Timothy_Hall

As Dameon said, there normally isn't a big patterns/signature database downloaded and used by AV/ABOT, unlike APCL and IPS. Constant interaction with the ThreatCloud keeps a memory cache up to date with all the latest AV/ABOT updates automatically, so there is no real need to "force" an update most of the time.

However, a situation can arise where a value held in the AV/ABOT cache is improperly blocking something, causing a false positive. In that case you can create an exception, or a Custom Threat Indicator matching the traffic set to "Inactive" to work around the issue. If you suspect this is a "bad" or malfunctioning entry you can force an immediate refresh of all items in the cache, hoping that Check Point has cleared the problem:

Anti-Virus: sed -i "1s/.*/100/" $FWDIR/amw_kss/update/next_update
Anti-Bot: sed -i "1s/.*/100/" $FWDIR/amw/update/next_update

Note that the "1s" in the sed commands above is a number 1 followed by the letter "s". See here for more detail: sk143972: How to trigger an update for Application Control / Anti-Virus /Anti-Bot / IPS

In the extreme case you can also completely flush the AV/ABOT cache; note that doing this will cause a huge flurry of requests to the ThreatCloud sent by the RAD daemon, and could cause a brief but noticeable performance impact as the cache repopulates if Hold mode is set: sk105179: How to clear Anti-Virus and Anti-Bot kernel cache
 
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
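
Added example, not part of the original post or of Check Point's tooling: a wrapper that applies the same `1s/.*/100/` edit with a backup and confirms that only line 1 of the file changed, restoring the backup otherwise. The function name `force_refresh` and the `.bak` suffix are assumptions made for this sketch; the two file paths in the comments are the ones quoted in the post.

```shell
#!/bin/sh
# force_refresh FILE (hypothetical helper name)
# Applies the post's sed edit to FILE, keeping FILE.bak and rolling back
# if anything other than line 1 ends up different.
#
# Intended targets, as quoted in the post:
#   force_refresh "$FWDIR/amw_kss/update/next_update"   # Anti-Virus
#   force_refresh "$FWDIR/amw/update/next_update"       # Anti-Bot
force_refresh() {
    f=$1
    # A missing or empty file has no line 1 for sed to rewrite.
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }

    # Keep the previous content so the edit can be undone.
    cp -p "$f" "$f.bak" || return 1

    # Same expression as in the post: digit 1, then the letter s.
    sed -i '1s/.*/100/' "$f" || { cp -p "$f.bak" "$f"; return 1; }

    # Line 1 must now read exactly 100.
    [ "$(sed -n '1p' "$f")" = "100" ] || { cp -p "$f.bak" "$f"; return 1; }

    # Everything from line 2 onward must match the backup.
    new_tail=$(tail -n +2 "$f" | cksum)
    old_tail=$(tail -n +2 "$f.bak" | cksum)
    if [ "$new_tail" != "$old_tail" ]; then
        cp -p "$f.bak" "$f"
        return 1
    fi

    echo "updated $f (backup: $f.bak)"
}
```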
