu. In v2.2 and later, Pivotal Anti-Virus is named Anti-Virus for VMware Tanzu.

Page last updated:

This topic describes how to update virus definitions on an Anti-Virus for VMware Tanzu mirror that is deployed by the Anti-Virus Mirror for VMware Tanzu tile.

The Anti-Virus Mirror for VMware Tanzu tile and the Anti-Virus for VMware Tanzu tile work together as follows:

• The Anti-Virus for VMware Tanzu tile runs Anti-Virus on all BOSH VMs by adding it to the BOSH runtime config.
• The Anti-Virus Mirror for VMware Tanzu tile creates an internal mirror that is used by the ClamAV components running on BOSH VMs.

Overview

The ClamAV community regularly updates virus definitions and publishes them to an external ClamAV database.

How these updated virus definitions propagate to the internal Anti-Virus Mirror that BOSH VMs use depends on whether your environment is running in an online or air-gapped network:

• Online Network: The Anti-Virus Mirror updates its virus definitions automatically.
• Air-gapped Network: An operator must manually download new virus definitions and run bosh scp to update them on the internal Anti-Virus mirror.

For more information and diagrams about this architecture, see How Virus Definitions Propagate to VMs.

The following sections describe both of these scenarios and explain how to manually update virus definitions on the internal Anti-Virus mirror.

Verify That Your Virus Definitions Are Up to Date

To confirm that virus definitions are up to date on a given VM:

1. BOSH SSH on to the VM.
2. View the go-clam-tls logs located at /var/vcap/sys/log/antivirus/go-clam-tls.log. For more information, see go-clam-tls Log Messages.

Automatic Updates with Online Networks

When your environment runs on an online network, the Anti-Virus Mirror VM regularly checks the external ClamAV database every two hours.

When new virus definitions are present on the external database, Anti-Virus Mirror downloads them automatically.

Manually Update on an Air-gapped Network

Anti-Virus jobs use three virus definitions files, main.cvd, daily.cvd, and bytecode.cvd. The internal Anti-Virus Mirror serves these three files to all Anti-Virus jobs in your environment.

To update the virus definitions:

1. Download the three virus definition files from the ClamAV virus database mirror or an equivalent external mirror. You can access the ClamAV mirror at the following URLs:

   • http://database.clamav.net/main.cvd
   • http://database.clamav.net/daily.cvd
   • http://database.clamav.net/bytecode.cvd

   If you are unable to download the virus definitions from one of the links above, use the cvdupdate tool. For information about cvdupdate, see the ClamAV documentation.

2. Copy your downloaded virus definition files to your Ops Manager VM.

   scp -i PATH-TO-PRIVATE-KEY PATH-TO-CVD-FILE ... ubuntu@OPS-MANAGER-VM-IP:
   

   For example:

   $ scp -i ~/.ssh/my-key.pem ~/Downloads/main.cvd ~/Downloads/daily.cvd ~/Downloads/bytecode.cvd ubuntu@192.168.0.2: 

3. SSH into the Ops Manager VM. For instructions, see Log in to the Ops Manager VM with SSH.

4. Find the name of your Anti-Virus Mirror deployment by running:

   bosh -e BOSH-ENVIRONMENT deployments | grep p-antivirus-mirror | cut -f1
   

   For example:

   $ bosh -e my-env deployments | grep p-antivirus-mirror | cut -f1

   The deployment name starts with p-antivirus-mirror- and is followed by a string of characters. For example:

   $ p-antivirus-mirror-08815ca5ead252c4b8d8

5. Copy the virus definitions to your internal Anti-Virus Mirror by running:

   bosh -e BOSH-ENVIRONMENT -d ANTIVIRUS-DEPLOYMENT-NAME scp /path/to/local/main.cvd /path/to/local/daily.cvd /path/to/local/bytecode.cvd :/var/vcap/data/antivirus-mirror/unvalidated
   

   For example:

   $ bosh -e my-env -d p-antivirus-mirror-4cb8cfbeee717258d72e scp main.cvd daily.cvd bytecode.cvd :/var/vcap/data/antivirus-mirror/unvalidated

6. Verify that the mirror validated and updated its local copies of the virus definitions by running:

   bosh -e BOSH-ENVIRONMENT -d ANTIVIRUS-DEPLOYMENT-NAME ssh -c "sudo cat FILE | grep \"updated /var/vcap/store\""
   

   Where FILE is determined by the output destination configured in Anti-Virus Mirror Configuration of the Anti-Virus Mirror for VMware Tanzu tile. Use one of these:

   • /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stdout.log for stdout
   • /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stderr.log for stderr
   • /var/log/syslog for syslog

   For example:

   $ bosh -e my-env -d p-antivirus-mirror-4cb8cfbeee717258d72e ssh -c "sudo cat /var/log/syslog | grep \"updated /var/vcap/store\""
   
   2019/05/30 17:16:34 updated /var/vcap/store/antivirus-mirror/validated/bytecode.cvd
   2019/05/30 17:16:40 updated /var/vcap/store/antivirus-mirror/validated/daily.cvd
   2019/05/30 17:16:49 updated /var/vcap/store/antivirus-mirror/validated/main.cvd