
Updating Unix hosts by pushing files

Hello,

Due to network limitations (in a DMZ, for example), some of my servers can't get the update files, but I can put them on their local filesystem. Since the latest version, the savupdate command doesn't work anymore.

Details:

1) From my repos server, I send the files:

 rsync -e ssh -az --delete-after /data/sophos/savlinux/savi/sav/ sophosadmin@distanthost:/tmp/sav

2) On the "distanthost" I execute these commands:

/opt/sophos-av/bin/savconfig set PrimaryUpdateSourcePath /tmp/sav

/opt/sophos-av/bin/savupdate -v5

The result is an exit 61:

Updating from /tmp/sav
Reading /tmp/sav/savlinux/cidsync.upd
Reading /tmp/sav/cidsync.upd
Reading /opt/sophos-av/update/cache/Primary/cidsync.upd
Reading /opt/sophos-av/update/cache/Primary/savi/sav/vdlmnfst.dat
Reading /tmp/sav/savi/sav/vdlmnfst.dat
Failed to replicate from /tmp/sav
Failed to replicate from all update sources

I tried to send the whole archive:

rsync -e ssh -vaz --delete-after /data/sophos/savlinux  sophosadmin@distanthost:/tmp/sav:
/opt/sophos-av/bin/savupdate -v5
Updating from /tmp/sav
Reading /tmp/sav/savlinux/cidsync.upd
Reading /opt/sophos-av/update/cache/Primary/cidsync.upd
Reading /opt/sophos-av/update/cache/Primary/savi/sav/vdlmnfst.dat
Reading /tmp/sav/savlinux/savi/sav/vdlmnfst.dat
Failed to replicate from /tmp/sav
Failed to replicate from all update sources

--debug ends with:
Failed to replicate from /tmp/sav
Exception recorded in /opt/sophos-av/tmp/savupdateException.log
File /tmp/sav/savlinux/savi/sav/vdlmnfst.dat of unknown size, is larger than 16335 bytes
2016-05-02 09:59:35,538 DEBUG savupdate.util.Logger: ALL_UPDATE_SOURCES_FAILED
Failed to replicate from all update sources

Any suggestion to update the signatures (and the product) in this case?

Another question: is it possible to clean the cache, which duplicates the signature files?

Note: Our hosts are RedHat and AIX systems.



  • Hello Nicolas Schmeltz,

    in a DMZ
    if this (contrary to the usual meaning) is indeed a segment without Internet connection (i.e. an insular LAN segment) I'd rather read from the regular LAN than allowing writes - just my 2 cents though.
    Anyway, savupdate expects a certain structure and makes some consistency checks so you can't feed it just a list of files. [The following is mainly speculation as we update using the preferred method]. It seems that savupdate would accept the .../savi/sav/ directory using vdlmnfst.dat to check its consistency, but it doesn't expect this file to be larger than about 16k (this suggests that this "simple" IDE updating is a deprecated feature).
    As per chapter 15.4 of the v9 configuration guide you should use (a copy of) /opt/sophos-av/update/cache/ as source (please note you need a setting to be able to update different distros).

    [sending] /data/sophos/savlinux
    what are the contents of savlinux (why delete BTW)? Doesn't seem to be a full copy of a CID (or the cache) otherwise savupdate should be able to use it.

    clean the cache
    it will be rebuilt on the next update. Admittedly 250+MB isn't nothing (I remember the time when a 120MB HDD was considered obscene [;)]) and economy is elegance but then it's also not an enormous amount - so why do you want to clear it?

    Christian
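    The push procedure Christian describes (ship a full copy of the update cache or CID, point PrimaryUpdateSourcePath at it, run savupdate), written out as a script. This is an added example and not code from the thread or from Sophos: the paths in REPO_SRC, STAGE, TARGET_USER and TARGET_HOST are placeholder assumptions, and the two files it checks for (cidsync.upd at the top level, savi/sav/vdlmnfst.dat beneath it) are the ones savupdate reads first in the -v5 logs above. It also covers the cache-clearing question as an opt-in step that only runs after savupdate exited 0.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code): push-style update of an
# isolated Unix host. Assumptions: the repository server holds a full copy of
# the update cache (or of the SUM/SEC CIDs\Sxxx\savlinux share) at REPO_SRC;
# the isolated host accepts ssh as TARGET_USER@TARGET_HOST; STAGE is a staging
# directory on that host. All defaults below are placeholders.
REPO_SRC="${REPO_SRC:-/opt/sophos-av/update/cache/Primary}"
TARGET_USER="${TARGET_USER:-sophosadmin}"
TARGET_HOST="${TARGET_HOST:-distanthost}"
STAGE="${STAGE:-/var/tmp/sav-update}"
SAV_BIN="${SAV_BIN:-/opt/sophos-av/bin}"
CLEAN_CACHE="${CLEAN_CACHE:-}"      # non-empty: remove the cache after a good update

# 1. Layout check. In the thread's -v5 logs savupdate reads cidsync.upd at the
#    top of the source and savi/sav/vdlmnfst.dat under it; the failing runs had
#    the CID nested one level too deep (/tmp/sav/savlinux/...). Refuse to ship
#    a tree that does not have both files where savupdate looks for them.
check_update_source() {
    dir="$1"
    [ -f "$dir/cidsync.upd" ] || { echo "$dir: no cidsync.upd at top level" >&2; return 1; }
    [ -f "$dir/savi/sav/vdlmnfst.dat" ] || { echo "$dir: no savi/sav/vdlmnfst.dat" >&2; return 1; }
    return 0
}

# 2. rsync source normalisation. With a trailing slash rsync copies the
#    directory's CONTENTS into the destination; without it rsync creates
#    STAGE/<basename>, which is how /tmp/sav/savlinux/... came about.
normalize_src() {
    case "$1" in
        */) printf '%s' "$1" ;;
        *)  printf '%s/' "$1" ;;
    esac
}

# 3. Remote command string: point the primary source at STAGE, update with the
#    verbose output the thread used, and (optionally) drop the cache only when
#    savupdate exited 0. The cache is re-copied from STAGE on the next run,
#    so clearing it trades disk on the host for transfer time at each update.
remote_update_cmd() {
    stage="$1"; bin="$2"; clean="${3:-}"
    cmd="$bin/savconfig set PrimaryUpdateSourcePath $stage && $bin/savupdate -v5"
    if [ -n "$clean" ]; then
        cmd="$cmd && rm -rf /opt/sophos-av/update/cache/Primary/"
    fi
    printf '%s' "$cmd"
}

# 4. Orchestration; runs only when invoked as `sh push-update.sh run`.
case "${1:-}" in
run)
    check_update_source "$REPO_SRC" || exit 1
    src=$(normalize_src "$REPO_SRC")
    rsync -e ssh -az --delete-after "$src" "$TARGET_USER@$TARGET_HOST:$STAGE/" || exit 1
    # ssh returns the remote chain's exit status, i.e. savupdate's when the
    # update fails (the thread saw 61 for a rejected source).
    ssh "$TARGET_USER@$TARGET_HOST" "$(remote_update_cmd "$STAGE" "$SAV_BIN" "$CLEAN_CACHE")"
    rc=$?
    [ "$rc" -eq 0 ] || echo "savupdate on $TARGET_HOST failed with exit $rc" >&2
    exit "$rc"
    ;;
esac
```

    Run it from the repository server as `sh push-update.sh run`; set `CLEAN_CACHE=1` only if you accept that the whole CID is copied into the cache again at the next update. The layout check is the part worth keeping even if the rest is replaced by an existing cron job: it fails fast on the repository side instead of after an rsync and a remote exit 61.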

  • Hello Christian,

    Thanks for your answer.

    QC said:

    in a DMZ
    if this (contrary to the usual meaning) is indeed a segment without Internet connection (i.e. an insular LAN segment) I'd rather read from the regular LAN than allowing writes - just my 2 cents though.
    Anyway, savupdate expects a certain structure and makes some consistency checks so you can't feed it just a list of files. [The following is mainly speculation as we update using the preferred method]. It seems that savupdate would accept the .../savi/sav/ directory using vdlmnfst.dat to check its consistency, but it doesn't expect this file to be larger than about 16k (this suggests that this "simple" IDE updating is a deprecated feature).
    As per chapter 15.4 of the v9 configuration guide you should use (a copy of) /opt/sophos-av/update/cache/ as source (please note you need a setting to be able to update different distros).

    [sending] /data/sophos/savlinux
    what are the contents of savlinux (why delete BTW)? Doesn't seem to be a full copy of a CID (or the cache) otherwise savupdate should be able to use it.

    The network topography is not in my scope, but I can just say that some servers can only be reached this way. As we have a lot of servers to maintain, I cannot change this historical way of updating them...

    The savlinux contents are the Sophos files to be installed (I used --delete to remove files which are no longer present in a new version).

    I updated the software yesterday, from Product version 5.19 to 5.21 - Engine v. 3.63 to 3.64, and the update works again in the way I explained.

    QC said:

    clean the cache
    it will be rebuilt on the next update. Admittedly 250+MB isn't nothing (I remember the time when a 120MB HDD was considered obscene [;)]) and economy is elegance but then it's also not an enormous amount - so why do you want to clear it?

    It raises alarms in our monitoring tool for some servers! We also make an archive of the old Sophos version before updating, so it doubles the space.
    So if you can confirm that I can rm -rf /opt/sophos-av/update/cache/Primary/ after an update or install, I would be grateful.
    Cheers,
    Nicolas
  • Hello Nicolas,

    The network topography is not in my scope
    just felt like I should mention it.

    Product version 5.19 to 5.21 - Engine v. 3.63 to 3.64
    Hm, maybe I'm dense - 3.64 is the current engine. The product should be 9.11.1 (or maybe an earlier version but definitely 9.x) though. 5.xx looks like Detection Data, but their current version is 5.26.

    savlinux
    this would be the appropriate source for updating - assuming this is a copy of /Cache/Primary/ (if a Linux machine downloads from Sophos) or \CIDs\Sxxx\savlinux\ (if using SUM/SEC on Windows) - as it will update detection data and software as well

    clearing the cache
    if I understand correctly you're updating manually, correct? An update compares the cache to the source, downloading or copying what's not in the cache. The actual update is done from the cache, afterwards the cache is AFAIK not used.

    Christian

  • Hello Christian,

    In fact I receive updates from our Windows team. I get the update files in CIDs\S000\savlinux and CIDs\S000\EESAVUNIX shares.

    On the Unix side, we push as little data as possible to update / upgrade the signature files / the software.

    I'm sorry because I'm not familiar with this Sophos software for now, but here are the versions I've found:

    #>cat /opt/sophos-av/engine/savVersion
    9.11.0.4.3

    #>/opt/sophos-av/bin/savscan -v
    SAVScan virus detection utility
    Copyright (c) 1989-2016 Sophos Limited. All rights reserved.
    System time 03:02:55 PM, System date 03 May 2016
    Product version : 5.19.0
    Engine version : 3.63.0
    Virus data version : 5.25
    User interface version : 2.03.063
    Platform : Linux/AMD64
    Released : 08 March 2016


    So I assume that we can update signatures with these sources.

    clearing the cache
    We use a crontabbed batch to update. I understand that we can safely add a command to clean up the /opt/sophos-av/update/cache/Primary/ directory.

    Thanks for your help.

    Nicolas