itadmin
Explorer

Can I manually update Anti-Virus and Anti-Bot through CLI


please update

0 Kudos
2 Solutions

Accepted Solutions
RS_Daniel
Advisor

Hello, check sk105757> troubleshooting steps> force an update.


Timothy_Hall
Legend

As Dameon said there normally isn't a big patterns/signature database downloaded and used by AV/ABOT, unlike APCL and IPS. Constant interaction with the ThreatCloud keeps a memory cache up to date with all the latest AV/ABOT updates automatically, so there is no real need to "force" an update most of the time.

However a situation can arise where a value held in the AV/ABOT cache is improperly blocking something causing a false positive.  In that case you can create an exception, or a Custom Threat Indicator matching the traffic set to "Inactive" to work around the issue.  If you suspect this is a "bad" or malfunctioning entry you can force an immediate refresh of all items in the cache, hoping that Check Point has cleared the problem:

Anti-Virus: sed -i "1s/.*/100/" $FWDIR/amw_kss/update/next_update
Anti-Bot: sed -i "1s/.*/100/" $FWDIR/amw/update/next_update

Note that the "1s" in the sed commands above is a number 1 followed by the letter "s". See here for more detail:    sk143972: How to trigger an update for Application Control / Anti-Virus /Anti-Bot / IPS

In the extreme case you can also completely flush the AV/ABOT cache; note that doing this will cause a huge flurry of requests to the ThreatCloud sent by the RAD daemon, and could cause a brief but noticeable performance impact as the cache repopulates if Hold mode is set:  sk105179: How to clear Anti-Virus and Anti-Bot kernel cache
 
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
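A small wrapper around the forced-refresh step described above, added here as an example and not code from the thread or from Check Point. It assumes, as the posted sed command implies, that the first line of the next_update file holds the countdown the update daemon reads and that writing 100 there triggers a refresh; the function names and NEXT_UPDATE_VALUE are this example's own. Compared with typing the raw sed line, it refuses to run when the file is missing (wrong FWDIR, blade not enabled) and reports the value before and after so the change can be confirmed.

```bash
#!/bin/bash
# Added example (not from the CheckMates thread or Check Point): wrapper around the
# forced-refresh command from the thread. Assumption: the first line of next_update
# holds the countdown the update daemon reads, and writing 100 there forces a refresh.
# NEXT_UPDATE_VALUE and the function names are this example's own.

NEXT_UPDATE_VALUE=100

# next_update_value FILE
# Prints the current first line of FILE, for a before/after check.
next_update_value() {
    sed -n '1p' "$1"
}

# force_tp_update FILE
# Records the current first line, rewrites it to NEXT_UPDATE_VALUE with the same
# sed expression the thread uses ("1s" = line 1, substitute), then confirms the
# change. Returns non-zero without touching anything if FILE does not exist.
force_tp_update() {
    local file="$1"
    if [ ! -f "$file" ]; then
        echo "force_tp_update: $file not found (is FWDIR set and the blade enabled?)" >&2
        return 1
    fi
    local before after
    before=$(next_update_value "$file")
    sed -i "1s/.*/${NEXT_UPDATE_VALUE}/" "$file"
    after=$(next_update_value "$file")
    echo "$file: first line '$before' -> '$after'"
    # succeed only if the rewrite actually took effect
    [ "$after" = "$NEXT_UPDATE_VALUE" ]
}

# Usage on a gateway in expert mode, matching the two commands in the thread:
#   force_tp_update "$FWDIR/amw_kss/update/next_update"   # Anti-Virus
#   force_tp_update "$FWDIR/amw/update/next_update"       # Anti-Bot
```

Only the first line is rewritten; any further lines in the file are left untouched, which is exactly what the `1s` address in the original command guarantees.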

8 Replies
PhoneBoy
Admin

These blades do not have local signatures to update, requiring Internet access or Private ThreatCloud.

0 Kudos
Emil_T
Contributor

1. Still, the question was not about signatures, rather how we can manually update Anti-Virus and Anti-Bot. In SmartConsole > Threat Policy > Custom Policy Tools > Updates there are configuration settings for the IPS, AV and AB updates. The default for AV is 2 hours.

Also see in documentation: 

For the Anti-Virus, Anti-Bot and Threat Emulation, the gateways download the updates directly from the Check Point cloud.
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

 

So it is clear that the gateway is pulling updates every 2 hours. The question is - How to trigger an immediate update.

 

2. Just to understand - if there are no local signatures, how does the firewall scan files for viruses?

3. If there are no local signatures, then what is being downloaded every 2 hours?

0 Kudos
PhoneBoy
Admin

Most everything for Anti-Virus and Anti-Bot is looked up in ThreatCloud.
If you've enabled Deep Scan for AV, then there are local signatures.
I have not seen any CLI to manually update these.

IPS operates off local signatures.
While I don't see a CLI-way to force the update, you can troubleshoot with: https://support.checkpoint.com/results/sk/sk112635 

The Threat Emulation engine can be updated manually: https://support.checkpoint.com/results/sk/sk95235 

0 Kudos
Johannes_Schoen
Collaborator

@PhoneBoy: If there are no signature updates, why is there a scheduled service option (default 2h)?
Wouldn't it be nice to have a button "schedule now"?

How can I verify that AB is working as expected, when the Gateway says "Gateway is not up to date"?

G_W_Albrecht
Legend

Both AV and AB load database content from the cloud. "Schedule now" would be an RFE, see sk71840 for details. You can check AB using Anti-Bot Test -- accesses a link that is flagged by the Anti-Bot blade as malicious. Shows as "Check Point-Testing Bot" in logs. See also:

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

Looks like a solution 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos