SayoojDinan
Participant

DAT signatures of Windows and Linux

The estate has both Windows and Linux machines installed with Checkpoint EDR; recently I noticed a very different anti-malware version on a few of my Linux machines: 3.89.0 / 6.05 28/11/2023. The main concern is that these Linux devices are fetching the Windows DAT signature and are not updating to the latest version.

Can anyone help me understand what exactly is happening here, why a Linux machine is using a Windows DAT signature, and the possible reasons behind this?


********

Regards,

@SayoojDinan 

0 Kudos
3 Replies
Alex_G
Employee

Hi

There are two different things when we speak about AM:

  1. Engine version. Looks like 3.90.0
  2. Signature version. Looks like 6.06 16/01/2024. This is a DB which is released roughly once per month and gets small updates several times per day. The Linux client also reports the version as a timestamp (e.g. 202402220810).

The engine version is pretty much common to Windows and Linux. However, there might be some time gaps when the engine is updated on one platform and remains on the other.

Signatures are the same for both platforms.

To see if the Linux agent runs the latest signatures, run 'sudo cpla am info' on the machine:

user@host > sudo cpla am info
CPLA version: 1.13.3
Anti-Malware version: 3.90.0 / 6.06 16/01/2024 (90995083 signatures)
Signature version: 202402220810
Policy name: Default Anti Malware policy
Policy version: 0

In the example above signature version is 202402220810, which reflects the current date.

0 Kudos
SayoojDinan
Participant

@Alex_G Thanks for your reply.

My DAT signature shows 202312060548; this is quite a concern. How do I resolve this? Also, my endpoints are connected to the MGMT server and the agent version is 1.13.3.

********

Regards,

@SayoojDinan 

0 Kudos
Alex_G
Employee

The management server allows you to configure the update source for AM. Here is a quick test that you can do:

  1. Restart the client by running "sudo systemctl restart cpla". Check the version in 5 mins.
  2. Ensure that you are able to see SPS_VERSION in the output of `curl https://teadv.checkpoint.com/Sophos-stg/version.txt`. This should be available if the client is configured to use the external server. Updates from the management server are on our roadmap. If you use a proxy in your environment, it should be configured at the time of installation or by editing /etc/checkpoint/cpla/env and restarting the service.
  3. Ensure that the client is configured to use the external update server.

Hope this will resolve the issue. If it doesn't, I would proceed with a support ticket.

Alex


0 Kudos
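The two replies above amount to a repeatable check: read the 'Signature version' stamp from 'cpla am info', compare it with today's date, and confirm the external update server answers with SPS_VERSION. The script below is an added example written for this thread, not Check Point's own tooling. It assumes the 12-digit stamp is YYYYMMDDHHMM in UTC (the thread does not state the zone; a few hours of skew is irrelevant against a multi-day threshold), that a signature older than STALE_DAYS (a locally chosen default of 3) deserves attention given the monthly DB plus several small updates per day described above, and that version.txt contains the literal string SPS_VERSION when the external server is reachable. The offline part runs on the output posted in the thread; the --live part runs the real commands on an endpoint.

```shell
#!/bin/sh
# Added example (not Check Point's code): flag stale Anti-Malware signatures on a
# Linux EDR client from the 'cpla am info' output discussed in the thread.
# Assumptions not stated in the thread: the 'Signature version' value is a
# YYYYMMDDHHMM stamp (treated as UTC), STALE_DAYS is a locally chosen threshold,
# and version.txt contains the literal string SPS_VERSION when reachable.

STALE_DAYS="${STALE_DAYS:-3}"

# Pull the 12-digit 'Signature version' stamp out of 'cpla am info' text on stdin.
sig_version_from_info() {
    sed -n 's/^Signature version:[[:space:]]*\([0-9]\{12\}\).*/\1/p' | head -n 1
}

# Proleptic Gregorian day number for Y M D with integer arithmetic only, so the
# check does not depend on GNU 'date -d'. Leading zeros are stripped because some
# shells would otherwise read "08" as an invalid octal literal.
day_number() {
    y=$1; m=${2#0}; d=${3#0}
    a=$(( (14 - m) / 12 ))
    yy=$(( y + 4800 - a ))
    mm=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}

# Day number of a YYYYMMDDHHMM stamp (the HHMM part is ignored).
stamp_day() {
    day_number "$(printf '%s' "$1" | cut -c1-4)" \
               "$(printf '%s' "$1" | cut -c5-6)" \
               "$(printf '%s' "$1" | cut -c7-8)"
}

# Whole days between a signature stamp and a 'now' stamp (default: current UTC time).
sig_age_days() {
    now=${2:-$(date -u +%Y%m%d%H%M)}
    echo $(( $(stamp_day "$now") - $(stamp_day "$1") ))
}

# Print OK/STALE for a signature stamp; exit status 1 when stale, 2 when malformed.
sig_status() {
    sig=$1
    case $sig in
        ????????????) ;;
        *) echo "MALFORMED signature version '$sig'"; return 2 ;;
    esac
    case $sig in
        *[!0-9]*) echo "MALFORMED signature version '$sig'"; return 2 ;;
    esac
    age=$(sig_age_days "$sig" "${2:-}")
    if [ "$age" -gt "$STALE_DAYS" ]; then
        echo "STALE: signature $sig is $age days old (threshold $STALE_DAYS)"
        return 1
    fi
    echo "OK: signature $sig is $age days old"
}

# Step 2 of the thread's test: the external update server should answer with
# SPS_VERSION. Reads the fetched text from stdin so it can be exercised offline.
has_sps_version() {
    grep -q 'SPS_VERSION'
}

# Live checks, run on the endpoint itself (needs sudo, network access and, if
# used, the proxy configured in /etc/checkpoint/cpla/env).
check_endpoint() {
    sig=$(sudo cpla am info | sig_version_from_info)
    sig_status "$sig" || echo "hint: sudo systemctl restart cpla, then re-check in 5 minutes"
    if curl -fsS --max-time 20 https://teadv.checkpoint.com/Sophos-stg/version.txt | has_sps_version; then
        echo "OK: external update server reachable (SPS_VERSION seen)"
    else
        echo "FAIL: SPS_VERSION not seen; check proxy settings and the AM update source on the management server"
    fi
}

# Constructed sample: the 'cpla am info' output posted in the thread, evaluated as
# if 'now' were the moment it was captured.
SAMPLE_INFO='CPLA version: 1.13.3
Anti-Malware version: 3.90.0 / 6.06 16/01/2024 (90995083 signatures)
Signature version: 202402220810
Policy name: Default Anti Malware policy
Policy version: 0'
SAMPLE_NOW=202402220810

case "${1:-}" in
    --live) check_endpoint ;;
    *)  sig=$(printf '%s\n' "$SAMPLE_INFO" | sig_version_from_info)
        sig_status "$sig" "$SAMPLE_NOW" || :
        # The asker's stamp from the thread against the same 'now' (78 days old):
        sig_status 202312060548 "$SAMPLE_NOW" || : ;;
esac
```

Run it with no arguments to see the two thread values scored offline, or with --live on an endpoint; the exit codes of sig_status make it easy to fold into an SSH sweep or a cron job across the estate so a client that silently stops updating is noticed before anyone compares version strings by hand.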
