This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SayoojDinan
Participant
‎2024-02-22 12:48 AM

DAT signatures of Windows and Linux

The estate has both Windows and Linux machines installed with Checkpoint EDR, recently I noticed a very different anti-malware version for a few of my Linux machines 3.89.0/ 6.05 28/11/2023. The main concern is that these Linux devices are fetching the Windows DAT signature and are not updating to the latest version.

Can anyone help me understand what exactly is happening here, why a Linux machine is using a Windows DAT signature, and the possible reasons behind this?

 

********

Regards,

@SayoojDinan 

0 Kudos
3 Replies
Alex_G
Employee
Employee
‎2024-02-22 03:07 AM

Hi

There are two different things when we speak about AM:

  1. Engine version. Looks like 3.90.0
  2. Signature version. Looks like 6.06 16/01/2024. This is DB which is released roughly once per month and gets small updates several times per day. Linux client also reports version as a timestamp (e.g. 202402220810)

Engine version is pretty much common for Windows and Linux. However, there might be some time gaps when engine is updated on one platform and remains on the other.

Signatures are the same for both platforms.

To see if Linux agent runs the latest signatures, run 'sudo cpla am info' on the machine:

user@host > sudo cpla am info
CPLA version: 1.13.3
Anti-Malware version: 3.90.0 / 6.06 16/01/2024 (90995083 signatures)
Signature version: 202402220810
Policy name: Default Anti Malware policy
Policy version: 0

In the example above signature version is 202402220810, which reflects the current date.

0 Kudos
SayoojDinan
Participant
‎2024-02-22 03:22 AM
In response to Alex_G

@Alex_G Thanks for your reply.

My DAT signature shows 202312060548, this is quite a concern. How do I resolve this, also my endpoints are connected to the MGMT server and the agent version is 1.13.3.

********

Regards,

@SayoojDinan 

0 Kudos
Alex_G
Employee
Employee
‎2024-02-22 03:45 AM
In response to SayoojDinan

Management server allows to configure update source for AM. Here is a quick test that you can do:

  1. Restart the client by running "sudo systemctl restart cpla". Check the version in 5 mins
  2. Ensure that you are able to see SPS_VERSION in output of `curl https://teadv.checkpoint.com/Sophos-stg/version.txt`This should be available if the client is configured to use external server.  Updates from management server is in our roadmap. If you use proxy in your environment, it should be configured at the time of installation or by editing /etc/checkpoint/cpla/env and restarting the service
  3. Ensure that client is configured to use external update server.

Hope this will resolve the issue. if it doesn't, I would proceed with a support ticket

Alex

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events