This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
itadmin
Explorer
‎2019-06-01 02:06 AM
Jump to solution

Can I mannually update AntiVirus and Antibot thriugh cli

Can I mannually update AntiVirus and Antibot thriugh cli

 

please update

0 Kudos
2 Solutions

Accepted Solutions
RS_Daniel
Advisor
‎2020-12-14 10:22 AM
Jump to solution

Hello, check sk105757> troubleshooting steps> force an update.

View solution in original post

Timothy_Hall
Legend Legend
Legend
Thursday
In response to Emil_T
Jump to solution

As Dameon said there normally isn't a big patterns/signature database downloaded and used by AV/ABOT, unlike APCL and IPS. Constant interaction with the ThreatCloud keeps a memory cache up to date with all the latest AV/ABOT updates automatically, so there is no real need to "force" an update most of the time.

However a situation can arise where a value held in the AV/ABOT cache is improperly blocking something causing a false positive.  In that case you can create an exception, or a Custom Threat Indicator matching the traffic set to "Inactive" to work around the issue.  If you suspect this is a "bad" or malfunctioning entry you can force an immediate refresh of all items in the cache, hoping that Check Point has cleared the problem:

Anti-Virus: sed -i "1s/.*/100/" $FWDIR/amw_kss/update/next_update
Anti-Bot: sed -i "1s/.*/100/" $FWDIR/amw/update/next_update

Note that the "1s" in the sed commands above is a number 1 followed by the letter "s". See here for more detail:    sk143972: How to trigger an update for Application Control / Anti-Virus /Anti-Bot / IPS

In the extreme case you can also completely flush the AV/ABOT cache; note that doing this will cause a huge flurry of requests to the ThreatCloud sent by the RAD daemon, and could cause a brief but noticeable performance impact as the cache repopulates if Hold mode is set:  sk105179: How to clear Anti-Virus and Anti-Bot kernel cache
 
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

(1)
8 Replies
PhoneBoy
Admin
Admin
‎2019-06-02 05:33 PM
Jump to solution

These blades do not have local signatures to update, requiring Internet access or Private ThreatCloud.

0 Kudos
Emil_T
Participant
Wednesday
In response to PhoneBoy
Jump to solution

1. Still, the question was not about signatures, rather How can we manually update AntiVirus and Antibot. In the SmartConsole > Threat Policy > Custom Policy Tools > Updates there are configuration of IPS, AV, AB updates. The default for AV is 2 hours.

Also see in documentation: 

For the Anti-Virus, Anti-BotClosed and Threat Emulation, the gateways download the updates directly from the Check Point cloud. 
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

 

So it is clear that the gateway is pulling updates every 2 hours. The question is - How to trigger an immediate update.

 

2. Just to understand - if there are no local signatures, how the firewall scans files for viruses?

3. If there are no local signatures, then what is been downloaded every 2 hours?

0 Kudos
PhoneBoy
Admin
Admin
Wednesday
In response to Emil_T
Jump to solution

Most everything for Anti-Virus and Anti-Bot is looked up in ThreatCloud.
If you've enabled Deep Scan for AV, then there are local signatures.
I have not seen any CLI to manually update these.

IPS operates off local signatures.
While I don't see a CLI-way to force the update, you can troubleshoot with: https://support.checkpoint.com/results/sk/sk112635 

The Threat Emulation engine can be updated manually: https://support.checkpoint.com/results/sk/sk95235 

0 Kudos
Timothy_Hall
Legend Legend
Legend
Thursday
In response to Emil_T
Jump to solution

As Dameon said there normally isn't a big patterns/signature database downloaded and used by AV/ABOT, unlike APCL and IPS. Constant interaction with the ThreatCloud keeps a memory cache up to date with all the latest AV/ABOT updates automatically, so there is no real need to "force" an update most of the time.

However a situation can arise where a value held in the AV/ABOT cache is improperly blocking something causing a false positive.  In that case you can create an exception, or a Custom Threat Indicator matching the traffic set to "Inactive" to work around the issue.  If you suspect this is a "bad" or malfunctioning entry you can force an immediate refresh of all items in the cache, hoping that Check Point has cleared the problem:

Anti-Virus: sed -i "1s/.*/100/" $FWDIR/amw_kss/update/next_update
Anti-Bot: sed -i "1s/.*/100/" $FWDIR/amw/update/next_update

Note that the "1s" in the sed commands above is a number 1 followed by the letter "s". See here for more detail:    sk143972: How to trigger an update for Application Control / Anti-Virus /Anti-Bot / IPS

In the extreme case you can also completely flush the AV/ABOT cache; note that doing this will cause a huge flurry of requests to the ThreatCloud sent by the RAD daemon, and could cause a brief but noticeable performance impact as the cache repopulates if Hold mode is set:  sk105179: How to clear Anti-Virus and Anti-Bot kernel cache
 
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
Johannes_Schoen
Collaborator
‎2020-12-14 05:28 AM
Jump to solution

@PhoneBoy: If there are no signature updates, why is there a scheduled service option (default 2h)?
Wouldn't it be nice to have a butten "schedule now"?

How can I verify that AB is working as expected, when the Gateway says "Gateway is not up to date"?

G_W_Albrecht
Legend Legend
Legend
‎2020-12-14 07:09 AM
In response to Johannes_Schoen
Jump to solution

Both AV and AB load database content from cloud. Schedule now would be a RFE, see sk71840 for details. You can check AB using Anti-Bot Test -- Accesses a link that is flagged by Anti-Bot blade as malicious. Shows as Check Point-Testing Bot in logs. See also:

How do I test if Anti-Bot and/or Anti-Virus is Wor...
CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos
RS_Daniel
Advisor
‎2020-12-14 10:22 AM
Jump to solution

Hello, check sk105757> troubleshooting steps> force an update.

G_W_Albrecht
Legend Legend
Legend
‎2020-12-14 01:06 PM
In response to RS_Daniel
Jump to solution

Looks like a solution 😎

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events